runZero data can be imported into your Panther instance for enhanced logging and alerting. To set up the integration, you need:
- A Panther account with the required permissions,
- An AWS S3 bucket, and
- Exported .jsonl files from runZero that have been uploaded into your AWS S3 bucket.
Step 1: Adding a custom schema
- Go to Configure > Schemas and select Create New.
- Add a name.
- Upload a sample log to automatically parse the runZero output schema.
Step 2: Adding a custom log source
- Go to Configure > Log Sources and select Create New.
- Complete the Basic Information section.
- Opt to configure S3 prefixes and schemas now and select the custom schema you created.
- Configure the IAM role:
  - Opt to configure Using the AWS Console UI.
  - Click Launch Console UI.
  - Review the stack in AWS, then check the box to approve, and click to deploy the stack.
  - When the deployment completes, navigate to the Resources tab and select the LogProcessingRole that was created.
  - Copy the ARN from that role into the field on the Panther console.
- Configure an alarm if logs are not processed (optional).
Once completed, any .jsonl files added to the specified AWS S3 bucket will be automatically ingested and processed by Panther.
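A pre-upload check for the exported .jsonl files, and for the sample log used in Step 1, can catch lines that will not parse and fields whose type varies between records. The script below is an added example, not code from runZero or Panther; the sample records and their field names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample standing in for a runZero .jsonl export; the field
# names are illustrative, not taken from the runZero export format.
SAMPLE = "\n".join([
    '{"id": "a1", "addresses": ["10.0.0.5"], "alive": true}',
    '{"id": "a2", "addresses": ["10.0.0.6"], "alive": false, "os": "Linux"}',
    '{"id": "a3", "addresses": "10.0.0.7", "alive": true}',
    '["not", "an", "object"]',
    '{"id": "a5", "addresses": ["10.0.0.9"]',
])


def profile_jsonl(text):
    """Return (field -> set of Python type names, list of (line_no, problem))."""
    fields = defaultdict(set)
    problems = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines carry no record
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            problems.append((line_no, f"invalid JSON: {exc.msg}"))
            continue
        if not isinstance(record, dict):
            problems.append((line_no, "top-level value is not an object"))
            continue
        for key, value in record.items():
            fields[key].add(type(value).__name__)
    return dict(fields), problems


def review(text):
    """Summarise what needs attention before the file is uploaded."""
    fields, problems = profile_jsonl(text)
    # A field seen with more than one type is worth checking in the schema.
    mixed = sorted(k for k, types in fields.items() if len(types) > 1)
    return {"fields": sorted(fields), "mixed_types": mixed, "problems": problems}


if __name__ == "__main__":
    print(review(SAMPLE))
```

Fields that appear in only some records, such as `os` in the constructed sample, are a reason to choose a sample log that contains every field you want in the schema.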