Heroku is a cloud Platform as a Service (PaaS) used by developers to deploy, manage, and scale applications. Panther can collect, normalize, and monitor Heroku logs to maximize visibility over your applications, app infrastructure, and relevant administrative actions. Your normalized data is then retained to power future security investigations in a serverless data lake powered by Snowflake.
Use Cases for Heroku Logs
Panther offers native support for Heroku Runtime logs, which aggregate four categories of log events: App, System, API, and Add-on logs. These logs provide essential information, including the actor, timestamp, and details of a performed action. Common security use cases for these log types include:
- Monitoring for unauthorized access to an app or its add-ons, or unusual login behavior by members of the team
- Tracking administrative changes recorded in API logs, such as deploys, config var changes, and dyno scaling, to ensure accountability
- Investigating incidents or errors that arise within an app or its attached database for effective resolution
Onboarding Heroku Logs in Panther
Heroku Runtime logs are simple to onboard in Panther: Heroku streams them directly to an HTTP source (webhook). To set up a Heroku log data stream in Panther, you’ll first create a new HTTP Source within the Panther console, and then create a Heroku log drain for each app that points at that source’s URL.
For more detailed steps on onboarding Heroku Logs or for supported log schema, you can view our Heroku documentation here.
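To see what actually arrives at the HTTP source once the drain is in place, here is a small parser for the batches a Heroku HTTPS log drain POSTs. This is an added example, not Panther’s own ingestion code or Heroku’s: it reads the RFC 6587 octet-counted framing Heroku uses for drain bodies, splits each RFC 5424 syslog line into its fields, and labels each record with one of the four runtime categories. The normalized field names, the category mapping, the header checks and the sample batch are all this example’s own assumptions; the sample log lines are constructed, not captured from a real app.

```python
"""Minimal parser for the request body a Heroku HTTPS log drain POSTs.

Heroku batches messages in RFC 6587 octet-counted framing ("<len> <message>")
and each message is RFC 5424 syslog:
    <PRI>VERSION TIMESTAMP HOSTNAME APPNAME PROCID MSGID MSG
The field names of the normalized dict are this example's own choice, not
Panther's schema.
"""
import re

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<source>\S+) (?P<dyno>\S+) (?P<msgid>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def split_frames(body: bytes):
    """Yield each syslog message (as str) from an octet-counted body."""
    pos = 0
    while pos < len(body):
        # tolerate a bare newline between frames in case a count excluded it
        if body[pos:pos + 1] in (b"\n", b"\r"):
            pos += 1
            continue
        sep = body.index(b" ", pos)           # "<len> " prefix
        length = int(body[pos:sep])
        start = sep + 1
        frame = body[start:start + length]
        if len(frame) != length:
            raise ValueError("truncated frame at offset %d" % pos)
        pos = start + length
        yield frame.decode("utf-8").rstrip("\r\n")


def classify(source: str, dyno: str) -> str:
    """Map APPNAME/PROCID to Heroku's runtime log categories (approximation)."""
    if source == "heroku":
        return "api" if dyno == "api" else "system"   # router lines land in system
    if source == "app":
        return "app"
    return "addon"   # assumption: anything else is an add-on writing under its own name


def normalize(frame: str) -> dict:
    m = SYSLOG_RE.match(frame)
    if m is None:
        raise ValueError(f"not a syslog message: {frame!r}")
    pri = int(m["pri"])
    return {
        "timestamp": m["ts"],
        "facility": pri >> 3,      # RFC 5424: PRI = facility * 8 + severity
        "severity": pri & 7,
        "host": m["host"],
        "source": m["source"],
        "dyno": m["dyno"],
        "category": classify(m["source"], m["dyno"]),
        "message": m["msg"],
    }


def parse_drain_body(body: bytes) -> list:
    return [normalize(f) for f in split_frames(body)]


def accept_request(headers: dict, body: bytes, expected_token: str) -> list:
    """Check a drain POST before parsing it (hypothetical receiver hook)."""
    # Heroku sends the drain's token with every request; it identifies the
    # drain but is not a secret, so treat this as a sanity check only.
    if headers.get("Logplex-Drain-Token") != expected_token:
        raise PermissionError("Logplex-Drain-Token does not match this drain")
    events = parse_drain_body(body)
    declared = headers.get("Logplex-Msg-Count")
    if declared is not None and int(declared) != len(events):
        raise ValueError(f"header says {declared} messages, body has {len(events)}")
    return events


# --- constructed sample batch, not captured from a real app -----------------
def _frame(message: str) -> bytes:
    data = (message + "\n").encode()
    return f"{len(data)} ".encode() + data   # count covers the trailing newline


SAMPLE_BODY = b"".join(_frame(m) for m in [
    "<40>1 2024-05-01T10:15:29+00:00 host heroku web.3 - State changed from starting to up",
    "<134>1 2024-05-01T10:16:02+00:00 host heroku api - Set DATABASE_URL config vars by dev@example.com",
    '<190>1 2024-05-01T10:16:05+00:00 host app web.1 - Started GET "/login" for 203.0.113.7',
])

if __name__ == "__main__":
    headers = {"Logplex-Drain-Token": "d.example", "Logplex-Msg-Count": "3"}
    for ev in accept_request(headers, SAMPLE_BODY, "d.example"):
        print(ev["category"], ev["dyno"], ev["message"])
```

The drain itself is created per app with the Heroku CLI, e.g. `heroku drains:add https://<your-http-source-url> -a <app>`. Because the drain token is an identifier rather than a credential, authenticate the stream with a credential in the drain URL (Heroku supports HTTP basic auth in HTTPS drain URLs) and have the receiver reject requests that lack it.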
Normalizing & Analyzing Heroku Logs
As Panther ingests Heroku Logs, they are parsed, normalized, and stored in a Snowflake security data lake. This empowers security teams to craft detections, identify anomalies, and conduct investigations on logs in the context of days, weeks, or months of data.
Panther applies normalization fields to all log records, which standardizes names for attributes and empowers users to correlate and investigate data across all log types. For more on searching log data in Panther, check out our documentation on Investigations & Search.
Detection as Code
With Panther, your team won’t be confined to restrictive detection logic or proprietary query languages as seen in many SIEM platforms. Panther is built with detection-as-code principles, giving you the ability to write Python to define detections and to integrate external systems like version control and CI/CD pipelines into your detection engineering workflows. This results in powerful, flexible, and reusable scripting of detections for your security team.
Panther fires alerts when your detection rules or policies are triggered, and integrates with a variety of alert destinations to allow for easy access and management of any Heroku alerts. Alerts can also be forwarded to ticketing or SOAR platforms for more remediation options.
Alerts are categorized into five severity levels: Info, Low, Medium, High, and Critical. Security teams also have the option to assign severity dynamically, based on specific attributes of the log event that triggered the rule.
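A concrete detection-as-code rule, written the way Panther Python rules are structured (`rule()`, `title()`, `severity()`, `dedup()`, `alert_context()`), that flags administrative actions in Heroku API logs by anyone outside an approved list and picks the severity from the message content. This is an added example, not a rule shipped by Panther: the event field names (`source`, `dyno`, `message`, `timestamp`), the approved-actor list, the message formats and the sample events are assumptions constructed for illustration, and a real rule would read whatever fields Panther’s Heroku schema defines.

```python
"""Panther-style detection: unapproved administrative action in Heroku API logs.

Panther calls rule(event) for each ingested event and, when it returns True,
uses title(), severity(), dedup() and alert_context() to build the alert.
The event field names used here are assumptions for this example, not
Panther's Heroku schema.  event.get() behaves the same on a plain dict and
on Panther's event object, so the rule can be exercised locally.
"""
import re

# Constructed allowlist of identities expected to make production changes.
APPROVED_ACTORS = {"ci-bot@example.com", "release-mgr@example.com"}

# Heroku API messages such as "Deploy 9f3a9a3 by user@example.com" end with
# the acting identity; the leading word is the action (format assumed here).
ACTOR_RE = re.compile(r"\bby (?P<actor>\S+@\S+)\s*$")


def parse_api_message(message: str):
    """Return (action, actor) for an actor-attributed API message, else None."""
    m = ACTOR_RE.search(message)
    if m is None:
        return None
    return message.split(" ", 1)[0], m["actor"].lower()


def rule(event) -> bool:
    # API logs arrive with APPNAME "heroku" and PROCID "api"
    if event.get("source") != "heroku" or event.get("dyno") != "api":
        return False
    parsed = parse_api_message(event.get("message", ""))
    if parsed is None:
        return False          # lines without an actor are not admin actions
    _, actor = parsed
    return actor not in APPROVED_ACTORS


def severity(event) -> str:
    """Dynamic severity derived from the message: config vars usually hold secrets."""
    message = event.get("message", "")
    if "config vars" in message:
        return "CRITICAL"
    if message.startswith(("Deploy", "Rollback", "Release")):
        return "HIGH"
    return "MEDIUM"


def title(event) -> str:
    parsed = parse_api_message(event.get("message", ""))
    action, actor = parsed if parsed else ("unknown", "unknown")
    return f"Heroku API: {action} by unapproved actor {actor}"


def dedup(event) -> str:
    # group repeated actions by the same actor into one alert
    parsed = parse_api_message(event.get("message", ""))
    return parsed[1] if parsed else "unknown"


def alert_context(event) -> dict:
    return {
        "actor": dedup(event),
        "message": event.get("message"),
        "timestamp": event.get("timestamp"),
    }


def evaluate(events) -> list:
    """Local test helper that mimics Panther's per-event loop and returns alerts."""
    return [
        {"title": title(e), "severity": severity(e), "dedup": dedup(e),
         "context": alert_context(e)}
        for e in events if rule(e)
    ]


# Constructed events shaped like normalized drain records (not real data).
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T10:16:02+00:00", "source": "heroku", "dyno": "api",
     "message": "Deploy 9f3a9a3 by ci-bot@example.com"},
    {"timestamp": "2024-05-01T11:02:45+00:00", "source": "heroku", "dyno": "api",
     "message": "Set DATABASE_URL config vars by mallory@example.com"},
    {"timestamp": "2024-05-01T11:03:10+00:00", "source": "heroku", "dyno": "api",
     "message": "Scaled to web@1:Standard-1X by mallory@example.com"},
    # same text printed by the app itself: not an API action, must not fire
    {"timestamp": "2024-05-01T11:03:12+00:00", "source": "app", "dyno": "web.1",
     "message": "Set DATABASE_URL config vars by mallory@example.com"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["severity"], alert["title"])
```

The `source`/`dyno` check at the top of `rule()` is the part worth keeping in any real version: an attacker who can write to an app’s stdout can print text that looks like an API log line, so admin-action detections must key on the log category, not on the message text alone.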
If you have any questions about configuring or monitoring Heroku logs in Panther, we’re here to help. All customers have access to our technical support team via a dedicated Slack channel, email, or in-app messenger.
You can view our documentation on configuring and monitoring Heroku Logs here, or customers can sign up for the Panther Community to share best practices or custom detections for monitoring Heroku.
The Ideal SIEM for Heroku Logs
With Panther, you won’t have to struggle with restrictive detection logic, waste time and resources on operational overhead, or pay skyrocketing costs as you scale up data ingestion. Panther was founded by a team of veteran security practitioners who struggled with legacy SIEM challenges first-hand, and built an intuitive platform to solve them.
Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts to keep up with the needs of today’s security teams. For a powerful, flexible, and scalable SIEM integration for Heroku, request a demo today.