AWS VPC Log Monitoring

Integration Overview

AWS VPC (Virtual Private Cloud) is a service provided by Amazon Web Services that allows you to create a private network within the AWS cloud. With AWS VPC, you can create your own virtual network topology, including subnets, routing tables, and network gateways. Panther can collect, normalize, and monitor VPC logs to help you identify suspicious activity in real time. Your normalized data is then retained to power future security investigations in a serverless data lake powered by Snowflake.

Use Cases for VPC Flow & DNS Logs

Panther supports the ingestion of both AWS.VPCDns and AWS.VPCFlow log types. Some common security use cases for these logs include:

  • Monitoring remote logins and flagging administrative activity such as SSH and RDP
  • Detecting suspicious activity such as port scanning, network enumeration attempts, and data exfiltration
  • Examining threat patterns and generating reports of risky behaviors or non-compliant protocols

Onboarding VPC Logs in Panther

Panther supports ingesting VPC logs via an AWS S3 bucket. To pull VPC logs into Panther, simply select AWS VPC from the list of predefined log sources in Panther, and configure an S3 bucket for data transport.

For more detailed steps on onboarding AWS VPC logs or for supported log schema, you can view our AWS VPC documentation here.

Parsing, Normalizing, and Analyzing

As Panther ingests VPC logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows security teams to write detections, detect anomalies, and conduct investigations on logs in the context of days, weeks, or months of data.

Panther applies normalization fields to all log records, which standardizes names for attributes and empowers users to correlate data across all log types. Panther’s search tools empower you to investigate your normalized logs for suspicious activity or vulnerabilities. For more on searching log data in Panther, check out our documentation on Investigations & Search.

Detection as Code

With Panther, your team won’t be confined to restrictive detection rules or proprietary languages as seen in most SIEM platforms. Panther is built with detection-as-code principles, allowing you to use Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering workflows. This results in powerful, flexible, and reusable scripting of detections for your security team.

Pre-built detections for VPC logs are available by default in Panther, offering users immediate value for monitoring common IoCs and threats. You can explore our built-in detection coverage for VPC DNS and Flow Logs here.

Configuring Alerts

Panther fires alerts when your detection rules or policies are triggered, and integrates with a variety of alert destinations to allow for easy access and management of any alerts. Alerts can also be sent to alert context or SOAR platforms for more remediation options.

Alerts are categorized within five different severity levels: Info, Low, Medium, High, and Critical. Security teams have the option to dynamically assign severity level based on specific log event attributes.

Customer Support

If you have any questions about configuring or monitoring VPC logs in Panther, we’re here to help. All customers have access to our technical support team via a dedicated Slack channel, email, or in-app messenger.

You can view our documentation on configuring and monitoring AWS VPC logs here, or customers can sign up for the Panther Community to share best practices or custom detections for monitoring VPC logs.

The Ideal SIEM for AWS Environments

With Panther, security teams don’t have to pay skyrocketing costs to keep up with cloud data volume, struggle with rigid detection logic, or waste resources on operational overhead. Panther was founded by a team of veteran security practitioners who struggled with legacy SIEM challenges first-hand, and built an intuitive, cloud-native platform to solve them.

Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts to keep up with the needs of today’s security teams. For a powerful, flexible, and scalable SIEM solution for VPC Flow and DNS logs, request a demo today.

Escape Cloud Noise. Detect Security Signal.
Request a Demo