AWS Logs

Overview

Panther supports log ingestion from the following Amazon Web Services (AWS) services:

AWS ALB

AWS Aurora

AWS CloudTrail

AWS CloudWatch

AWS Config

AWS EKS

AWS GuardDuty

AWS Security Hub (Beta)

Amazon Security Lake (Beta)

AWS S3

AWS Transit Gateway

AWS VPC

AWS WAF

Beyond these natively supported AWS log sources, Panther also supports log ingestion from any other services via our AWS data transports: S3 Source, SQS Source, and CloudWatch Logs Source.

In addition to log monitoring, we recommend using Panther's Cloud Security Scanning to detect misconfigurations in your AWS environment.

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis Github repository.

Querying logs in Data Explorer

See example SQL queries, for use in Panther's Data Explorer, on the following pages:

• CloudTrail logs queries

• GuardDuty logs queries

• S3 Access logs queries

• VPC Flow logs queries

Cloud Security Scanning for AWS resources

Beyond monitoring your AWS logs, we recommend onboarding your AWS environment as a Cloud Account for Cloud Security Scanning. Cloud Security Scanning checks your cloud resources against policies you've defined to identify and alert you to vulnerabilities in your AWS environment. Panther also comes with several built-in policies based on common cloud infrastructure misconfigurations.

To learn more about how to set up Cloud Security Scanning for AWS, see Onboarding the Cloud Account in Panther.