Panther

runZero data can be imported into your Panther instance for enhanced logging and alerting.

Requirements

  • A Panther account with the required permissions,
  • An AWS S3 bucket, and
  • Exported .jsonl files from runZero that have been uploaded into your AWS S3 bucket.

Step 1: Adding a custom schema

  1. Go to Configure > Schemas and select Create New.
  2. Add a name.
  3. Upload a sample log to automatically parse the runZero output schema.

Step 2: Adding a custom log source

  1. Go to Configure > Log Sources and select Create New.
  2. Complete the Basic Information section.
  3. Opt to configure S3 prefixes and schemas now and select the custom schema you created.
  4. Configure the IAM role:
    • Opt to configure Using the AWS Console UI.
    • Click Launch Console UI.
    • Review the stack in AWS, then check the box to approve, and click to deploy the stack.
    • When the deployment completes, navigate to the Resources tab and select the LogProcessingRole that was created.
    • Copy the ARN from that role into the field on the Panther console.
  5. Configure an alarm if logs are not processed (optional).

Once completed, any .jsonl files added to the specified AWS S3 bucket will be automatically ingested and processed by Panther.