AWS VPC

Connecting AWS VPC logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) Virtual Private Cloud (VPC) logs via AWS S3.

For information on ingesting VPC DNS logs, see the VPC DNS logging section below.

How to onboard AWS VPC logs to Panther

To pull VPC logs into Panther, you will need to set up an S3 bucket in the Panther Console to stream data from your AWS account.

  1. In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search "AWS" to see the list of available log sources.

  4. Select AWS VPC.

  5. Select AWS S3 bucket for your source to begin setup. Follow Panther’s documentation for configuring S3 for Data Transport.

VPC DNS logging

With additional configuration in AWS, you can also use this integration to monitor DNS queries. Malicious actors can use DNS for data theft, C2, DNS tunneling, cache poisoning, DNS hijacking, and more. Logging the queries made and responses received by devices in your network can be valuable in proactive alerting and investigations.

The instructions below explain how to log queries from your AWS services within VPCs to an S3 bucket. The query logging configuration happens within Route 53 and applies to the VPCs within your specified region. A configuration is required per region, but can be applied to multiple VPCs of that region.

Step 1: Configure query logging in Route 53

  1. Log in to your AWS account.

  2. Navigate to the Route 53 service within the region you plan to log.

  3. On the lefthand side, under Resolver, click Query Logging.

    • You should be redirected to a “Query logging configurations” page. If not, try clicking the “Query Logging” link again.

  4. In the upper right corner, click Configure Query Logging.

  5. On the next page, fill in the Query Logging configuration form:

    • Name: Enter a descriptive name.

    • Destination for query logs: Select S3 bucket.

    • Amazon S3 Bucket: Select the S3 bucket where you want to configure query logging.

  6. At the bottom of the page, click Configure query logging.

    • Within a few minutes, you should start receiving logs within your S3 bucket at s3://BucketName/BucketPrefix/AWSLogs/ACCOUNTID/vpcdnsquerylogs/VPCName/Year/Month/Day

Step 2: Onboard log source

After onboarding the source with the AWS.VPCDns log type, VPCDNS logs will be ingested into Panther.

Example DNS Event

{"version":"1.100000","account_id":"0123456789012","region":"us-west-2","vpc_id":"vpc-c26c48ba","query_timestamp":"2022-10-07T21:39:49Z","query_name":"ec2messages.us-west-2.amazonaws.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"52.94.176.105","Type":"A","Class":"IN"}],"srcaddr":"172.31.46.187","srcport":"52635","transport":"UDP","srcids":{"instance":"i-09d9aa4e31675db61"}}
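As an added example (not code from the Panther docs or the panther-analysis repository), here is a Panther-style rule with the usual `rule(event)` / `title(event)` functions, run over the sample event above; it alerts when DNS Firewall acted on the query or when the query name has the long, many-label shape the DNS tunneling concern above refers to. The thresholds are assumptions for this example, not Panther defaults.

```python
import json

# Constructed sample: the DNS event shown on this page, parsed as a dict.
SAMPLE_EVENT = json.loads(
    '{"version":"1.100000","account_id":"0123456789012","region":"us-west-2",'
    '"vpc_id":"vpc-c26c48ba","query_timestamp":"2022-10-07T21:39:49Z",'
    '"query_name":"ec2messages.us-west-2.amazonaws.com.","query_type":"A",'
    '"query_class":"IN","rcode":"NOERROR",'
    '"answers":[{"Rdata":"52.94.176.105","Type":"A","Class":"IN"}],'
    '"srcaddr":"172.31.46.187","srcport":"52635","transport":"UDP",'
    '"srcids":{"instance":"i-09d9aa4e31675db61"}}'
)

# Thresholds are assumptions chosen for this example, not Panther defaults.
MAX_LABEL_LEN = 50    # a single DNS label longer than this is unusual
MAX_LABEL_COUNT = 8   # legitimate hostnames rarely carry this many labels


def dns_labels(query_name):
    """Split a query_name (with or without the trailing dot) into its labels."""
    return [label for label in query_name.rstrip(".").split(".") if label]


def rule(event):
    """Panther-style rule body: returning True raises an alert.

    Fires when DNS Firewall matched an alert/block rule (firewall_rule_action
    is populated), or when the query name shape looks like tunneling.
    """
    if event.get("firewall_rule_action"):
        return True
    labels = dns_labels(event.get("query_name", ""))
    if len(labels) > MAX_LABEL_COUNT:
        return True
    return any(len(label) > MAX_LABEL_LEN for label in labels)


def title(event):
    """Alert title built from AWS.VPCDns fields (instance ID, else source IP)."""
    src = event.get("srcids", {}).get("instance") or event.get("srcaddr", "unknown")
    reason = event.get("firewall_rule_action") or "suspicious query shape"
    return f"VPC DNS query {event.get('query_name')} from {src} ({reason})"


if __name__ == "__main__":
    print(rule(SAMPLE_EVENT), title(SAMPLE_EVENT))
```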

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis GitHub repository.

Querying logs in Data Explorer

See example SQL queries, for use in Panther's Data Explorer, in VPC logs queries.

Supported AWS VPC log types

Panther supports AWS.VPCDns and AWS.VPCFlow.

AWS.VPCDns

DNS query logs represent the queries that VPC DNS resolvers forward to Route 53. For more information, see AWS's documentation on Resolver query log format.

schema: AWS.VPCDns
parser:
  native:
    name: AWS.VPCDns
description: DNS query logs represent the queries that VPC DNS resolvers forward to Route 53.
referenceURL: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs-format.html
fields:
  - name: version
    required: true
    description: The version number of the query log format. If we add fields to the log or change the format of existing fields, we'll increment this value.
    type: string
  - name: account_id
    required: true
    description: The ID of the AWS account that created the VPC.
    type: string
    indicators:
      - aws_account_id
  - name: region
    required: true
    description: The AWS Region that you created the VPC in.
    type: string
  - name: vpc_id
    required: true
    description: The ID of the VPC that the query originated in.
    type: string
  - name: query_timestamp
    required: true
    description: The date and time that the query was submitted, in ISO 8601 format and Coordinated Universal Time (UTC)
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: query_name
    required: true
    description: The domain name (example.com) or subdomain name (www.example.com) that was specified in the query.
    type: string
  - name: query_type
    required: true
    description: Either the DNS record type that was specified in the request, or ANY. For information about the types that Route 53 supports.
    type: string
  - name: query_class
    required: true
    description: The class of the query.
    type: string
  - name: rcode
    required: true
    description: The DNS response code that Resolver returned in response to the DNS query. The response code indicates whether the query was valid or not. The most common response code is NOERROR, meaning that the query was valid. If the response is not valid, Resolver returns a response code that explains why not. For a list of possible response codes, see DNS RCODEs on the IANA website.
    type: string
  - name: answers
    required: true
    description: Answers to the query
    type: array
    element:
      type: object
      fields:
        - name: Rdata
          required: true
          description: The value that Resolver returned in response to the query. For example, for an A record, this is an IP address in IPv4 format. For a CNAME record, this is the domain name in the CNAME record.
          type: string
        - name: Type
          required: true
          description: The DNS record type (such as A, MX, or CNAME) of the value that Resolver is returning in response to the query.
          type: string
        - name: Class
          required: true
          description: The class of the Resolver response to the query.
          type: string
  - name: srcaddr
    required: true
    description: The IP address of the instance that the query originated from.
    type: string
    indicators:
      - ip
  - name: srcport
    required: true
    description: The port on the instance that the query originated from.
    type: string
  - name: transport
    required: true
    description: The protocol used to submit the DNS query.
    type: string
  - name: srcids
    required: true
    description: The list of IDs of the sources the DNS query originated from or passed through.
    type: object
    fields:
      - name: instance
        description: The ID of the instance that the query originated from.
        type: string
        indicators:
          - aws_instance_id
      - name: resolver-endpoint
        description: The ID of the resolver endpoint that passes the DNS query to on-premises DNS servers.
        type: string
  - name: firewall_rule_group_id
    description: The ID of the DNS Firewall rule group that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.
    type: string
  - name: firewall_rule_action
    description: The action specified by the rule that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.
    type: string
  - name: firewall_domain_list_id
    description: The domain list used by the rule that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.
    type: string

AWS.VPCFlow

VPC Flow is a VPC NetFlow log, which is a layer 3 representation of network traffic in EC2.

Note that for Panther to properly ingest VPC NetFlow logs, they must come directly from S3, in CSV format with a header.

For more information, see AWS's documentation providing flow log record examples.

schema: AWS.VPCFlow
parser:
  native:
    name: AWS.VPCFlow
description: VPCFlow is a VPC NetFlow log, which is a layer 3 representation of network traffic in EC2.
referenceURL: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html
fields:
  - name: version
    description: The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3.
    type: bigint
  - name: account
    description: The AWS account ID for the flow log.
    type: string
    indicators:
      - aws_account_id
  - name: interfaceId
    description: The ID of the network interface for which the traffic is recorded.
    type: string
  - name: srcAddr
    description: The source address for incoming traffic, or the IPv4 or IPv6 address of the network interface for outgoing traffic on the network interface. The IPv4 address of the network interface is always its private IPv4 address.
    type: string
    indicators:
      - ip
  - name: dstAddr
    description: The destination address for outgoing traffic, or the IPv4 or IPv6 address of the network interface for incoming traffic on the network interface. The IPv4 address of the network interface is always its private IPv4 address.
    type: string
    indicators:
      - ip
  - name: srcPort
    description: The source port of the traffic.
    type: bigint
  - name: dstPort
    description: The destination port of the traffic.
    type: bigint
  - name: protocol
    description: The IANA protocol number of the traffic.
    type: bigint
  - name: packets
    description: The number of packets transferred during the flow.
    type: bigint
  - name: bytes
    description: The number of bytes transferred during the flow.
    type: bigint
  - name: start
    required: true
    description: The time of the start of the flow (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: end
    required: true
    description: The time of the end of the flow (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: action
    description: 'The action that is associated with the traffic. ACCEPT: The recorded traffic was permitted by the security groups or network ACLs. REJECT: The recorded traffic was not permitted by the security groups or network ACLs.'
    type: string
  - name: status
    required: true
    description: 'The logging status of the flow log. OK: Data is logging normally to the chosen destinations. NODATA: There was no network traffic to or from the network interface during the capture window. SKIPDATA: Some flow log records were skipped during the capture window. This may be because of an internal capacity constraint, or an internal error.'
    type: string
  - name: vpcId
    description: The ID of the VPC that contains the network interface for which the traffic is recorded.
    type: string
  - name: subNetId
    description: The ID of the subnet that contains the network interface for which the traffic is recorded.
    type: string
  - name: instanceId
    description: The ID of the instance that's associated with network interface for which the traffic is recorded, if the instance is owned by you. Returns a '-' symbol for a requester-managed network interface; for example, the network interface for a NAT gateway.
    type: string
    indicators:
      - aws_instance_id
  - name: tcpFlags
    description: "The bitmask value for the following TCP flags: SYN: 2, SYN-ACK: 18, FIN: 1, RST: 4. ACK is reported only when it's accompanied with SYN. TCP flags can be OR-ed during the aggregation interval. For short connections, the flags might be set on the same line in the flow log record, for example, 19 for SYN-ACK and FIN, and 3 for SYN and FIN."
    type: bigint
  - name: trafficType
    description: 'The type of traffic: IPv4, IPv6, or EFA.'
    type: string
  - name: pktSrcAddr
    description: The packet-level (original) source IP address of the traffic. Use this field with the srcaddr field to distinguish between the IP address of an intermediate layer through which traffic flows, and the original source IP address of the traffic. For example, when traffic flows through a network interface for a NAT gateway, or where the IP address of a pod in Amazon EKS is different from the IP address of the network interface of the instance node on which the pod is running.
    type: string
    indicators:
      - ip
  - name: pktDstAddr
    description: The packet-level (original) destination IP address for the traffic. Use this field with the dstaddr field to distinguish between the IP address of an intermediate layer through which traffic flows, and the final destination IP address of the traffic. For example, when traffic flows through a network interface for a NAT gateway, or where the IP address of a pod in Amazon EKS is different from the IP address of the network interface of the instance node on which the pod is running.
    type: string
    indicators:
      - ip
  - name: pktSrcAwsService
    description: 'The name of the subset of IP address ranges for the pkt-srcaddr field, if the source IP address is for an AWS service. The possible values are: AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS | CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CODEBUILD | DYNAMODB | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | KINESIS_VIDEO_STREAMS | ROUTE53 | ROUTE53_HEALTHCHECKS | S3 | WORKSPACES_GATEWAYS.'
    type: string
  - name: pktDstAwsService
    description: The name of the subset of IP address ranges for the pkt-dstaddr field, if the destination IP address is for an AWS service. For a list of possible values, see the pkt-src-aws-service field.
    type: string
  - name: flowDirection
    description: 'The direction of the flow with respect to the interface where traffic is captured. The possible values are: ingress | egress.'
    type: string
  - name: trafficPath
    description: The path that egress traffic takes to the destination. To determine whether the traffic is egress traffic, check the flow-direction field. The possible values are as follows. If none of the values apply, the field is set to -. If the network interface is attached to an instance based on the Nitro System, the possible values include 7 and 8 but not 2. With instances not based on the Nitro System (for example, T2 and M4), the possible values include 2 but not 7 or 8. 1 — Through another resource in the same VPC, 2 — Through an internet gateway or a gateway VPC endpoint, 3 — Through a virtual private gateway, 4 — Through an intra-region VPC peering connection, 5 — Through an inter-region VPC peering connection, 6 — Through a local gateway, 7 — Through a gateway VPC endpoint, 8 — Through an internet gateway
    type: smallint
  - name: region
    description: The Region that contains the network interface for which traffic is recorded.
    type: string
  - name: azId
    description: The ID of the Availability Zone that contains the network interface for which traffic is recorded. If the traffic is from a sublocation, the record displays a '-' symbol for this field.
    type: string
  - name: sublocationType
    description: "The type of sublocation that's returned in the sublocation-id field. The possible values are: wavelength | outpost | localzone. If the traffic is not from a sublocation, the record displays a '-' symbol for this field."
    type: string
  - name: sublocationId
    description: The ID of the sublocation that contains the network interface for which traffic is recorded. If the traffic is not from a sublocation, the record displays a '-' symbol for this field.
    type: string
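As an added example (not Panther's parser or the project's own code), the following parses a constructed header-prefixed version 2 flow log into records keyed by the AWS.VPCFlow field names above, treats "-" as "not applicable", converts start/end to RFC 3339 UTC, and decodes the tcpFlags bitmask using the bit values given in the schema (FIN 1, SYN 2, RST 4, ACK 16). The account, interface and address values in the sample are constructed.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the default (version 2) flow log format Panther ingests
# from S3: a header line, then one space-delimited record per flow.
SAMPLE_FLOW_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1418530010 1418530070 - NODATA
"""

# Header names that differ from the AWS.VPCFlow field names in the schema above.
FIELD_MAP = {"account-id": "account", "interface-id": "interfaceId",
             "srcaddr": "srcAddr", "dstaddr": "dstAddr", "srcport": "srcPort",
             "dstport": "dstPort", "log-status": "status", "tcp-flags": "tcpFlags"}
INT_FIELDS = {"version", "srcPort", "dstPort", "protocol", "packets", "bytes", "tcpFlags"}
TIME_FIELDS = {"start", "end"}
# Bit values from the tcpFlags description: FIN 1, SYN 2, RST 4, ACK 16 (so SYN-ACK is 18).
TCP_FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "ACK": 16}


def decode_tcp_flags(mask):
    """Expand an OR-ed tcpFlags bitmask into flag names, e.g. 19 -> FIN, SYN, ACK."""
    return [name for name, bit in TCP_FLAG_BITS.items() if mask & bit]


def parse_flow_log(text):
    """Parse a header-prefixed flow log into dicts keyed by AWS.VPCFlow field names."""
    records = []
    for row in csv.DictReader(io.StringIO(text), delimiter=" "):
        rec = {}
        for header, value in row.items():
            name = FIELD_MAP.get(header, header)
            if value == "-":                # '-' means "not applicable" (e.g. NODATA rows)
                rec[name] = None
            elif name in INT_FIELDS:
                rec[name] = int(value)
            elif name in TIME_FIELDS:       # epoch seconds -> RFC 3339 UTC, as in the schema
                rec[name] = datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()
            else:
                rec[name] = value
        records.append(rec)
    return records


def rejected_flows(records):
    """Return (srcAddr, dstPort) pairs that security groups or network ACLs rejected."""
    return [(r["srcAddr"], r["dstPort"]) for r in records if r["action"] == "REJECT"]
```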
