After Panther has loaded and processed log data via Log Processing, you can search it freely with SQL in AWS Athena. This is useful for investigations, baselining behavior, and advanced analytics on log events spanning days, weeks, or months of data.
Panther normalizes and processes incoming logs and stores them in S3 in a standard, efficient format. Any other application with read access to that S3 bucket can also consume the data, whether for search, business intelligence, redundancy, or anything else; because the bucket holds your raw log data, scope that read access deliberately.
In the AWS Athena console, Panther's pre-built tables are listed under the database dropdown.
Expanding a table shows its fields (hover over a field to see its description), and you can use the in-browser query editor to run SQL queries against the data.
If this is your first time using Athena, you will be prompted to set up an S3 bucket to store your query results in. Query results are copies of the log data you searched, so apply the same access controls to that bucket as to the log bucket itself.
After that, you can query the data to answer common questions:
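The queries below are an added illustration of the kind of questions Athena can answer over Panther's tables; they are not taken from this page or from Panther's own documentation. They assume Panther's storage conventions as I understand them: a `panther_logs` database, an `aws_cloudtrail` table, integer partition columns `year`, `month`, `day` and `hour`, and Panther's `p_`-prefixed normalized fields (`p_event_time`, `p_any_ip_addresses`). Those names, the date range and the IP address are assumptions for the example; check them against the field list shown in the Athena console for your deployment.

```sql
-- Assumed names (not stated on this page): database panther_logs, table aws_cloudtrail,
-- hourly partitions year/month/day/hour, and Panther's p_event_time / p_any_ip_addresses.

-- 1. Investigation: failed AWS console logins over one week.
--    Restricting on partition columns is what keeps Athena from scanning the whole table;
--    Athena bills per byte scanned, so a WHERE clause on p_event_time alone is not enough.
SELECT p_event_time,
       useridentity.arn AS principal,
       sourceipaddress,
       errormessage
FROM panther_logs.aws_cloudtrail
WHERE year = 2020 AND month = 6 AND day BETWEEN 1 AND 7   -- partition pruning
  AND eventname = 'ConsoleLogin'
  AND errormessage IS NOT NULL                            -- failures carry an error message
ORDER BY p_event_time DESC
LIMIT 100;

-- 2. Baselining: API call volume per principal per day over a month,
--    to spot identities whose activity departs from their usual level.
SELECT date_trunc('day', p_event_time) AS event_day,
       useridentity.arn               AS principal,
       count(*)                        AS calls
FROM panther_logs.aws_cloudtrail
WHERE year = 2020 AND month = 6
GROUP BY 1, 2
ORDER BY calls DESC
LIMIT 50;

-- 3. Pivot on an indicator: every CloudTrail event that mentions a given address
--    anywhere in the record, using Panther's normalized p_any_ip_addresses array
--    instead of guessing which raw field the IP landed in. 203.0.113.5 is a
--    documentation-range address chosen for this example.
SELECT p_event_time,
       eventsource,
       eventname,
       useridentity.arn AS principal
FROM panther_logs.aws_cloudtrail
WHERE year = 2020 AND month = 6
  AND contains(p_any_ip_addresses, '203.0.113.5')
ORDER BY p_event_time;
```

Each query should be run with explicit partition predicates like the ones above; without them, Athena reads every object under the table's S3 prefix, which is slow and expensive on months of log data.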
All log data is registered as tables in the AWS Glue Data Catalog, which makes it available to many tools, such as Athena, Redshift Spectrum, Glue Spark jobs, and SageMaker.
Panther Historical Search is still very much in its early phases! Planned development for this tool includes:
More log types
Even more search optimization
Cross integration with Panther Compliance findings