Data Sources
Use the search bar above or navigate the categories below to find articles about Data Sources.
For setup instructions, check out the Panther documentation on Data Sources.
- Cloud Accounts
- After I delete a cloud account in Panther, how long does it take for those resources to be removed from the Cloud Resources page?
- Can I disable real-time scanning for my Panther cloud security integration?
- Cloud Security logs have incorrect label and id values in Panther
- Does Panther's Real-Time Cloud Security Scanning incur additional ingest costs?
- Does Panther support Cloud Security Scanning for platforms other than AWS?
- Does Panther support WAFv2 resources for cloud security scanning?
- For Self-hosted accounts, can I remove panther-account from my Cloud Accounts?
- How can I query all my distinct EC2 instances or EKS clusters in Panther?
- How do I list all my connected cloud resources in Panther?
- How do I onboard multiple AWS accounts all at once as Cloud Accounts in Panther?
- How to downgrade or turn off alerts for a specific AWS account within Panther
- My cloud resources have not updated in Panther
- Relationship between the TimeCreated attribute of the AWS.EC2.Instance resource type in Panther and the LaunchTime attribute AWS
- What are the compliance.history and resource.history log types in my data in Panther?
- What is the PantherCloudFormationStackSetExecutionRole and do I need it when setting up cloud accounts in Panther?
- Why does my Cloud Account display "Real Time Scanning Not Enabled" in Panther?
- Why did my Cloud Accounts turn unhealthy?
- Why do I see a blank information page for a cloud resource in Panther?
- Custom Logs
- Can a Panther schema accept both strings and arrays in the same field?
- Can I delete or rename a schema in Panther?
- Can I reduce my ingested bytes quota by removing or masking the fields that I do not need in Panther?
- Can I set Panther to ignore duplicate events from my log source?
- Can I specify multiple accepted data types for a log schema field in Panther?
- Can I use multiple Panther indicators for a single field in a schema?
- Can I use multiple timestamp formats in one schema in Panther?
- Can I use Panther's fastmatch in a custom schema for timestamps with spaces?
- Can I use the native parameter in a custom schema in Panther?
- Can Panther authenticate a Stripe-Signature using the HMAC auth method?
- Can Panther ingest AWS Session Manager (SSM) logs?
- Can Panther parse logs in ORC format from Apache Hive?
- Can you use a wildcard to recursively exclude files when inferring schemas from S3 folders in the Panther Console?
- Classification error "wrong number of fields" in Panther Console while ingesting logs as CSV data
- Classification Error 'readEscapedChar' when parsing logs in Panther
- Does field discovery automatically add the new fields to my schema YAML file in Panther?
- Does Panther have native support for Google Workspace Admin Alerts?
- Does Panther natively support Cloudflare Security Insight alerts?
- Does Panther offer any way to split 1 incoming event into several separate events?
- Does Panther support .tar file type for raw upload data?
- Does Panther support asciinema logs?
- Does Panther support country normalization with ISO 639-1 codes?
- Does Panther support logs in parquet format?
- Does Panther support parsing nanoseconds for timestamps in custom logs?
- Does Panther support the %-S code from the strftime format for a custom Microsoft schema?
- Do I need to include the "fieldDiscoveryEnabled: true" flag in my YAML file to use this feature in Panther?
- Do log source filters in Panther combine using the OR operation, or AND?
- Error: "Query timeout after scanning x B from x S3 objects (Total Listed: x)" when trying to infer a custom schema from the S3 data receiver in Panther
- Error: 'InvalidLogSchema: Field Discovery can only be enabled with JSON or CSV data with header' when updating or creating a schema in Panther
- Error 'Source xx did not pass configuration check' when trying to create a new Azure Blob Storage log source in Panther
- Error 'unexpected format: "%N" found in 10 byte' when running pantherlog parse
- Guide to 1.100 change to schema inference
- How can I ingest CrowdStrike logs into Panther without a subscription to CrowdStrike FDR?
- How can I ingest log events into Panther if they contain duplicate field names?
- How can I ingest Parquet files from S3 into Panther?
- How can I onboard Snowflake audit logs from other Snowflake accounts into Panther?
- How can I prevent specific raw event fields from being ingested into Panther?
