AWS CloudWatch Log Monitoring | CloudWatch SIEM | Panther (2024)

Integration Overview

AWS CloudWatch is a service provided by Amazon Web Services that lets you monitor your AWS resources and applications in real time. It provides metrics and logs that can be used to detect and diagnose issues within your environment, as well as to troubleshoot performance problems and optimize resource utilization. Panther can collect, normalize, and monitor CloudWatch logs to help you identify suspicious activity across your AWS resources in real time. Your normalized data is then retained in a security data lake built on the cloud-native data platform Snowflake, where it powers future investigations.

Use Cases for CloudWatch Logs

CloudWatch Events logs (the event stream now delivered by Amazon EventBridge) describe state changes in AWS resources, including API calls recorded by CloudTrail. Some common SIEM use cases for CloudWatch logs include:

  • Alerting when a matched event occurs in CloudWatch
  • Detecting any changes to security groups or network ACLs
  • Defining response workflows for potential security issues

Onboarding CloudWatch Events Logs in Panther

Panther supports ingesting CloudWatch Events logs through a variety of Data Transport options: AWS S3, AWS SQS, or a direct CloudWatch integration. To pull CloudWatch logs into Panther, select AWS CloudWatch Events from the list of predefined log sources in Panther and choose your preferred data transport method to begin setup.

For more details on onboarding CloudWatch logs or for supported log schema, you can view our CloudWatch documentation here.

Parsing, Normalizing, & Analyzing Logs

As Panther ingests CloudWatch logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows you to build detections, identify anomalies, and conduct investigations in the context of days, weeks, or months of data.

Panther applies normalization fields to every log record, which standardizes attribute names and lets you correlate data across all of your log sources. Panther’s search features allow you to investigate your normalized logs for suspicious activity or vulnerabilities. For more information on searching logs, check out our documentation on Investigations & Search.

Detection as Code

With Panther, you aren’t confined to rigid detections or proprietary languages as seen in many SIEM solutions. Panther is architected around detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering processes. This results in powerful, flexible, and reusable scripting of detections for your security team.

Configuring Alerts

Panther generates alerts when your detection rules or policies for CloudWatch are triggered, and integrates with a variety of alert destinations to allow for intuitive management of those alerts. Alerts can also be routed to SOAR platforms for additional remediation options.

Alerts are categorized by five different severity levels: Info, Low, Medium, High, and Critical. Your security team has the ability to dynamically assign severity based on specific log event attributes.
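The following block is an added example, not code from this page or from Panther's own rule library. It shows what a detection-as-code rule over CloudWatch Events looks like for the use case listed earlier (any change to security groups or network ACLs) and how severity can be assigned dynamically from event attributes, as described above. The function names rule, title and severity follow Panther's Python rule convention; the event shape (the EventBridge "AWS API Call via CloudTrail" envelope with CloudTrail's requestParameters inside detail), the helper functions and every sample record are constructed for illustration and should be treated as assumptions.

```python
"""Detection-as-code rule for security group and network ACL changes arriving
through AWS CloudWatch Events, with severity derived from the request itself.
Added example: rule()/title()/severity() follow Panther's Python rule naming,
but events are plain dicts and the records below are constructed to resemble
the EventBridge "AWS API Call via CloudTrail" envelope (assumption), not
captured from a real account."""
from ipaddress import ip_network

# Mutating EC2 API calls that change security groups or network ACLs.
SG_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup", "ModifySecurityGroupRules",
}
NACL_EVENTS = {
    "CreateNetworkAcl", "DeleteNetworkAcl", "CreateNetworkAclEntry",
    "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
}
ADMIN_PORTS = {22, 3389}  # interactive admin services; world-open means critical


def _is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; a malformed CIDR counts as not world-open."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _opens_admin_port_to_world(detail: dict) -> bool:
    """Scan CloudTrail requestParameters.ipPermissions for an ingress entry that
    exposes an admin port (or every port/protocol) to any source address."""
    params = detail.get("requestParameters") or {}
    for perm in (params.get("ipPermissions") or {}).get("items") or []:
        ranges = list((perm.get("ipRanges") or {}).get("items") or [])
        ranges += (perm.get("ipv6Ranges") or {}).get("items") or []
        if not any(_is_world(r.get("cidrIp") or r.get("cidrIpv6") or "") for r in ranges):
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if perm.get("ipProtocol") == "-1" or lo is None or hi is None:
            return True  # all protocols / all ports
        if any(lo <= port <= hi for port in ADMIN_PORTS):
            return True
    return False


def rule(event: dict) -> bool:
    """Fire on successful EC2 API calls that mutate a security group or NACL."""
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return False
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "ec2.amazonaws.com":
        return False
    if detail.get("errorCode"):  # a denied or failed call changed nothing
        return False
    return detail.get("eventName") in SG_EVENTS | NACL_EVENTS


def severity(event: dict) -> str:
    """Dynamic severity: world-open admin port > NACL change > any other change."""
    detail = event["detail"]
    name = detail.get("eventName")
    if name == "AuthorizeSecurityGroupIngress" and _opens_admin_port_to_world(detail):
        return "CRITICAL"
    return "HIGH" if name in NACL_EVENTS else "MEDIUM"


def title(event: dict) -> str:
    """Alert title naming the account, the caller and the changed resource."""
    detail = event["detail"]
    params = detail.get("requestParameters") or {}
    target = params.get("groupId") or params.get("networkAclId") or "unknown"
    actor = (detail.get("userIdentity") or {}).get("arn", "unknown")
    return f"[{event.get('account')}] {actor} called {detail.get('eventName')} on {target}"


def _api_call(name: str, params: dict, error: str = "") -> dict:
    """Build one constructed CloudWatch Events record (sample data, not real)."""
    detail = {"eventSource": "ec2.amazonaws.com", "eventName": name, "awsRegion": "us-east-1",
              "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
              "requestParameters": params}
    if error:
        detail["errorCode"] = error
    return {"version": "0", "detail-type": "AWS API Call via CloudTrail", "source": "aws.ec2",
            "account": "111122223333", "region": "us-east-1", "detail": detail}


SAMPLE_EVENTS = [  # constructed records covering match, no-match and failed-call cases
    ("ssh_from_world", _api_call("AuthorizeSecurityGroupIngress", {
        "groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}})),
    ("https_from_corp", _api_call("AuthorizeSecurityGroupIngress", {
        "groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}})),
    ("nacl_entry", _api_call("CreateNetworkAclEntry", {"networkAclId": "acl-0fedcba9876543210"})),
    ("denied_revoke", _api_call("RevokeSecurityGroupIngress", {"groupId": "sg-0123456789abcdef0"},
                                error="Client.UnauthorizedOperation")),
    ("read_only", _api_call("DescribeSecurityGroups", {})),
]


def evaluate(events=SAMPLE_EVENTS) -> dict:
    """Run the rule over labelled records; returns {label: severity or None}."""
    return {label: (severity(ev) if rule(ev) else None) for label, ev in events}


if __name__ == "__main__":
    for label, sev in evaluate().items():
        print(f"{label:16} -> {sev}")
```

Two design choices are worth noting: failed or denied calls are dropped because they did not change anything (a separate rule on repeated AccessDenied errors is the better place to catch probing), and the world-open check treats a missing fromPort/toPort or an ipProtocol of "-1" as all ports, which is how CloudTrail records "all traffic" rules.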

Customer Support

If you have any questions about configuring or monitoring CloudWatch logs in Panther, our customer support team is here to help. All customers have access to support via a dedicated Slack channel, email, or in-app messenger.

You can view our documentation on configuring and monitoring CloudWatch logs here, or customers can sign up for the Panther Community to share best practices or custom detections for CloudWatch logs.

The Ideal SIEM for CloudWatch

With Panther, your team doesn’t have to waste time and resources on operational overhead, pay excessive costs to keep up with the growth of cloud app data, or struggle with restrictive detection logic. Panther was founded by a team of security engineers who ran into these problems with other SIEM solutions first-hand, and built an intuitive, cloud-native platform to solve them.

Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts. If you’re searching for a seamless SIEM platform for CloudWatch logs and AWS environments, request a demo today.
