I want to enable Panther's real-time cloud scanning capabilities, but I'm concerned that the feature might increase my monthly ingest amount, leading to increased cost. Will I see increased data ingest by using this function?
Panther's real-time CSPM functionality doesn't directly increase data ingestion, but depending on how you enable it, may require an additional log source.
In order to enable real-time scanning, you need to set up a data stream to inform Panther of events occurring in your account. Most commonly, this is accomplished via onboarding Cloudtrail logs to your instance, which will be included towards your monthly ingestion quota. However, most customers who are interested in real-time scanning are already ingesting Cloudtrail logs, and in those cases, enabling real-time scanning as an addition to Cloudtrail ingestion doesn't change the overall cost.
If you are not ingesting Cloudtrail, but wish to enable real-time scanning without incurring additional ingestion costs, you can use Cloudwatch Events instead of Cloudtrail to configure Panther's cloud scanning. Details and instructions on this method can be found in our Cloudwatch Event Cloud Scanning documentation.