Can I create multiple Panther log sources from one S3 bucket?

QUESTION

Is it possible to split an S3 bucket into multiple Log Sources? We currently have multiple types of data in one S3 bucket; we filter them using prefixes. For example, pf1/ is a common prefix for all data belonging to one group, and pf2/ is a prefix for another. 

ANSWER

Yes!

You can onboard multiple log sources out of the same bucket. To ensure the two log sources aren’t picking up the same data, you’ll want to set up mutually exclusive S3 prefixes. In an S3 bucket with folders pf1/ and pf2/ inside. The log source with pf2/ listed in its S3 prefix will only ingest logs in that folder or deeper down that path in the bucket through that log source.

If you are looking to use a shared SNS topic for multiple S3 log sources, please check out this kb article.