- How can I write multiple pantherlog tests for a schema?
- How does the "validate" attribute work in Panther custom schemas?
- How do I change a Custom Schema field type in Panther?
- How do I download a newer version of pantherlog?
- How do I exclude a schema test from a group of tests with Pantherlog?
- How do I infer sample Cloudwatch Log Events and or JSON Array Events in Panther?
- How do I resolve a "DecodeTime: failed to parse" error for a custom schema in Panther?
- How do I resolve pantherlog errors when I try to run multiple schema tests?
- How do I resolve the Panther tool error "cannot be opened because the developer cannot be verified"?
- How do I resolve the error "schema validation failed: failed to infer Glue columns" in Panther?
- How is the field p_event_time populated in my custom schema in Panther?
- How long does it take for a table to be reflected in the Data Lake after schema creation in Panther?
- How Panther manages multiple schema matching?
- How to add an unsupported log source to Panther and request for new log sources
- How to fix "invalid number: NaN/Inf" in schema parsing?
- How to resolve "EventTime: DecodeTime" parsing error when testing schemas with pantherlog
- How to resolve "Failed to infer schema... error found in byte" when inferring schema in Panther
- How to resolve “Failed to infer schema: Must validate one and only schema (oneOf); Does not match pattern” when inferring schema in Panther?
- Invalid memory address or nil pointer dereference error in Pantherlog
- Is it possible to extract a nested field while ingesting logs to Panther?
- Is there a maximum size limit on data that Panther ingests?
- Pantherlog test fails with CSV input
- Panther schemas: does the "required" flag propagate to subfields as well?
- Schema field name not allowed to contain special character, except in Panther-managed schema
- System error in Panther: invalid stream, log entry is not JSON object
- Troubleshooting CLI errors with "pantherlog parse"
- Using the split transformation to ingest fields into Panther with a single or multiple values
- What's the distinction between the shared secret and bearer approaches for Panther HTTP log sources?
- What happens when an event is unclassified in Panther? Does this result in the loss of classified events too?
- What happens when Panther ingests a required data field whose value is null?
- What is the native parser in Panther-provided schemas?
- When adding or removing fields from a custom schema in Panther, what happens to the corresponding columns in the data lake?
- Why am I getting Bad Gateway Error when making a schema in Panther?
- Why are all my incoming logs only matching 1 schema?
- Why can’t I find logs in the data lake after ingesting data using a custom schema in Panther?
- Why do I see "schema update is not backwards compatible" when updating a schema in Panther?
- Will logs received by log sources in Panther without attached schemas be discarded?
- Will my cloned custom schema be affected when Panther updates the original managed schema?
- Data Transports
- "Failed to update source" error when adding IAM role to my Panther SQS log source
- AWS Kinesis: Firehose Delivery Streams combines data into one line to S3. How can Panther ingest the logs?
- Can I archive a log source in Panther?
- Can I backfill log data into a Panther log source?
- Can I combine multiple Panther log source filters with and/or logic?
- Can I configure AWS managed Kafka to send data to Panther?
- Can I configure Panther's log source alarm to ignore weekend days?
- Can I create multiple Panther log sources from one S3 bucket?
- Can I delete log objects from my source S3 bucket after Panther ingests them?
- Can I ingest GitHub audit logs in the same S3 bucket as other logs?
- Can I ingest logs from multiple paths in a GCS bucket into Panther?
- Can I move S3 objects without re-ingesting into Panther?
- Can I partition buckets by their log stream name with a Cloud Watch log source in Panther?
- Can I rename my SNS topic from panther-notifications-topic to something different?
- Can I send logs to Panther through a webhook?
- Can I use raw event filtering to reduce Panther ingestion costs?
- Can I view the volume of log data ingested into Panther (over a time period)?
- Can Panther ingest compressed data?
- Can Panther ingest logs via email attachment?
- Can Panther ingest Sublime Security logs?
- Choosing the best method to ingest GitHub audit logs into Panther
- Does inferring a custom schema from HTTP data modify the existing schema of an active log source?
- Does Panther add logs from my S3 bucket that existed before I started using Panther?
- Does Panther have an inclusion filter during raw data ingestion?
