Panther's Historical Search lets you search collected and normalized log data with SQL via AWS Athena.
This is useful for investigations, baselining behavior, writing rules, and advanced analytics over days, weeks, or months of log events.
Panther performs the initial normalization and processing so that log data is stored in S3 in a standard, efficient format.
Because the data lives in S3, any other application that can read the bucket can also use it for search, business intelligence, backup, or anything else. The flip side is that read access to that bucket (or to the Athena tables over it) is read access to every collected log, so scope those IAM permissions as tightly as you would the logs themselves.
The following databases are available to search:
- All data sent via Log Analysis, organized by log type (one table per log type)
- Events for all triggered alerts, organized by log type
- Events for all errors raised by rules (e.g., Python tracebacks)
- Standardized fields shared across all logs and rule matches
In the AWS Athena console, Panther's pre-built tables appear under the database dropdown.
Expanding a table shows its fields (hover over a field to see its description), and the in-browser query editor runs SQL queries against the data.
With the tables in place, you can query the data to answer common investigation questions.
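Two Athena queries of the kind the console screenshots illustrate, written here as an added example rather than taken from the Panther docs. The database name `panther_logs`, the table name `aws_cloudtrail`, the `useridentity` struct layout, the `p_event_time`, `p_any_ip_addresses` and `p_any_aws_account_ids` standard fields, and the `year`/`month`/`day` partition columns are assumptions; check them against what the Athena console shows for your deployment. The date window and the IP address are constructed.

```sql
-- Added example, not from the Panther docs: two Athena (Presto) queries against
-- Panther's Glue tables. Assumed names (verify in the Athena console):
--   database panther_logs, table aws_cloudtrail (one table per log type),
--   Panther standard fields p_event_time, p_any_ip_addresses, p_any_aws_account_ids,
--   and the year/month/day partition columns.

-- 1. Baseline: which source IPs produced the most failed AWS console logins
--    in a one-week window? Filtering on the partition columns first keeps
--    Athena from scanning every S3 prefix under the table.
SELECT
  sourceipaddress,
  useridentity.username  AS user_name,   -- assumed struct field layout
  count(*)               AS failures,
  min(p_event_time)      AS first_seen,
  max(p_event_time)      AS last_seen
FROM panther_logs.aws_cloudtrail
WHERE year = 2020 AND month = 5 AND day BETWEEN 1 AND 7   -- constructed window
  AND eventname = 'ConsoleLogin'
  AND errormessage IS NOT NULL           -- CloudTrail sets errorMessage on failed logins
GROUP BY sourceipaddress, useridentity.username
ORDER BY failures DESC
LIMIT 20;

-- 2. Investigation pivot: every CloudTrail event that touched a suspect IP in
--    the same window, using Panther's p_any_ip_addresses array (the standard
--    field populated for every log type) so the query does not depend on the
--    log's own field names. 203.0.113.10 is a constructed documentation-range address.
SELECT
  p_event_time,
  eventsource,
  eventname,
  useridentity.arn AS actor_arn,         -- assumed struct field layout
  p_any_aws_account_ids
FROM panther_logs.aws_cloudtrail
WHERE year = 2020 AND month = 5 AND day BETWEEN 1 AND 7
  AND contains(p_any_ip_addresses, '203.0.113.10')
ORDER BY p_event_time;
```

The second query is the pattern to reuse across log types: because Panther fills the `p_any_*` indicator fields during normalization, the same `contains(p_any_ip_addresses, ...)` predicate works whether the underlying table is CloudTrail, VPC Flow, or an application log, and the partition predicate bounds both the scan cost and the query time.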
All log data is stored in AWS Glue tables, which makes it available to any tool that reads the Glue Data Catalog, such as Athena, Redshift, Glue Spark jobs, and SageMaker.
Panther Historical Search is still in its early phases! Planned for upcoming releases:
- Cross integration with Panther Cloud Security findings, and more!