How do I add new AWS CloudTrail log sources to Panther when the original does not have a prefix?
QUESTION
If I started with a single AWS CloudTrail source which currently is not using a prefix, and now I want to add more, do I need to migrate the original source or create new prefixes for the new sources/"trails"?
ANSWER
There are multiple ways to add a new AWS CloudTrail log source when an existing source added to Panther lacks a prefix.
Options include the following:
- Create a new prefix in AWS, move all the current logs there, and set up the original source in Panther to have a Prefix filter. This will keep everything consistent.
- Leave the logs where they are and set up S3 Prefix Exclusion Filter(s) for the original log source to exclude the prefixes from the logs from other organizations. This allows you to keep the original log source structured the way it is.
- If you'd like to leave the original logs where they are, you can make the other organizations' prefixes two-level deep. If you want to add more organizations in the future, you can avoid needing to add additional prefix exclusion filters. For example:
Bucket/other_orgs/org1_logs/log.json
With the above structure of prefixes, and assuming your current logs are going straight to the bucket, you can exclude logs within the S3 prefixBucket/other_orgs/and not have to update your exclusion filter for each new organization in the original log source.
- If you'd like to leave the original logs where they are, you can make the other organizations' prefixes two-level deep. If you want to add more organizations in the future, you can avoid needing to add additional prefix exclusion filters. For example:
You can also check our relevant article How do I configure an S3 log source in Panther with a prefix exclusion or inclusion? for additional details on how to add prefixes and exclusion filters to your log sources.