How can I access my own AWS resources from my Python Detections? Can I store secrets in Panther?

Last updated
Save as PDF

QUESTION

Is it possible to do advanced actions in my Python detections, such as making external third-party API calls or accessing information about my AWS account?

ANSWER

To access your own AWS resources from Python Detections, please do the following:

Create a role in your AWS account that has the required permissions to access your resources (e.g. Secret Manager).
Reach out to Panther Support to request access to the detection engine, and let Panther Support know the role ARN of the role you created.
Panther Support will guide you on the next steps for configuring the role.

We can support this workflow by granting special permissions to the detection engine that runs your Python code and allowing you access to resources in your own AWS account. For example, if you wanted to access a third-party API token, you could store this securely in your own AWS account's AWS Secret Manager. In your detection, you could write code that will first retrieve the secret and then use it to make calls to the third-party API. Examples of creating that API call can be found within the Boto3 documentation.

By default, the detection engine will not allow any access to an external AWS account; even if you create the permissions, you would not be able to access your AWS account from your detections until we explicitly grant permission to do so.

For information on creating and storing secrets in AWS Secrets Manager, please reference the AWS documentation: Create an AWS Secrets Manager secret.

Considerations

Panther’s detection engine runs within an AWS Lambda over every single log event as it’s received. To understand this level of scale, if you are processing one million log events in an hour, and if you are making an API call in even half of those detections, it will very quickly exacerbate any API rate limits that may be in place and likely affect detection performance.

Because of this, it’s crucial to implement third-party API calls strategically and deliberately in Panther detections. See the section below for implementation ideas.

Before implementing a detection with an API call, explore Panther’s built-in enrichment providers: GreyNoise, Tor Exit Nodes, IPInfo. These datasets come out-of-the-box with Panther and may already have the extra context you need to leverage.
For large, static datasets, or when you want to enrich log events with context, create a custom Lookup Table instead.
- You can create and upload a Lookup Table using panther_analysis_tool and a GitHub Action, as demonstrated here.
Use filtering logic and caching helpers to store values in dynamoDB and reduce the number of API calls needed.
- See these Examples in our rule caching documentation.
- An end-to-end example can be found here.