AWS S3

Connecting AWS S3 Access logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) S3 Server Access logs via an S3 bucket.

How to onboard AWS S3 logs to Panther

To pull S3 Server Access logs into Panther, you will need to configure an S3 bucket as a log source in the Panther Console so that the log data streams from your AWS account.

  1. In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search "AWS" to see the list of available log sources.

  4. Select AWS S3 Server Access.

  5. Select AWS S3 Bucket for your source to begin setup. Follow Panther’s documentation for configuring S3 for Data Transport.

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis GitHub repository.

Querying logs in Data Explorer

See example SQL queries, for use in Panther's Data Explorer, in S3 Access logs queries.

Supported AWS S3 logs

AWS.S3ServerAccess

AWS.S3ServerAccess is the S3 server access log format. For more information, see AWS's documentation on the S3 server access log format.

schema: AWS.S3ServerAccess
description: S3ServerAccess is an AWS S3 Access Log.
referenceURL: https://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.html
fields:
  - name: bucketowner
    required: true
    description: The canonical user ID of the owner of the source bucket. The canonical user ID is another form of the AWS account ID.
    type: string
  - name: bucket
    description: The name of the bucket that the request was processed against. If the system receives a malformed request and cannot determine the bucket, the request will not appear in any server access log.
    type: string
  - name: time
    description: The time at which the request was received (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: remoteip
    description: The apparent internet address of the requester. Intermediate proxies and firewalls might obscure the actual address of the machine making the request.
    type: string
  - name: requester
    description: The canonical user ID of the requester, or NULL for unauthenticated requests. If the requester was an IAM user, this field returns the requester's IAM user name along with the AWS root account that the IAM user belongs to. This identifier is the same one used for access control purposes.
    type: string
  - name: requestid
    description: A string generated by Amazon S3 to uniquely identify each request.
    type: string
  - name: operation
    description: The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT.
    type: string
  - name: key
    description: The key part of the request, URL encoded, or NULL if the operation does not take a key parameter.
    type: string
  - name: requesturi
    description: The Request-URI part of the HTTP request message.
    type: string
  - name: httpstatus
    description: The numeric HTTP status code of the response.
    type: bigint
  - name: errorcode
    description: The Amazon S3 Error Code, or NULL if no error occurred.
    type: string
  - name: bytessent
    description: The number of response bytes sent, excluding HTTP protocol overhead, or NULL if zero.
    type: bigint
  - name: objectsize
    description: The total size of the object in question.
    type: bigint
  - name: totaltime
    description: The number of milliseconds the request was in flight from the server's perspective. This value is measured from the time your request is received to the time that the last byte of the response is sent. Measurements made from the client's perspective might be longer due to network latency.
    type: bigint
  - name: turnaroundtime
    description: The number of milliseconds that Amazon S3 spent processing your request. This value is measured from the time the last byte of your request was received until the time the first byte of the response was sent.
    type: bigint
  - name: referrer
    description: The value of the HTTP Referer header, if present. HTTP user-agents (for example, browsers) typically set this header to the URL of the linking or embedding page when making a request.
    type: string
  - name: useragent
    description: The value of the HTTP User-Agent header.
    type: string
  - name: versionid
    description: The version ID in the request, or NULL if the operation does not take a versionId parameter.
    type: string
  - name: hostid
    description: The x-amz-id-2 or Amazon S3 extended request ID.
    type: string
  - name: signatureversion
    description: The signature version, SigV2 or SigV4, that was used to authenticate the request or NULL for unauthenticated requests.
    type: string
  - name: ciphersuite
    description: The Secure Sockets Layer (SSL) cipher that was negotiated for an HTTPS request, or NULL for HTTP.
    type: string
  - name: authenticationtype
    description: The type of request authentication used, AuthHeader for authentication headers, QueryString for query string (pre-signed URL) or NULL for unauthenticated requests.
    type: string
  - name: hostheader
    description: The endpoint used to connect to Amazon S3.
    type: string
  - name: tlsVersion
    description: "The Transport Layer Security (TLS) version negotiated by the client. The value is one of the following: TLSv1, TLSv1.1, TLSv1.2; or NULL if TLS wasn't used."
    type: string
  - name: accesspointarn
    description: "The Amazon Resource Name (ARN) of the access point of the request."
    type: string
  - name: aclrequired
    description: "A string that indicates whether the request required an access control list (ACL) for authorization."
    type: string
  - name: additionalFields
    description: The remaining columns in the record as an array.
    type: array
    element:
      type: string
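The column order above is the order in which S3 writes each space-delimited record, with "-" standing in for every NULL. The following is an added example, not Panther's or AWS's code: it parses constructed sample records into the AWS.S3ServerAccess field names (bracketed timestamps and double-quoted request URIs, referrers and user agents contain spaces and must be kept whole), then runs a rule over the result in the rule()/title() shape Panther detections use. The detection logic is illustrative; it flags a successful REST.GET.OBJECT with no requester, no signature version and no authentication type, which is what a read of a world-readable object looks like in this log. Panther passes an event object with a .get() method; a plain dict is used here so the example runs offline.

```python
"""Parse S3 server access log records into AWS.S3ServerAccess fields and run a
Panther-style rule over them. Added example; not Panther's or AWS's code."""
from datetime import datetime
from typing import Dict, List, Optional

# Column order of an S3 server access log record, named as in the schema above.
FIELDS = [
    "bucketowner", "bucket", "time", "remoteip", "requester", "requestid",
    "operation", "key", "requesturi", "httpstatus", "errorcode", "bytessent",
    "objectsize", "totaltime", "turnaroundtime", "referrer", "useragent",
    "versionid", "hostid", "signatureversion", "ciphersuite",
    "authenticationtype", "hostheader", "tlsVersion", "accesspointarn",
    "aclrequired",
]
INT_FIELDS = {"httpstatus", "bytessent", "objectsize", "totaltime", "turnaroundtime"}


def tokenize(line: str) -> List[str]:
    """Split a record on spaces, keeping [...] timestamps and "..." strings whole."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i] == " ":
            i += 1
        elif line[i] == "[":
            j = line.index("]", i)
            tokens.append(line[i + 1:j])
            i = j + 1
        elif line[i] == '"':
            j = line.index('"', i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_record(line: str) -> Dict[str, object]:
    """Map one record onto the schema: '-' becomes None, numeric columns become
    int, and the timestamp is rendered as RFC 3339 (UTC)."""
    tokens = tokenize(line)
    event: Dict[str, object] = {}
    for name, raw in zip(FIELDS, tokens):
        value: Optional[object] = None if raw == "-" else raw
        if value is not None and name in INT_FIELDS:
            value = int(raw)
        elif value is not None and name == "time":
            ts = datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")
            value = ts.isoformat().replace("+00:00", "Z")
        event[name] = value
    # Any columns beyond the ones the schema names land in additionalFields.
    event["additionalFields"] = tokens[len(FIELDS):]
    return event


def rule(event) -> bool:
    """Fire on a successful object read carrying no identity at all."""
    if event.get("operation") != "REST.GET.OBJECT" or event.get("httpstatus") != 200:
        return False
    return (
        event.get("requester") is None
        and event.get("signatureversion") is None
        and event.get("authenticationtype") is None
    )


def title(event) -> str:
    return (f"Unauthenticated read of s3://{event.get('bucket')}/{event.get('key')} "
            f"from {event.get('remoteip')}")


def alerts(lines: List[str]) -> List[str]:
    """Parse every record and return a title for each one the rule fires on."""
    return [title(ev) for ev in map(parse_record, lines) if rule(ev)]


# Constructed sample records (not real traffic); IDs and hashes are placeholders.
SAMPLE_LOGS = [
    # Authenticated SigV4 request from the console over TLS: should not alert.
    "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be examplebucket "
    "[06/Feb/2019:00:00:38 +0000] 192.0.2.3 "
    "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 3E57427F3EXAMPLE "
    'REST.GET.VERSIONING - "GET /examplebucket?versioning HTTP/1.1" 200 - 113 - 7 - "-" '
    '"S3Console/0.4" - s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234= '
    "SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.us-west-1.amazonaws.com TLSv1.2 - -",
    # Anonymous object read over plain HTTP, authorized by a public ACL: should alert.
    "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be examplebucket "
    "[06/Feb/2019:00:01:00 +0000] 198.51.100.7 - 7B2F9C1AEXAMPLE REST.GET.OBJECT backups/db.sql "
    '"GET /backups/db.sql HTTP/1.1" 200 - 524288 524288 31 12 "-" "curl/7.88.1" - '
    "Abc123ExampleHostId= - - - examplebucket.s3.us-west-1.amazonaws.com - - Yes",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse_record(line)
        print(ev["time"], ev["operation"], "ALERT" if rule(ev) else "ok")
```

The second sample record shows three NULL-valued columns at once: no requester, no signatureversion and no ciphersuite/tlsVersion, so the same parsed event would also serve a cleartext-transport rule keyed on ciphersuite being NULL.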
