Amazon Security Lake is a centralized repository for security data from AWS environments, SaaS providers, on-premises, and cloud sources. All security data in your data lake is normalized according to the Open Cybersecurity Schema Framework (OCSF). Panther can collect, normalize, and monitor events from your security lake to help you identify suspicious activity in real-time. Your normalized data is retained for future security investigations in a data lake powered by Snowflake.
Panther supports ingesting all OSCF event classes. Common SIEM use cases for this OSCF data include:
Panther’s integration for Amazon Security Lake is straightforward to set up. Simply configure a new subscriber to your Security Lake with SQS and S3 and provide the details in Panther’s log source creation wizard. Once configured, Panther will automatically and continuously ingest logs from the S3 bucket, enabling you to onboard your Security Lake data in just a few minutes.
For more details on onboarding Security Lake logs or for supported log schema, view our Amazon Security Lake documentation.
As Panther ingests events, they are parsed, normalized, and stored in a Snowflake security data lake. This empowers security teams to craft detections, identify anomalies, and conduct investigations on your data in the context of days, weeks, or months.
Panther’s managed schema will apply normalization fields to your Security Lake events, standardizing attribute names and empowering users to correlate and investigate data across all log types. For more on searching log data in Panther, check out our documentation on Investigations & Search.
With Panther, your team won’t be confined to restrictive detection rules as seen in many SIEM platforms. Panther is built with detection-as-code principles, allowing users to use Python to write expressive detections and integrate external systems like version control and CI/CD pipelines into your detection engineering workflows. This results in powerful, flexible, and reusable scripting of detections for your security team. In addition, you can create correlation rules to link multiple events together, like IDP logs and Security Lake logs, for highly targeted alerts.
Panther fires alerts when your detection rules or policies are triggered and integrates with a variety of alert destinations to allow for easy access and management of any Security Lake alerts. Alerts can also be forwarded to alert context or SOAR platforms for more remediation options.
Alerts are categorized into five different severity levels: Info, Low, Medium, High, and Critical. Security teams have the option to dynamically assign severity based on specific log event attributes.
If you have any questions about configuring Amazon Security Lake with Panther, we’re here to help. All customers have access to our technical support team via a dedicated Slack channel, email, or in-app messenger.
You can check out our documentation on configuring Amazon Security Lake, or customers can sign up for the Panther Community to share best practices or custom detections for Amazon Security Lake.
With Panther, security teams don’t have to struggle with restrictive detection logic, waste time and resources on operational overhead, or pay skyrocketing costs to keep up with the growth of cloud data. Panther was founded by a team of veteran security practitioners who struggled with legacy SIEM challenges firsthand and built an intuitive, cloud-native platform to solve them.
Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts to keep up with the needs of today’s security teams. For a powerful, flexible, and scalable SIEM solution, request a demo today.
Monitor any resource changes within your AWS environment.
Correlate AWS Security Hub findings.
Protect your cloud security controls.
Identify any suspicious activity within your AWS infrastructure.
Analyze CDN traffic for signs of unusual behavior.
Monitor the IP traffic going to and from network interfaces in your VPC.
Monitor the configuration of your AWS resources.
Monitor and detect any suspicious database events.
