QUESTION

Is there a way to periodically send something to Panther to verify that my AWS S3 ingestion pipeline is working, even when there aren't any new events? I have some low-volume log sources that keep triggering health alerts in Panther, and the only way to reduce false alerts is to use a large timeout period.

ANSWER

While we currently don't offer this exact functionality, one partial workaround makes use of a "heartbeat" signal or simple log event sent from your choice of AWS service. S3 log sources can ingest multiple log types, so as long as your log source is configured with a schema for the heartbeat "event", and receives at least one of these heartbeats per day or week, you could set the health requirements accordingly and prevent system errors. Also, if you configure this heartbeat to originate from as far up the pipeline as feasible, then any pipeline issues that do occur would be caught by the health check, except for issues between the original, low-volume log source and its first connection to the pipeline.

Regarding storage, if you use a separate schema with just one tiny event per day, it will accrue roughly 100-200 bytes, which would cost a very small amount, if not negligible. Searches, detections, and dashboard counts are configured per schema/log type, so using a separate log type would avoid interference but still keep the log source healthy.