Panther's log analysis applies normalization fields (IPs, domains, etc) to all log records. These fields provide standard names for attributes across all data sources enabling fast and easy data correlation.
For example, each data source has a time that an event occurred, but each data source will likely not name the attribute the same, nor is it guaranteed that the associated time has a timezone consistent with other data sources.
The Panther attribute
p_event_time is mapped to each data source's corresponding event time and normalized to UTC. This way you can query over multiple data sources joining and ordering by
p_event_time to properly align and correlate the data despite the disparate schemas of each data source.
The fields below are appended to all log records:
The type of log.
Unique id (UUID) for the row.
The associated event time for the log type is copied here and normalized to UTC.
The current time when the event was parsed normalized to UTC.
The Panther generated internal id for the source integration.
The user supplied label for the source integration (may change if edited).
p_source_label fields are very useful for knowing where the data originated. For example, you might have multiple CloudTrail sources registered with Panther, each with a unique name (e.g., "Dev Accounts", "Producttion Accounts", "HR Accounts", etc.). These fields allow you to easily separate data based on the source which can be very useful to use in Panther rules as well as business intelligence (BI) reporting.
A common security question is often of the form of: “was some-indicator ever observed in our logs?”
Notice that the relationship of the indicator is not a concern initially, simply the presence or absence of activity is of interest.
To allow this question to be answered over all data sources the "any" fields below are appended to rows of data as appropriate.
all_logs view is provided over all data sources to make queries easy for users to find activity for an indicator in a single query.
Id of alert related to row.
Time of alert creation related to row.
Time of last alert update related to row.
List of aws account ids related to row.
List of aws arns related to row.
List of aws instance ids related to row.
List of aws tags related to row as "key:value" pairs.
List of domain names related to row.
List of ip addresses (v4 or v6 in string form) related to row.
List of MD5 hashes related to row.
List of SHA1 hashes related to row.
List of SHA256 hashes related to row.
List of user defined rule reporting tags related to row.
List of user defined rule tags related to row.
Panther manages a view over all data sources with standard fields.
This allows you to ask questions such as "was there any activity from some-bad-ip and if so where?".
The query below will show how many records (by log type) are associated with IP address
SELECTp_log_type, count(1) AS row_countFROM panther_views.all_logsWHERE year=2020 AND month=1 AND day=31 AND contains(p_any_ip_addresses, '18.104.22.168')GROUP BY p_log_type
From these results, you can pivot to the specific logs where activity is indicated.
The Panther standard fields can be used in rules. For example, this rule triggers when any GuardDuty alert is on a resource tagged as 'critical':