Announcing Tracebit’s partnership with Panther
We’re excited to announce Tracebit’s partnership with Panther, a leading cloud-native SIEM that leverages streaming analysis, detection-as-code, and a high performance security data lake to filter security signal from noise, at cloud scale.
Tracebit deploys and maintains tailored security canaries, proactively detecting intrusions across your cloud infrastructure, identity, and endpoints. This partnership lets security teams respond to cloud attacks detected by Tracebit canaries with the additional context of your existing Panther log sources and Panther’s powerful querying capabilities.
The new Tracebit and Panther integration is coming in Panther version 1.111, and includes these key features:
- Ingestion of Tracebit logs into Panther’s SIEM platform.
- Ready-to-use data schemas for Tracebit logs.
- Predefined detections to let you know when Tracebit alerts occur.
Using Tracebit + Panther to Detect Data Exfiltration Attempts
A Tracebit Canary is a cloud resource designed to appear enticing to attackers while blending in with legitimate resources in a customer’s environment. These resources are not accessed during normal business operations, making any interaction highly suspicious and triggering a Tracebit alert.
One example of a Tracebit Canary is an AWS S3 Bucket, specifically designed to detect Data Exfiltration attempts. Let’s walk through an example of how Panther can assist in investigating a Tracebit alert triggered by this Canary.
In this scenario, suspicious activity is detected against a Canary AWS S3 Bucket. Tracebit alerts the security analyst of some intrusion in their environment, and the analyst queries AWS CloudTrail and Okta System Logs in Panther to determine the extent and source of the breach and appropriate next steps.
1. A Tracebit Alert Indicates an Intrusion
A Tracebit alert fires, showing that a principal in AWS has listed objects under several prefixes in a Canary AWS S3 Bucket and ultimately downloaded an object.
The next image shows how the alert looks in the Tracebit portal. You’ll find key information on the actions taken in the Canary S3 Bucket, along with severity levels, user agents, IP addresses, and raw AWS CloudTrail logs:
The alert in the Tracebit portal
2. The Tracebit Alert Triggers in Panther
With the prebuilt Tracebit Alert detection enabled in Panther, the security analyst receives an alert containing Tracebit context, such as the AWS principal’s ARN, the resources accessed, and actions performed against that resource.
In this case, we can see from the ARN that the principal is a user who authenticated to AWS via Okta.
The alert in the Panther portal
3. Confirming the Unusual Activity in Panther CloudTrail Logs
The alert context shows that the user performed GetObject on a Canary S3 Bucket, which could indicate attempted data exfiltration. This looks suspicious, but to confirm that this behaviour is unusual, the analyst can query AWS CloudTrail logs in Panther.
To see this principal’s usual activity in S3, the analyst writes a query in PantherFlow, Panther’s pipelined query language.
The following query searches CloudTrail logs, filtering by the principal’s ARN and events matching GetObject within the last 30 days using three where clauses. The matching results are then aggregated to show the bucket name, number of requests, and date.
panther_logs.public.aws_cloudtrail
| where userIdentity.arn == "arn:aws:sts::693260565127:assumed-role/Okta-OIDC-Engineer/sue.johnson@acme.com"
| where eventName == "GetObject"
| where eventTime > time.ago(30d)
| summarize requests = agg.count() by time.date_trunc('day', eventTime), requestParameters["bucketName"]
The results of the PantherFlow query on AWS CloudTrail logs
4. Determining Identity Compromise in Panther Okta Logs
The results of the CloudTrail query show a large increase in access to production data in S3 on December 13th. This definitely looks unusual, and it would be useful to know if the user’s Okta identity shows indication of compromise.
To look into this, the analyst queries Okta System Logs in Panther to determine if the user’s MFA was recently reset—a common attack path used by groups such as Scattered Spider.
In this query, the logs are filtered by the username "sue.johnson@acme.com" and events matching user.mfa.factor.deactivate.
panther_logs.public.okta_systemlog
| where target[0].alternateId == "sue.johnson@acme.com"
| where eventType == "user.mfa.factor.deactivate"
The results of the PantherFlow query on Okta System logs
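As an added example (not Tracebit's or Panther's code), the logic of the two PantherFlow queries in steps 3 and 4 expressed in Python over constructed CloudTrail and Okta System Log records, combined into the single verdict the analyst reached by hand. The bucket names, timestamps, the "now" reference time and the spike threshold in the assess helper are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
# Constructed sample records in the CloudTrail and Okta System Log field shapes the two
# PantherFlow queries above rely on (not real logs from the post or from either vendor).
PRINCIPAL = "arn:aws:sts::693260565127:assumed-role/Okta-OIDC-Engineer/sue.johnson@acme.com"
USER = "sue.johnson@acme.com"
NOW = datetime(2024, 12, 14, tzinfo=timezone.utc)  # assumed query time for the 30-day window

def ct(time, name, bucket, arn=PRINCIPAL):
    return {"eventTime": time, "eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket}}

CLOUDTRAIL = [
    ct("2024-11-02T10:00:00Z", "GetObject", "acme-prod-data"),    # outside 30-day window
    ct("2024-11-25T09:15:00Z", "GetObject", "acme-prod-data"),    # normal baseline read
    ct("2024-12-02T11:40:00Z", "ListObjects", "acme-prod-data"),  # not GetObject
    ct("2024-12-13T03:05:00Z", "GetObject", "acme-prod-data"),
    ct("2024-12-13T03:06:00Z", "GetObject", "acme-prod-data"),
    ct("2024-12-13T03:07:00Z", "GetObject", "acme-prod-data"),
    ct("2024-12-13T03:09:00Z", "GetObject", "acme-canary-bucket"),  # hypothetical canary name
    ct("2024-12-13T03:10:00Z", "GetObject", "acme-prod-data", arn="arn:aws:iam::693260565127:user/bob"),
]
OKTA = [
    {"eventTime": "2024-12-12T22:48:00Z", "eventType": "user.session.start", "target": [{"alternateId": USER}]},
    {"eventTime": "2024-12-12T22:51:00Z", "eventType": "user.mfa.factor.deactivate", "target": [{"alternateId": USER}]},
]
def getobject_per_day(events, arn, now=NOW, days=30):
    """Step 3: filter by ARN, GetObject and time window, then count by (day, bucket)."""
    since = now - timedelta(days=days)
    counts = Counter()
    for e in events:
        when = datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
        if e["userIdentity"]["arn"] != arn or e["eventName"] != "GetObject" or when <= since:
            continue
        counts[(when.date().isoformat(), e["requestParameters"]["bucketName"])] += 1
    return counts

def mfa_deactivations(events, user):
    """Step 4: MFA factor deactivations whose first target is this user."""
    return [e["eventTime"] for e in events
            if e.get("target") and e["target"][0].get("alternateId") == user
            and e["eventType"] == "user.mfa.factor.deactivate"]

def assess(cloudtrail, okta, arn, user, spike_threshold=3):
    """Combine both signals: a per-bucket daily spike plus a recent MFA reset justifies containment."""
    per_day = getobject_per_day(cloudtrail, arn)
    spike_days = sorted({day for (day, _), n in per_day.items() if n >= spike_threshold})
    resets = mfa_deactivations(okta, user)
    return {"spike_days": spike_days, "mfa_resets": resets, "contain": bool(spike_days and resets)}
```

Swap the constructed lists for records pulled from Panther's data lake and the same two functions reproduce the investigation's aggregation and MFA-reset check offline.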
5. Containment and Further Investigation
The results of the Okta query show a reset of all MFA factors in the user sue.johnson@acme.com’s account.
Given the Okta identity indicates compromise and the increase in suspicious activity on the S3 Bucket, the analyst decides to suspend the user’s access to Okta and AWS while the investigation continues.
The combination of Tracebit’s Canary Infrastructure and Panther’s flexible and powerful querying capabilities has allowed for quick detection and containment of a potentially serious incident.
With the incident contained, the analyst proceeds to perform a more detailed investigation, including querying CloudTrail logs directly in Panther to investigate other activities performed by the user around that time.
The value of Tracebit + Panther
This is just one example of canary infrastructure detecting real world TTPs, and how the rich context in Tracebit alerts can aid a full investigation and response when using Panther as your unified view into the security of your cloud workloads, infrastructure, and custom applications.
Our customers are already seeing the value the partnership brings when detecting and responding to incidents. Here's what Brooks from Cresta had to say:
Tracebit alerts in Panther has been a huge time saver. We are able to quickly respond due to the enrichment and correlation possible!
Brooks Beverstock, Security Engineer at Cresta
If you'd like to learn more about how Tracebit can level up your detections, click Book a demo to schedule a call with one of the founders.