- Field Last Data Ingested updated in my Panther log source but no data available in Search
- How can I change the waiting period for my Panther Log Source drop-off alarm?
- How can I find the log source of an SQS queue in Panther
- How can I get Panther to ingest old data from an S3 bucket?
- How can I ingest GuardDuty findings via CloudWatch instead of S3 or SQS in Panther?
- How can I share an S3 bucket from other SIEMs with Panther?
- How come no data is coming in for a new S3 log source in Panther?
- How does the current Panther payload size limit work?
- How do I configure an S3 log source in Panther with a prefix exclusion or inclusion?
- How do I get copies of logs from Panther S3 buckets into my own AWS account S3 buckets?
- How do I get my events on separate lines when using AWS Event Bridge with S3 and Panther?
- How do I measure the latency of data ingestion into Panther?
- How do I resolve "AccessDenied" key errors when ingesting logs to Panther via S3?
- How do I resolve "Cannot have overlapping suffixes in two rules if the prefixes are overlapping for the same event type" when setting up an S3 source for Panther?
- How do I resolve the error "failure to download encrypted files from S3" while ingesting CloudTrail logs in Panther?
- How do I set up a Panther SQS data transport that connects to EventBridge?
- How many prefix filters can I add to an S3 log source?
- How to ingest Zapier logs into Panther
- How to modify the time Panther waits before sending log source health alarms
- How to reduce log source health alerts for low-volume log sources
- How to solve "Source experienced errors recently while trying to access S3 objects" for Panther Log Source
- Is the policy for the SQS panther-aws-events-queue and panther-input-data-notifications-queue open to all SNS topics?
- Missing data when ingesting data into the webhook HTTP endpoint in Panther
- No data flow or errors after creating IAM role manually for S3 source in Panther
- Panther Log Source error: "Bucket notifications are not properly configured"
- SNS topic not working for an SQS source created in the Panther Console
- Updating the S3 bucket name and IAM role in my Panther log source
- What IP does Google see when Panther pulls logs from a GCS bucket?
- What is the ARN of my Panther SQS queue log source?
- What is the default retention period of the panther-input-data-notifications-queue?
- When an S3 log file is overwritten, does Panther ingest the new version?
- Why am I failing to get caller identity on Panther's s3sns tool?
- Why am I not receiving data after my AWS S3 bucket log source has been successfully connected to my Panther Console?
- Why are S3 objects are being overwritten while Panther’s log processing is reading them?
- Why don't I see the Role ARN in the Outputs tab on CloudFormation when onboarding my S3 bucket to Panther?
- Why do I get an error when trying to ingest zst compressed files in Panther?
- Why do I get the error "failed to read line: s3manager download failed: NoSuchKey: The specified key does not exist" on my S3 log source in Panther?
- Why is my HTTP log source receiving a "s3manager download failed" error?
- Why is my SNS topic stuck in a "pending confirmation" state for the SQS confirmation for Panther?
- Supported Logs
- Access token authentication error while onboarding Crowdstrike Event Streams log source in Panther
- After fixing an unhealthy log source, why do I still get an error banner in the Panther Console?
- Are Microsoft Purview Data Loss Prevention logs supported in Panther?
- Are my Salesforce log events batched and sent to Panther at a specific time?
- Can I backfill the logs of a new log source into Panther?
- Can I exclude logs or specific fields from ingestion into Panther?
- Can I exclude the OversizedChangeNotification when ingesting AWS Config logs into Panther?
- Can I get notified in Panther when my log source stops receiving logs from any system attached to that source?
- Can I integrate with Google BigQuery API to query Gmail logs from Panther?
- Can I pause ingestion of a log source in Panther?
- Can I send only events that trigger alerts to Panther?
- Can I use the field discovery and infer schema features when configuring an AWS CloudWatch Logs source?
- Can I view log source integration API tokens in plaintext in Panther?
- Can I view more details of a log source without having to click the Edit button?
- Can Panther be used to ingest and monitor relational database audit logs, including the tracking of newly-added rows to database tables?
- Can Panther filter sensitive fields such as passwords out of incoming logs?
- Can Panther ingest GCP Security Command Center logs?
- Can Panther ingest GCP VPC Flow logs?
