Panther's Log Analysis parses, normalizes, and analyzes high volumes of log data in real time. To onboard data into this pipeline, it must be sent to an S3 bucket. Data can also be organized using S3 folders (key prefixes) or multiple buckets.
Common events analyzed with log analysis include:
Authorization or authentication
Alerts from IDS
Logs are written into an S3 bucket
The bucket sends an event notification to Panther's SNS Topic
Panther receives the event notification, assumes an IAM Role, and downloads the log data
The parsed log data is forwarded for analysis
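The S3-to-SNS-to-IAM-role flow above, as an added example that is not Panther's own code or documentation: it builds the bucket notification configuration, the trust and permission policies for the role Panther assumes, and a small least-privilege review of that role. The account ID, topic ARN, bucket name, prefix and external ID are constructed placeholders.

```python
# All values below are constructed placeholders, not Panther's real identifiers.
LOG_BUCKET = "example-log-bucket"
LOG_PREFIX = "auth-logs/"
PANTHER_ACCOUNT = "111111111111"  # placeholder for the Panther AWS account ID
PANTHER_TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:panther-notifications"
EXTERNAL_ID = "replace-with-a-random-secret"

def bucket_notification_config(topic_arn, prefix):
    """Step 2: S3 publishes ObjectCreated events under the log prefix to the SNS topic."""
    return {"TopicConfigurations": [{
        "TopicArn": topic_arn,
        "Events": ["s3:ObjectCreated:*"],
        "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}},
    }]}

def log_reader_role(bucket, prefix, panther_account, external_id):
    """Step 3: trust policy and read-only permissions for the role Panther assumes."""
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{panther_account}:root"},
        "Action": "sts:AssumeRole",
        # ExternalId prevents the confused-deputy case where a third party names your role.
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}
    perms = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{bucket}"},
    ]}
    return trust, perms

def review_role(trust, perms, bucket):
    """Return least-privilege findings; an empty list means the role passes review."""
    findings = []
    for st in trust["Statement"]:
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust policy has no sts:ExternalId condition")
    for st in perms["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(a in ("*", "s3:*") or a.startswith(("s3:Put", "s3:Delete")) for a in actions):
            findings.append(f"write or wildcard actions granted: {actions}")
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(not r.startswith(f"arn:aws:s3:::{bucket}") for r in resources):
            findings.append(f"resource outside the log bucket: {resources}")
    return findings
```

Run `review_role` against the policies you actually deploy; it flags write or wildcard S3 actions, resources outside the log bucket, and a trust policy without an external ID.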