AWS Aurora

Connecting AWS Aurora MySQL Relational Database Service (RDS) logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) Aurora MySQL Relational Database Service (RDS) logs via AWS S3.

How to onboard AWS Aurora logs to Panther

To pull Aurora logs into Panther, you will need to configure an S3 bucket as a log source in the Panther Console so that data streams from your AWS account.

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search "AWS" to see the list of available log sources.

  4. Select AWS Aurora MySQL.

  5. Select AWS S3 Bucket for your source to begin setup. Follow Panther’s documentation for configuring S3 for data transport.

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis GitHub repository.

Supported AWS Aurora logs

AWS.AuroraMySQLAudit

AuroraMySQLAudit is an RDS Aurora audit log containing context on database calls. For more information, see AWS's documentation on Aurora MySQL database cluster auditing.

schema: AWS.AuroraMySQLAudit
parser:
  native:
    name: AWS.AuroraMySQLAudit
description: AuroraMySQLAudit is an RDS Aurora audit log which contains context around database calls.
referenceURL: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Auditing.html
fields:
  - name: timestamp
    description: The timestamp for the logged event with microsecond precision (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: serverHost
    description: The name of the instance that the event is logged for.
    type: string
  - name: username
    description: The connected user name of the user.
    type: string
  - name: host
    description: The host that the user connected from.
    type: string
  - name: connectionId
    description: The connection ID number for the logged operation.
    type: bigint
  - name: queryId
    description: The query ID number, which can be used for finding the relational table events and related queries. For TABLE events, multiple lines are added.
    type: bigint
  - name: operation
    required: true
    description: 'The recorded action type. Possible values are: CONNECT, QUERY, READ, WRITE, CREATE, ALTER, RENAME, and DROP.'
    type: string
  - name: database
    description: The active database, as set by the USE command.
    type: string
  - name: object
    description: For QUERY events, this value indicates the executed query. For TABLE events, it indicates the table name.
    type: string
  - name: retCode
    description: The return code of the logged operation.
    type: bigint
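As an added example (not Panther's parser or any code from the panther-analysis repository), the following maps a raw Aurora MySQL audit line onto the field names of the schema above and flags the events a detection would typically care about: failed operations and destructive DDL. It assumes the comma-separated line layout AWS documents for these logs, with the object (query text) as the only field that can itself contain commas; the sample lines are constructed.

```python
from datetime import datetime, timezone

# Constructed sample lines in the comma-separated layout AWS documents for
# Aurora MySQL audit logs (same field order as the schema above); not real data.
SAMPLE_LINES = [
    "1520621702300020,ip-10-31-38-182,root,localhost,7,6,QUERY,,'SET NAMES utf8',0",
    "1520621702300125,ip-10-31-38-182,app,10.0.1.25,9,12,QUERY,orders,"
    "'SELECT id, total FROM orders WHERE id = 42',0",
    "1520621702300300,ip-10-31-38-182,app,10.0.1.25,9,13,DROP,orders,archive,1142",
]

FIELDS = ["timestamp", "serverHost", "username", "host", "connectionId",
          "queryId", "operation", "database", "object", "retCode"]
INT_FIELDS = {"connectionId", "queryId", "retCode"}   # bigint in the schema
DESTRUCTIVE = {"DROP", "ALTER", "RENAME"}             # DDL worth alerting on


def parse_audit_line(line: str) -> dict:
    """Map one raw audit line onto the AWS.AuroraMySQLAudit field names."""
    # The first eight fields never contain commas, but the object field
    # (query text) can, so peel the head off the left and retCode off the right.
    parts = line.split(",", 8)
    if len(parts) != 9:
        raise ValueError(f"malformed audit line: {line!r}")
    obj, ret_code = parts[8].rsplit(",", 1)
    event = dict(zip(FIELDS, parts[:8] + [obj.strip("'"), ret_code]))
    for name in INT_FIELDS:
        event[name] = int(event[name])
    # Raw timestamp is microseconds since the epoch; the schema stores RFC 3339 (UTC).
    micros = int(event["timestamp"])
    ts = datetime.fromtimestamp(micros // 1_000_000, tz=timezone.utc)
    event["timestamp"] = ts.replace(microsecond=micros % 1_000_000).isoformat()
    return event


def is_suspicious(event: dict) -> bool:
    """True for failed operations (non-zero retCode) and destructive DDL."""
    return event["retCode"] != 0 or event["operation"] in DESTRUCTIVE


def suspicious_events(lines) -> list:
    """Parse every line and keep only the events a detection should surface."""
    return [ev for ev in map(parse_audit_line, lines) if is_suspicious(ev)]


if __name__ == "__main__":
    for ev in suspicious_events(SAMPLE_LINES):
        print(ev["timestamp"], ev["username"], ev["operation"], ev["object"], ev["retCode"])
```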