- Can Panther ingest Monday.com Audit log API logs?
- Can Panther perform deduplication on incoming log events?
- Does my log source overview in the Panther Console report raw ingested log volume or uncompressed?
- Does Panther's "Events Over Time by Log Type" graph include events that have been filtered out?
- Does Panther's Google Workspace integration ingest Chrome logs?
- Does Panther allow logs to be overwritten or does it append only?
- Does Panther backfill log sources after temporary connection issues?
- Does Panther have a native integration for 1Password auditevents logs?
- Does Panther have out-of-the-box support for ingesting Google Alerts?
- Does Panther ingest updates to Azure Monitor files in Blob Storage?
- Does Panther natively support ingesting CircleCI Audit logs?
- Does Panther offer native support for Signal Sciences logs?
- Does Panther support ingesting CrowdStrike EventStream logs?
- Does Panther support ingesting events from CyberHaven?
- Does Panther support ingesting Gmail logs?
- Does Panther support ingesting mail logs?
- Does Panther support Microsoft Teams as a log source?
- Does Panther support importing alerts produced by CarbonBlack within Panther as log events?
- Does Panther support native Syslog ingestion?
- Does Panther support Nessus Pro self-hosted on the Tenable native integration?
- Does Panther support OIDC authentication to Google Workspace?
- Does Zoom's deprecation of the JWT app type affect Panther’s log ingestion?
- Error: 403 access denied from Crowdstrike log source
- Error "event exceeds maximum size: event at offset 1 is larger than xx Bytes" on Panther AWS Config History log source
- Error "event exceeds maximum size: event at offset 1 is larger than xx Bytes" on Panther CloudTrail log source
- Error "http status: 403 Forbidden code: UnknownError" when setting up Microsoft Graph API source in Panther
- Error "OrganizationDomain invalid, failed to satisfy the condition: tinesDomain" when trying to set up a Tines log source in Panther
- Error 'failed to parse integer: strconv.Atoi parsing ...' when processing AWS S3 Server Access logs in Panther
- Error 'Source Microsoft365 did not pass configuration check because: error acquiring token: FromClientSecret()' when creating a Microsoft log source in Panther
- Google Workspace log source unable to access GSuite API in Panther
- How are IP addresses normalized and stored in Panther?
- How can I adapt my custom Panther CrowdStrike detections and queries to work with the Crowdstrike.FDREvent log type?
- How can I capture repo.add_topic events in GitHub Audit Logs with Panther?
- How can I check which Google Workspace application types I’m receiving in Panther?
- How can I exclude logs from my Panther GCP integration?
- How can I identify recently deleted log sources in the "Ingestion By Log Source" graph in the Panther Dashboard?
- How can I ingest AWS EKS logs to only one log source in Panther?
- How can I ingest FleetDM logs into Panther?
- How can I prevent internal traffic logs from AWS VPC Flow from being ingested into Panther?
- How can I restrict Panther user access to log types?
- How can I see who edited/deleted a log source in Panther?
- How can I set up multiple CloudTrail log sources in Panther?
- How do I add new AWS CloudTrail log sources to Panther when the original does not have a prefix?
- How do I ingest IP addresses from GitHub Audit Logs into Panther?
- How do I resolve "Netskope API response error (403) invalid token" when onboarding NetSkope logs to Panther?
- How do I resolve "Organization not found" when ingesting GitHub audit logs in Panther?
- How do I resolve "Source Snyk did not pass configuration check" when onboarding Snyk logs to Panther?
- How do I resolve a "401 unauthorized" error when onboarding Atlassian logs to Panther?
- How do I resolve a “Source encountered errors while processing logs” alert after setting up GitHub log source in Panther?
- How do I resolve the CloudTrail error "Source has recently encountered errors while processing logs" in Panther?
- How do I resolve the error "did not pass configuration check" when onboarding Salesforce logs to Panther?
- How do I resolve the error "Field validation failed on the 'required' tag" in Panther?
- How do I resolve the Zendesk log error 403 "You do not have access to this page" in Panther?
- How often does Panther pull logs from log sources?
- How often does Panther query the Atlasian API for getting Jira Audit logs?
- How often does Panther try to log in to my Salesforce integration if the password is not valid?
