AWS Transit Gateway

Connecting Transit Gateway Flow logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) Transit Gateway Flow logs via AWS S3.

How to onboard AWS Transit Gateway logs to Panther

To pull Transit Gateway Flow logs into Panther, you create an S3 log source in the Panther Console that reads the flow log files AWS delivers to a bucket in your AWS account.

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search "AWS" to see the list of available log sources.

  4. Select AWS Transit Gateway Flow.

  5. Select AWS S3 Bucket for your source to begin setup. Follow Panther’s documentation for configuring S3 for data transport.

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis GitHub repository.

Supported AWS Transit Gateway logs

AWS.TransitGatewayFlow

TransitGatewayFlow logs enable you to capture information about the IP traffic going to and from your transit gateways.

Note that for Panther to properly ingest TransitGatewayFlow logs, they must come directly from S3, in CSV format with a header.

For more information, see AWS's documentation on Transit Gateway Flow Logs.
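The following is an added example, not Panther's own code or parser: it reads a small constructed CSV export with a header row, normalises the columns into records shaped like the AWS.TransitGatewayFlow schema on this page (integer fields converted, AWS's "-" placeholder mapped to None), decodes the tcpFlags bitmask, and runs two detections over the result. The rule(event)/title(event) functions follow the shape Panther rules use and are called here on plain dicts, which is an assumption; the header column names are the schema field names above rather than the column names AWS writes to S3, which Panther's native parser maps for you. All sample values are constructed.

```python
import csv
import io
from collections import defaultdict

# Integer columns of the AWS.TransitGatewayFlow schema. AWS writes "-" when a value
# is not applicable; we map that to None instead of failing the whole row.
INT_FIELDS = {
    "protocol", "packets", "bytes", "start", "end", "srcPort", "dstPort", "tcpFlags",
    "packetsLostNoRoute", "packetsLostBlackhole", "packetsLostMtuExceeded",
    "packetsLostTtlExpired",
}

# Bit values from the tcpFlags description in the schema (SYN-ACK, 18, is SYN | ACK).
TCP_FLAG_BITS = [(1, "FIN"), (2, "SYN"), (4, "RST"), (8, "PSH"), (16, "ACK"), (32, "URG")]
SYN_ONLY = 2

# Constructed sample export (not real data). Columns use the schema field names;
# one host sends lone SYNs to several destinations, some of which the TGW drops.
SAMPLE_CSV = """resourceType,accountId,tgwId,tgwAttachmentId,tgwPairAttachmentId,protocol,packets,bytes,start,end,logStatus,type,packetsLostNoRoute,packetsLostBlackhole,packetsLostMtuExceeded,packetsLostTtlExpired,tcpFlags,region,flowDirection,srcAddr,srcPort,dstAddr,dstPort
TransitGateway,123456789012,tgw-0a1b2c3d4e5f67890,tgw-attach-0123456789abcdef0,tgw-attach-0fedcba9876543210,6,12,1840,1700000000,1700000060,OK,IPv4,0,0,0,0,19,us-east-1,ingress,10.0.1.25,51234,10.1.2.10,443
TransitGateway,123456789012,tgw-0a1b2c3d4e5f67890,tgw-attach-0123456789abcdef0,-,6,3,180,1700000000,1700000060,OK,IPv4,0,3,0,0,2,us-east-1,ingress,10.0.1.25,51235,10.9.9.9,22
TransitGateway,123456789012,tgw-0a1b2c3d4e5f67890,tgw-attach-0123456789abcdef0,-,6,3,180,1700000000,1700000060,OK,IPv4,3,0,0,0,2,us-east-1,ingress,10.0.1.25,51236,192.168.50.4,3389
TransitGateway,123456789012,tgw-0a1b2c3d4e5f67890,tgw-attach-0123456789abcdef0,-,6,2,120,1700000000,1700000060,OK,IPv4,0,2,0,0,2,us-east-1,ingress,10.0.1.25,51237,10.9.9.9,445
TransitGateway,123456789012,tgw-0a1b2c3d4e5f67890,tgw-attach-0123456789abcdef0,tgw-attach-0fedcba9876543210,6,1,60,1700000000,1700000060,OK,IPv4,0,0,0,0,2,us-east-1,ingress,10.0.1.25,51238,10.1.2.10,8080
TransitGateway,123456789012,tgw-0a1b2c3d4e5f67890,tgw-attach-0fedcba9876543210,tgw-attach-0123456789abcdef0,17,4,512,1700000000,1700000060,OK,IPv4,0,0,0,0,-,us-east-1,egress,10.1.2.53,53,10.0.1.25,40000
"""


def parse_tgw_csv(text):
    """Parse a header-prefixed CSV export into schema-shaped dict events."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        event = {}
        for key, value in row.items():
            if key in INT_FIELDS:
                event[key] = None if value in ("", "-") else int(value)
            else:
                event[key] = value
        events.append(event)
    return events


def decode_tcp_flags(mask):
    """Expand the OR-ed tcpFlags bitmask into flag names (0 or None -> [])."""
    if not mask:
        return []
    return [name for bit, name in TCP_FLAG_BITS if mask & bit]


def rule(event):
    """Fire on flows the transit gateway dropped for routing reasons."""
    blackhole = event.get("packetsLostBlackhole") or 0
    no_route = event.get("packetsLostNoRoute") or 0
    return blackhole > 0 or no_route > 0


def title(event):
    reason = "blackhole route" if (event.get("packetsLostBlackhole") or 0) > 0 else "no route"
    flags = "/".join(decode_tcp_flags(event.get("tcpFlags"))) or "none"
    return (f"TGW {event.get('tgwId')} dropped {event.get('srcAddr')}:{event.get('srcPort')} -> "
            f"{event.get('dstAddr')}:{event.get('dstPort')} ({reason}, flags {flags})")


def syn_scan_candidates(events, min_ports=3):
    """Sources whose TCP flows show only SYN (no reply OR-ed in) across many ports."""
    ports_by_src = defaultdict(set)
    for e in events:
        if e.get("protocol") == 6 and e.get("tcpFlags") == SYN_ONLY:
            ports_by_src[e["srcAddr"]].add(e["dstPort"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    parsed = parse_tgw_csv(SAMPLE_CSV)
    for ev in parsed:
        if rule(ev):
            print(title(ev))
    print(syn_scan_candidates(parsed))
```

Two caveats from the field definitions matter here: tcpFlags is OR-ed over the whole aggregation interval, so a completed handshake shows 18 or 19 while an unanswered SYN stays at 2, and the packetsLost* counters are per interval, so a single interval with a handful of drops may be a misconfigured route table rather than probing; correlate with the distinct-port count before escalating. Rows with logStatus NODATA or SKIPDATA carry no counters, which is why the rule treats missing values as zero.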

schema: AWS.TransitGatewayFlow
parser:
    native:
        name: AWS.TransitGatewayFlow
description: TransitGatewayFlow logs enable you to capture information about the IP traffic going to and from your transit gateways.
referenceURL: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-flow-logs.html
fields:
    - name: version
      description: The Transit Gateway Flow Logs version. If you use the default format, the version is 2.
      type: bigint
    - name: resourceType
      description: Where the subscription was created, either TransitGateway or TransitGatewayAttachment.
      type: string
    - name: accountId
      description: The AWS account ID owner of the transit gateway.
      type: string
      indicators:
        - aws_account_id
    - name: tgwId
      required: true
      description: The ID of the transit gateway for which traffic is being recorded.
      type: string
    - name: tgwAttachmentId
      description: The ID of the transit gateway attachment for which traffic is being recorded.
      type: string
    - name: tgwPairAttachmentId
      description: Depending on the flow direction, this is either the egress or ingress attachment ID of the flow.
      type: string
    - name: protocol
      description: The IANA protocol number of the traffic.
      type: bigint
    - name: packets
      description: The number of packets transferred during the flow.
      type: bigint
    - name: bytes
      description: The number of bytes transferred during the flow.
      type: bigint
    - name: start
      required: true
      description: The time of the start of the flow (UTC).
      type: timestamp
      timeFormats:
        - unix
      isEventTime: true
    - name: end
      description: The time of the end of the flow (UTC).
      type: timestamp
      timeFormats:
        - unix
    - name: logStatus
      description: 'The logging status of the flow log. OK: Data is logging normally to the chosen destinations. NODATA: There was no network traffic to or from the network interface during the aggregation interval. SKIPDATA: Some flow log records were skipped during the aggregation interval. This might be because of an internal capacity constraint, or an internal error.'
      type: string
    - name: type
      description: 'The type of traffic: IPv4, IPv6, or EFA.'
      type: string
    - name: packetsLostNoRoute
      description: The packets lost due to no route being specified.
      type: bigint
    - name: packetsLostBlackhole
      description: The packets lost due to a black hole.
      type: bigint
    - name: packetsLostMtuExceeded
      description: The packets lost due to the size exceeding the MTU.
      type: bigint
    - name: packetsLostTtlExpired
      description: The packets lost due to the expiration of time-to-live.
      type: bigint
    - name: tcpFlags
      description: 'The bitmask value for the following TCP flags: FIN: 1, SYN: 2, RST: 4, PSH: 8, ACK: 16, SYN-ACK: 18, URG: 32. When a flow log entry consists of only ACK packets, the flag value is 0, not 16. TCP flags can be OR-ed during the aggregation interval. For short connections, the flags might be set on the same line in the flow log record, for example, 19 for SYN-ACK and FIN, and 3 for SYN and FIN.'
      type: bigint
    - name: region
      description: The Region that contains the transit gateway where traffic is recorded.
      type: string
    - name: flowDirection
      description: 'The direction of the flow with respect to the interface where traffic is captured. The possible values are: ingress | egress.'
      type: string
    - name: tgwSrcVpcAccountId
      description: The AWS account ID for the source VPC traffic.
      type: string
      indicators:
        - aws_account_id
    - name: tgwSrcVpcId
      description: The ID of the source VPC for the transit gateway.
      type: string
    - name: tgwSrcSubnetId
      description: The ID of the subnet for the transit gateway source traffic.
      type: string
    - name: tgwSrcEni
      description: The ID of the source transit gateway attachment ENI for the flow.
      type: string
    - name: tgwSrcAzId
      description: The ID of the Availability Zone that contains the source transit gateway for which traffic is recorded. If the traffic is from a sublocation, the record displays a '-' symbol for this field.
      type: string
    - name: srcAddr
      description: The source address for incoming traffic, or the IPv4 or IPv6 address of the transit gateway for outgoing traffic on the transit gateway. The IPv4 address of the transit gateway is always its private IPv4 address.
      type: string
      indicators:
        - ip
    - name: srcPort
      description: The source port of the traffic.
      type: bigint
    - name: pktSrcAwsService
      description: 'The name of the subset of IP address ranges for the srcaddr if the source IP address is for an AWS service. The possible values are: AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS | CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CODEBUILD | DYNAMODB | EBS | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | KINESIS_VIDEO_STREAMS | ROUTE53 | ROUTE53_HEALTHCHECKS | ROUTE53_HEALTHCHECKS_PUBLISHING | ROUTE53_RESOLVER | S3 | WORKSPACES_GATEWAYS.'
      type: string
    - name: tgwDstVpcAccountId
      description: The AWS account ID for the destination VPC traffic.
      type: string
      indicators:
        - aws_account_id
    - name: tgwDstVpcId
      description: The ID of the destination VPC for the transit gateway.
      type: string
    - name: tgwDstSubnetId
      description: The ID of the subnet for the transit gateway destination traffic.
      type: string
    - name: tgwDstEni
      description: The ID of the destination transit gateway attachment ENI for the flow.
      type: string
    - name: tgwDstAzId
      description: The ID of the Availability Zone that contains the destination transit gateway for which traffic is recorded.
      type: string
    - name: dstAddr
      description: The destination address for outgoing traffic, or the IPv4 or IPv6 address of the transit gateway for incoming traffic on the transit gateway. The IPv4 address of the transit gateway is always its private IPv4 address.
      type: string
      indicators:
        - ip
    - name: dstPort
      description: The destination port of the traffic.
      type: bigint
    - name: pktDstAwsService
      description: 'The name of the subset of IP address ranges for the dstaddr field, if the destination IP address is for an AWS service. The possible values are: AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS | CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CODEBUILD | DYNAMODB | EBS | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | KINESIS_VIDEO_STREAMS | ROUTE53 | ROUTE53_HEALTHCHECKS | ROUTE53_HEALTHCHECKS_PUBLISHING | ROUTE53_RESOLVER | S3 | WORKSPACES_GATEWAYS.'
      type: string
