AWS Transit Gateway (also referred to as TGW) is a service provided by Amazon Web Services that enables you to connect multiple VPCs and on-premises networks together using a central hub. AWS Transit Gateway Flow Logs capture information about the IP traffic flowing through your transit gateway. Panther can collect, normalize, and monitor these logs to help you identify any suspicious activity in real time. Your normalized data is then retained to enable future security investigations in a serverless data lake powered by Snowflake.
Use Cases for Transit Gateway Flow Logs
AWS Transit Gateway Flow Logs can capture information about source and destination IP addresses, ports, protocols, and packets and bytes transferred for each flow. Some common security use cases for Transit Gateway logs include:
- Monitoring traffic between VPCs and on-premises networks to detect unauthorized access attempts or suspicious activity
- Analyzing traffic patterns and trends to optimize resource utilization and identify potential security threats
- Identifying and troubleshooting issues with network connectivity or routing
Onboarding Transit Gateway Logs in Panther
To pull Transit Gateway logs into Panther, you need to set up an S3 bucket in the Panther Console to stream data from your AWS account. Simply select AWS Transit Gateway Flow from the list of predefined log sources in Panther, and configure an S3 bucket for data transport.
For more detailed steps on onboarding Transit Gateway Flow Logs or for supported log schema, you can view our AWS Transit Gateway documentation here.
Parsing, Normalizing, and Analyzing
As Panther ingests TGW Flow Logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows security teams to write detections, detect anomalies, and conduct investigations on logs in the context of days, weeks, or months of data.
Panther applies normalization fields to all log records, which standardizes names for attributes and enables the correlation of data across all logs. Panther’s search tools empower you to investigate your normalized logs for suspicious activity or vulnerabilities. For more on searching log data in Panther, check out our documentation on Investigations & Search.
Detection as Code
With Panther, your team won’t be confined to restrictive detection rules or proprietary coding languages as seen in many SIEM tools. Panther is built with detection-as-code principles, allowing you to use Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering workflows. This results in powerful, flexible, and reusable scripting of detections for your security team.
Panther fires alerts when your detection rules or policies are triggered, and integrates with a variety of alert destinations to allow for easy access and management of any Transit Gateway alerts. Alerts can also be sent to alert context or SOAR platforms for more remediation options.
Alerts are grouped within five different severity levels: Info, Low, Medium, High, and Critical. Security teams have the option to dynamically assign severity level based on specific log event attributes.
If you have any questions about configuring or monitoring Transit Gateway Flow Logs in Panther, we’re here to help. All customers have access to our technical support team via a dedicated Slack channel, email, or in-app messenger.
You can view our documentation on configuring and monitoring AWS Transit Gateway logs here, or customers can sign up for the Panther Community to share best practices or custom detections.
The Ideal SIEM for AWS Environments
With Panther, security teams don’t have to pay skyrocketing costs to keep up with cloud data volume, struggle with restrictive detection logic, or waste time and resources on operational overhead. Panther was founded by a team of veteran security practitioners who struggled with legacy SIEM challenges first-hand, and built an intuitive, cloud-native platform to solve them.
Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts to keep up with the needs of today’s security teams. For a powerful, flexible, and scalable SIEM solution for AWS environments, request a demo today.