AWS ALB Log Monitoring

Integration Overview

The AWS Application Load Balancer (ALB) is used to automatically distribute your application traffic across multiple targets, including EC2 instances, containers, and IP addresses. Panther can collect, normalize, and monitor AWS ALB logs to help you identify suspicious activity in real time. Your normalized data is then retained to power future security investigations in a serverless data lake powered by Snowflake.

Use Cases for AWS ALB Access Logs

Access logs for AWS Application Load Balancer capture detailed information about requests sent to your load balancer. Each log entry records the time the request was received, the client's IP address, request paths, latencies, and server responses. Common security use cases for ALB access logs include monitoring for:

  • IdP authentication failures or errors
  • Failed requests to a Lambda function
  • Errors encountered when forwarding requests to AWS WAF

Onboarding Application Load Balancer Logs in Panther

Panther’s integration for AWS ALB is easy and fast to configure by using AWS S3 as a data transport. Simply select AWS ALB from the list of pre-defined log sources in Panther, select AWS S3 Bucket as your data transport method, and configure your S3 bucket to stream AWS ALB logs.

For more detailed steps on onboarding AWS ALB logs or for supported log schema, you can view our AWS ALB documentation here.

Parsing, Normalizing, and Analyzing

As Panther ingests AWS ALB access logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows security teams to craft detections, identify anomalies, and conduct investigations on logs in the context of days, weeks, or months of data.

Panther applies normalization fields to all log records, which standardizes names for attributes and empowers users to correlate data across all log sources. Panther’s search tools - Data Explorer, Indicator Search, and Query Builder - allow you to investigate your normalized logs for suspicious activity or vulnerabilities. For more on searching log data in Panther, check out our documentation on Investigations & Search.

Detection as Code

With Panther, your team won’t be confined to rigid detection rules as seen in most legacy SIEM platforms. Panther is built with detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering workflows. This results in powerful, flexible, and reusable scripting of detections for your security team.

A number of pre-built detections for AWS ALB are available by default in Panther, offering users immediate value for monitoring common IoCs and threats. You can explore our built-in detection coverage for AWS ALB logs here.

Configuring Alerts

Panther fires alerts when your detection rules or policies are triggered, and integrates with a variety of alert destinations to allow for easy access and management of any AWS ALB alerts. Alerts can also be sent to alert context or SOAR platforms for more remediation options.

Alerts are grouped into five severity levels: Info, Low, Medium, High, and Critical. Security teams have the option to dynamically assign severity based on specific log event attributes.
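The detection-as-code and dynamic-severity ideas described above, sketched as an added example that is not one of Panther's built-in detections: a Python rule covering the three use cases listed earlier (IdP authentication failures, failed Lambda requests, AWS WAF forwarding errors). The `error_reason` and `client_ip` field names follow the AWS ALB access-log format and may differ in the normalized schema; the severity mapping and sample events are assumptions made for illustration.

```python
# Added example, not a Panther built-in. rule/title/severity follow the usual
# Panther Python rule layout. Field names are taken from the AWS ALB access-log
# format (error_reason, client_ip); the names in the normalized schema may
# differ and are an assumption here.

# error_reason prefixes for the three use cases listed on this page, each with
# an illustrative (assumed) severity.
CATEGORIES = {
    "Auth": ("IdP authentication failure", "MEDIUM"),
    "Lambda": ("failed request to a Lambda function", "LOW"),
    "WAF": ("error forwarding request to AWS WAF", "HIGH"),
}


def classify(event):
    """Return (label, severity) for a matching error_reason, else None."""
    reason = event.get("error_reason") or "-"  # "-" means no error was logged
    for prefix, info in CATEGORIES.items():
        if reason.startswith(prefix):
            return info
    return None


def rule(event):
    # Alert only on records whose error_reason falls in a monitored category.
    return classify(event) is not None


def title(event):
    label, _ = classify(event)
    client = event.get("client_ip", "unknown")
    return f"ALB {label}: {event['error_reason']} from {client}"


def severity(event):
    # Severity is derived from the event's own error_reason attribute.
    _, level = classify(event)
    return level


SAMPLE_EVENTS = [  # constructed records using documentation IP ranges
    {"client_ip": "198.51.100.7", "error_reason": "AuthInvalidCookie"},
    {"client_ip": "203.0.113.20", "error_reason": "LambdaInvalidResponse"},
    {"client_ip": "203.0.113.21", "error_reason": "WAFConnectionError"},
    {"client_ip": "192.0.2.44", "error_reason": "-"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if rule(ev):
            print(severity(ev), title(ev))
```

Keeping the prefix-to-severity table in one place lets a change to the policy go through version control and CI like any other code review.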

Customer Support

If you have any questions about configuring or monitoring ALB access logs in Panther, we’re here to help. All customers have access to our technical support team via a dedicated Slack channel, email, or in-app messenger.

You can view our documentation on configuring and monitoring AWS ALB logs here, or customers can sign up for the Panther Community to share best practices or custom detections for monitoring your Application Load Balancer.

The Ideal SIEM for AWS ALB

With Panther, security teams don’t have to struggle with restrictive detection logic, waste time and resources on operational overhead, or pay skyrocketing costs to keep up with the growth of cloud app data. Panther was founded by a team of veteran security practitioners who struggled with legacy SIEM challenges first-hand, and built an intuitive, cloud-native platform to solve them.

Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts to keep up with the needs of today’s security teams. For a powerful, flexible, and scalable SIEM solution for AWS ALB, request a demo today.
