AWS Security Hub is a comprehensive security service that helps you manage and prioritize security findings from multiple AWS services. Panther seamlessly integrates with AWS Security Hub, allowing you to continuously monitor and respond to security findings across your AWS environment, ensuring timely detection of any unusual events. Once findings are ingested into Panther, the normalized data is stored for future security investigations in a Snowflake-powered, serverless data lake.
Use Cases for AWS Security Hub Findings
Panther offers native support for AWS Security Finding Format (ASFF). Common SIEM use cases for these findings include:
- Correlating automated security checks with the rest of your security data
- Monitoring for misconfigured resources across AWS
Onboarding AWS Security Hub in Panther
Panther’s integration for AWS Security Hub is easy to configure, allowing you to onboard your log data in just a few minutes. Amazon Security Hub findings are streamed using an SNS subscription.
For more detailed steps on onboarding AWS Security Hub or for supported schema for findings, you can view our AWS Security Hub documentation here.
Normalizing & Analyzing AWS Security Hub Findings
As Panther ingests findings, they are parsed, normalized, and stored in a Snowflake security data lake. This empowers security teams to craft detections, identify anomalies, and conduct investigations on your data in the context of days, weeks, or months.
Panther’s managed schema will apply normalization fields to your AWS Security Hub findings, which standardize names for attributes and empower users to correlate and investigate data across all log types. For more on searching log data in Panther, check out our documentation on Investigations & Search.
Detection as Code
With Panther, your team won’t be confined to restrictive detection rules or domain-specific query languages as seen in many SIEM platforms. Panther is built with detection-as-code principles, giving you the ability to use Python to write expressive detections, and to integrate external systems like version control and CI/CD pipelines into your detection engineering workflows. This results in powerful, flexible, and reusable scripting of detections for your security team.
Panther fires alerts when your detection rules or policies are triggered, and integrates with a variety of alert destinations to allow for easy access and management of any Security Hub alerts. Alerts can also be forwarded to alert context or SOAR platforms for more remediation options.
Alerts are categorized in five different severity levels: Info, Low, Medium, High, and Critical. Security teams have the options to dynamically assign severity based on specific log event attributes.
If you have any questions about configuring AWS Security Hub in Panther, we’re here to help. All customers have access to our technical support team via a dedicated Slack channel, email, or in-app messenger.
You can check out our documentation on configuring AWS Security Hub here, or customers can sign up for the Panther Community to share best practices or custom detections for AWS Security Hub.
The Ideal SIEM Integration for AWS Security Hub
With Panther, security teams don’t have to struggle with restrictive detection logic, waste time and resources on operational overhead, or pay skyrocketing costs to keep up with the growth of cloud data. Panther was founded by a team of veteran security practitioners who struggled with legacy SIEM challenges first-hand, and built an intuitive, cloud-native platform to solve them.
Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts to keep up with the needs of today’s security teams. For a powerful, flexible, and scalable SIEM solution for AWS, request a demo today.