Panther Knowledge Base

Why does my Cloud Account display "Real Time Scanning Not Enabled" in Panther?

QUESTION

On the Connected Accounts page in the Panther Console, why does my cloud account have a message that says "Real Time Scanning Not Enabled"?

ANSWER

The "Real Time Scanning Not Enabled" message indicates that Real Time Scanning is not enabled for the cloud account. Specifically, it means that Panther has not received any non-read-only events for the given cloud account at any point after the cloud account was configured. There are two methods by which Panther can ingest these events, outlined below.

Regardless of the Real Time Scanning status, the cloud account will still get scanned once per day and any enabled Policies will be run. To enable Real Time Scanning, you must have a log source that is configured to monitor the resources for the specific AWS Account ID. Panther supports two ways of doing this:

  1. Onboard a CloudTrail log source (most common)
  2. Configure a CloudFormation stack to leverage CloudWatch events

Confirming Method #1: CloudTrail

When you have successfully configured the cloud account for Real Time Scanning, you will have:

  • An entry in both Cloud Accounts and Log Sources. These will share the same AWS Account ID.
  • CloudTrail events visible in the "Data Processed by Log Type" graph for "AWS.CloudTrail" when viewing the Log Source details.

Once a cloud-scan triggering event is received, Panther will mark the corresponding Cloud Account as "Real Time Scanning Enabled".

  • Note: Any event that is non-read-only will trigger the "Real Time Scanning Enabled" message.
  • Note: The event must be ingested after the Cloud Account is configured. Past events will not be considered when setting the "Real Time Scanning Enabled" message.
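
A troubleshooting sketch for the two notes above, added here as an example and not Panther's own code: it filters CloudTrail records down to those that are non-read-only, belong to the cloud account, and are timestamped after the account was configured. The records, account IDs and cutoff time are constructed, and treating `eventTime` as a stand-in for ingestion time is an assumption.

```python
import json
from datetime import datetime, timezone

def parse_time(ts):
    # CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-05-01T12:00:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_write_event(record):
    # readOnly is optional in CloudTrail records; only an explicit false counts.
    # Some exports (e.g. query results) render it as a string, so accept both.
    ro = record.get("readOnly")
    if isinstance(ro, str):
        return ro.lower() == "false"
    return ro is False

def qualifying_events(records, account_id, configured_at):
    """Return records that match the conditions the notes above describe."""
    cutoff = parse_time(configured_at)
    hits = []
    for r in records:
        if r.get("recipientAccountId") != account_id:
            continue  # event belongs to a different AWS account
        if not is_write_event(r):
            continue  # read-only (or unlabelled) events do not count
        if parse_time(r["eventTime"]) <= cutoff:
            continue  # assumption: eventTime approximates ingestion time
        hits.append(r)
    return hits

# Constructed sample data, not taken from a real account.
ACCOUNT_ID = "111122223333"
CONFIGURED_AT = "2024-05-01T12:00:00Z"
SAMPLE = json.loads("""{"Records": [
 {"eventName": "DescribeInstances", "readOnly": true,
  "recipientAccountId": "111122223333", "eventTime": "2024-05-01T13:00:00Z"},
 {"eventName": "CreateBucket", "readOnly": false,
  "recipientAccountId": "111122223333", "eventTime": "2024-05-01T09:00:00Z"},
 {"eventName": "PutBucketPolicy", "readOnly": false,
  "recipientAccountId": "444455556666", "eventTime": "2024-05-01T13:05:00Z"},
 {"eventName": "RunInstances", "readOnly": false,
  "recipientAccountId": "111122223333", "eventTime": "2024-05-01T13:10:00Z"},
 {"eventName": "AssumeRole",
  "recipientAccountId": "111122223333", "eventTime": "2024-05-01T13:20:00Z"}
]}""")

if __name__ == "__main__":
    for e in qualifying_events(SAMPLE["Records"], ACCOUNT_ID, CONFIGURED_AT):
        print(e["eventTime"], e["eventName"])
```

If this returns nothing for your own CloudTrail records, no event matching the conditions above has been produced since the account was configured, which is consistent with the "Real Time Scanning Not Enabled" message.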

Confirming Method #2: CloudWatch

There is currently no way to view the status of the internal Panther SQS Queue within the Panther Console. If you believe that a non-read-only event has been sent to the queue but the "Real Time Scanning Not Enabled" message persists, you can contact your Panther representative for more information.

See related: What is the PantherCloudFormationStackSetExecutionRole and do I need it when setting up cloud accounts in Panther?