QUESTION

On the Connected Accounts page in the Panther Console, why does my cloud account have a message that says "Real Time Scanning Not Enabled"?


ANSWER

The "Real Time Scanning Not Enabled" message indicates that Real Time Scanning is not enabled for the cloud account. Specifically, this means that Panther has failed to receive non-read-only events for the given cloud account at a point in time after the cloud account was configured. There are two methods by which Panther can ingest these events, outlined below.

Regardless of the Real Time Scanning status, the cloud account will still get scanned once per day and any enabled Policies will be run. To enable Real Time Scanning, you must have a log source that is configured to monitor the resources for the specific AWS Account ID. Panther supports two ways of doing this:

  1. Onboard a CloudTrail log source (most common)

  2. Configure a CloudFormation stack to leverage CloudWatch events

Confirming Method #1: CloudTrail

When you have successfully configured the cloud account for Real Time Scanning, you will have:

Once a cloud-scan triggering event is received, Panther will mark the corresponding Cloud Account as "Real Time Scanning Enabled".

[Screenshots: Cloud Account entry; Log source entry; Log source details]

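
To check whether the CloudTrail data behind Method #1 actually contains non-read-only events for the account, you can inspect a delivered log file. This is an added example, not Panther's code: it assumes CloudTrail's `readOnly` and `recipientAccountId` record fields identify the relevant events (the page does not list Panther's exact trigger criteria), and the sample records and account IDs are constructed.

```python
import json

# Constructed sample in the shape of a CloudTrail log file ({"Records": [...]}).
# Account IDs, event names and times are illustrative, not taken from the page.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "DescribeInstances", "readOnly": True,
     "recipientAccountId": "111111111111", "eventTime": "2024-01-01T10:00:00Z"},
    {"eventName": "PutBucketPolicy", "readOnly": False,
     "recipientAccountId": "111111111111", "eventTime": "2024-01-01T10:05:00Z"},
    {"eventName": "CreateUser", "readOnly": "false",  # stringified by an export tool
     "recipientAccountId": "111111111111", "eventTime": "2024-01-01T10:07:00Z"},
    {"eventName": "RunInstances", "readOnly": False,  # different account
     "recipientAccountId": "222222222222", "eventTime": "2024-01-01T10:09:00Z"},
    {"eventName": "ExampleNoFlag",  # record with no readOnly field at all
     "recipientAccountId": "111111111111", "eventTime": "2024-01-01T10:10:00Z"},
]})

def is_write_event(record):
    """True only when the record is explicitly marked readOnly = false."""
    flag = record.get("readOnly")
    if isinstance(flag, str):
        flag = {"true": True, "false": False}.get(flag.strip().lower())
    return flag is False  # a missing or unparseable flag is not counted

def write_events_for_account(log_text, account_id):
    """Return the non-read-only records delivered for one AWS account ID."""
    records = json.loads(log_text).get("Records", [])
    return [r for r in records
            if r.get("recipientAccountId") == account_id and is_write_event(r)]

def summarize(log_text, account_id):
    """Count write events for the account and report the most recent one."""
    hits = write_events_for_account(log_text, account_id)
    return {"account_id": account_id, "write_event_count": len(hits),
            "latest": max((r["eventTime"] for r in hits), default=None),
            "event_names": sorted({r["eventName"] for r in hits})}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "111111111111"))
```

A count of zero across recent log files for the account ID points to the log source not delivering write events for that account, rather than to a problem on the Connected Accounts page itself.
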
Confirming Method #2: CloudWatch

There is currently no way to view the status of the internal Panther SQS Queue within the Panther Console. If you believe that a non-read-only event has been sent to the queue but the "Real Time Scanning Not Enabled" message persists, you can contact your Panther representative for more information.

See related: 📄 What is the PantherCloudFormationStackSetExecutionRole and do I need it when setting up cloud accounts in Panther?