- How to Fix "Invalid Redirect" for Panther's Zoom Integration
- How to make separate Snowflake tables for my Panther log sources that use the same Panther-managed log type and schema
- How to resolve "Error while checking Cloud Pub/Sub subscription existence" for my GCP logs in Panther
- How to resolve "invalid header" error when trying to ingest AWS VPC flow logs through Cloudwatch in Panther
- How to resolve error 'Source Netskope… 403 - Forbidden. Legacy Rest API v2 is deprecated' when using Panther's Netskope log source integration
- If I already ingest logs through the GitHub API into Panther, do I need to apply the GitHub webhook schema?
- If I delete a log source in Panther, is its data deleted?
- How do I see who created a log source in Panther?
- Is it possible to detect if someone has edited the contents of a Google doc using Panther?
- Is log ingestion case sensitive in Panther?
- Is SystemLog the only Okta log that Panther pulls for Okta integrations?
- Is there any way to reduce AWS Cloudtrail latency in Panther?
- Is there a way to integrate CloudTrail logs in Panther without using event notifications?
- Is the TLS verification parameter necessary for ingesting Fluentd logs into Panther?
- Is unfiltered raw data stored when applying Filters in Panther?
- I want to ingest a specific field from my log event. Can I do that in Panther?
- Panther latency ingesting audit logs from Snyk
- The Okta nested field "logOnlySecurityData" is not succesfully parsed in Panther
- Troubleshooting log ingestion issues in Panther
- What happens when the connection is lost during the log ingestion of Panther's native log sources?
- What inclusion filter should I use in my GCS logging sink to only push Panther-supported GCP logs to Panther?
- What is the difference between the Panther log types GSuite.Reports and GSuite.ActivityEvent?
- What to do when a Panther log source works fine but says "Permission checks for source have failed"
- When a log source is deleted, does Panther capture the source ID in it's audit logs?
- When changing the domain name of Salesforce, do I need to change the log source in Panther?
- When trying to onboard a new Okta log source in Panther I get an Okta API permission error
- Why am I receiving a 403 forbidden error on my HMAC authenticated CrowdStrike Falcon alerts?
- Why are 1Password ItemUsage logs missing in Panther?
- Why are certain Heroku logs failing to be parsed in Panther?
- Why are certain ItemUsage 1Password Events not showing up in Panther?
- Why are my Google Workspace alerts not ingested by Panther?
- Why did my Zendesk log source in Panther stop receiving logs?
- Why does my GuardDuty log source in say it cannot access a log file in Panther?
- Why does my recently parsed event have an old p_event_time in Panther?
- Why does Panther display the CloudTrail username as "HIDDEN_DUE_TO_SECURITY_REASONS"?
- Why do I experience delays in parsing Google Workspace events within my Panther Console?
- Why do I get the error "failed to read line: gzip decompression failed: flate: corrupt input before offset" on my Lacework log source within Panther?
- Why do I see "no bot scopes requested" when onboarding Slack audit logs to Panther?
- Why do I see "Slack healthcheck failed - failed response: Slack API error (200) missing_argument" when creating a Slack source in Panther?
- Why do I see a "log not CSV" error when trying to test sample data against the AWS.ALB schema in the Panther Console?
- Why do I see a “ratelimited” error while onboarding Slack logs to Panther?
- Why do I see classification failures for Github Audit logs when I am using a Panther-provided schema?
- Why do I see Cloudflare logs dropping and the alert "Source [CloudFlare-YourLogSource] has not received events for more than 1 hour" in Panther?
- Why do I see high latency on my MongoDB Atlas log source in Panther?
- Why do I see high latency on some of my log types in Panther?
- Why do Panther API requests keeps blocking me from resetting my Salesforce security token?
- Why haven't I received Salesforce Logs in Panther for the past 24 hours?
- Why is my Tines Audit Log Source still waiting to receive data well after initial creation?
- Why is Panther not ingesting Microsoft 365 logs despite having no apparent errors?
- Why is the percentage of processed data so small in the log source Overview tab in Panther?
- Will there be a gap in the logs if permissions fail in a native Panther log source?
- Zoom integration error in Panther: status 400, no permission, next page token expired