Panther AI
Overview
Panther AI includes a set of generative AI features designed to accelerate your detection and response workflows. It operates with the persona of a security engineer and has access to many of the same tools available to human users of Panther.
Panther AI can quickly assess data, such as alerts and logs, to rapidly deliver insights. You can run predefined workflows or ask your own questions to Panther AI—it will leverage its available tools (such as querying the data lake) to answer them, generally much faster than a human analyst would be able to.

Panther AI uses Claude AI models by Anthropic through Amazon Bedrock. Panther AI does not use your data for AI training—learn more about data security below.
When using Panther AI, you may want to view previous responses or rename, pin, save, or delete certain interactions. Learn how to perform these actions in Managing Panther AI Response History.
Use of Panther AI features is subject to the AI disclaimer found on the Legal page.
Using Panther AI agents in the Console
Find Panther AI in the Panther Console in the following locations:
Panther AI
In the left-hand navigation bar, click Panther AI. Ask Panther AI anything—there is no context-dependent data being analyzed (like alerts or log events at the above entry points), so it's a good place to ask general security questions. Here, you'll see suggested and favorite prompts.

Panther AI alert triage
AI alert triage: Gather information about and analyze an alert. You can run AI alert triage on demand, or enable auto-run, which runs AI alert triage on new alerts automatically.
Alert list AI triage: Triage multiple alerts in your alerts list at once.
When you triage one or more alerts, you will see a Risk Classification score.
Panther AI search
Search results AI summary: Summarize a set of result events.
Panther AI Detection Builder
AI Detection Builder: Create and modify rules and scheduled rules with AI assistance directly in the rule editor. The AI Detection Builder can generate detection code, add test cases, and explain detection logic.
In a follow-up prompt to a Search results AI summary, you can direct Panther AI to, "Write a Panther detection for this activity."
In a follow-up prompt to an AI alert triage, you can ask Panther AI, "How should I tune the detection this alert was triggered by?"
On Detection detail pages, in the Overview tab, review the AI-generated summary.

Panther AI schema builder
There are also AI GraphQL API operations available to Cloud Connected customers and SaaS customers with pass-through billing—view them in the GraphQL API schema.
In addition to Panther AI, Panther offers an MCP server.
Enabling Panther AI
To use Panther AI features, your Panther instance's Enable Panther AI setting must be set to ON and your user role must have the Run Panther AI and Read Settings & SAML Preferences permissions.
To enable Panther AI:
In the upper-right corner of your Panther Console, click the gear icon (Settings) > Panther AI.
On the Configuration tab, click the Enable Panther AI toggle to ON.
The Enable Panther AI setting is set to OFF by default, and can only be updated by a user with the Edit Settings & SAML Preferences permission. See System Configuration to learn more about Panther AI settings.
Once Enable Panther AI is set to ON, the Run Panther AI permission will be:
Granted automatically to the default Admin role.
Available to assign to additional roles. Learn how to update a role's permissions here. (A user must additionally have the Read Settings & SAML Preferences permission to use Panther AI.)

How Panther AI uses your data
Panther AI does not use your data for AI training. Your prompts and Panther AI responses are stored in your dedicated, single-tenant AWS account (like your logs).
You can enable Panther-managed detections for Amazon Bedrock to monitor its activity. If you are a Cloud Connected customer, you can also set up Amazon Bedrock Guardrails for extra protection.
Learn more in FAQs: Panther AI architecture and security.
AI permissions and scope
Panther AI assumes the role and associated permissions of the user running it—i.e., the user logged into the Console where AI operations are being run, or the user executing AI-related API calls.
This means Panther AI will not perform read or write operations the current user could not perform themselves. This includes log type access restrictions, if set for that user role.
Tool approval for write operations
Panther AI includes a human-in-the-loop approval system for tools that perform write operations. Before Panther AI can execute actions that modify your data, you must explicitly approve or deny the operation. This gives you full control over what changes Panther AI makes in your environment.
Tools requiring approval
The following tools require explicit user approval before execution:
Tool | Description | Permissions
panther_ai_detections_write | Create new detection rules | PolicyModify, RuleModify
panther_ai_detections_author | Test and validate detection code | PolicyModify, RuleModify
panther_ai_alerts_add_comment | Add comments to alerts | AlertModify
panther_ai_alerts_update | Update alert status, quality assessment, or context tags | AlertModify
panther_ai_alerts_assign | Assign alerts to users | AlertModify
panther_ai_alerts_bulk_update | Update multiple alerts at once | AlertModify
Additionally, the panther_ai_utilities_fetch_web tool requires approval when accessing domains not on the approved domains list, if the Require Approval for Non-Approved Domains setting is enabled. Approved domains do not require approval. See Web Access for configuration details.
How tool approval works
When Panther AI attempts to use a tool that requires approval, Panther AI pauses and displays the proposed action, including the tool name and the parameters it intends to use.

Review the details of the proposed operation, then click Accept or Reject. If you reject the operation, you can optionally provide a reason for denial. If no decision is made within two minutes, the operation times out and is not executed.
Audit logging
All tool approval decisions are recorded in Panther audit logs, including:
Whether the tool was approved or denied
The rejection reason (if denied)
The tool name and parameters
The user who made the decision
Timestamp of the decision
This provides a complete audit trail of all write operations performed by Panther AI.
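An added example, not Panther's own code: a reviewer-side pass over tool approval records carrying the five fields listed above, flagging denials, approved high-impact writes, and bursts of approvals by one user. The record field names, the sample records, the HIGH_IMPACT selection, and the burst threshold are assumptions made for illustration; Panther's actual audit log schema is not shown on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tools the page lists as requiring approval before execution.
WRITE_TOOLS = {
    "panther_ai_detections_write", "panther_ai_detections_author",
    "panther_ai_alerts_add_comment", "panther_ai_alerts_update",
    "panther_ai_alerts_assign", "panther_ai_alerts_bulk_update",
}
# Assumption: the reviewer wants a second look at these two when approved.
HIGH_IMPACT = {"panther_ai_detections_write", "panther_ai_alerts_bulk_update"}

# Constructed sample records; field names are hypothetical, not Panther's schema.
SAMPLE_RECORDS = [
    {"timestamp": "2025-01-06T10:00:00Z", "user": "alice", "decision": "approved",
     "tool": "panther_ai_alerts_update", "parameters": {"status": "RESOLVED"}},
    {"timestamp": "2025-01-06T10:00:20Z", "user": "alice", "decision": "approved",
     "tool": "panther_ai_alerts_assign", "parameters": {"assignee": "bob"}},
    {"timestamp": "2025-01-06T10:00:35Z", "user": "alice", "decision": "approved",
     "tool": "panther_ai_alerts_bulk_update", "parameters": {"count": 40}},
    {"timestamp": "2025-01-06T10:05:00Z", "user": "bob", "decision": "denied",
     "tool": "panther_ai_detections_write", "parameters": {"rule": "example"},
     "rejection_reason": "Rule too broad"},
    {"timestamp": "2025-01-06T10:09:00Z", "user": "bob", "decision": "approved",
     "tool": "panther_ai_detections_write", "parameters": {"rule": "example-v2"}},
]

def review_approvals(records, burst=3, window=timedelta(seconds=60)):
    """Return (kind, user, tool, detail) findings for a reviewer, in time order."""
    findings, approved_at = [], defaultdict(list)
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    for r in sorted(records, key=lambda r: parse(r["timestamp"])):
        user, tool, ts = r["user"], r["tool"], parse(r["timestamp"])
        if tool not in WRITE_TOOLS:
            continue  # other approvals (e.g. web fetches) are out of scope here
        if r["decision"] == "denied":
            reason = r.get("rejection_reason") or "no reason given"
            findings.append(("denied", user, tool, reason))
            continue
        if tool in HIGH_IMPACT:
            findings.append(("high_impact_approved", user, tool, str(r["parameters"])))
        # Several approvals by one user in a short window suggest rubber-stamping.
        approved_at[user].append(ts)
        recent = [t for t in approved_at[user] if ts - t <= window]
        if len(recent) == burst:
            detail = f"{burst} approvals in {int(window.total_seconds())}s"
            findings.append(("approval_burst", user, tool, detail))
    return findings
```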
Panther AI settings
Panther AI configurations are made in two places: on the Panther AI settings page, and in the AI prompt bar itself.
Panther AI settings page
The Panther AI settings page has settings for enabling Panther AI, auto-running AI alert triage, and configuring web access for Panther AI.
To access your Panther AI settings, click the gear icon in the upper right corner of your Panther Console, then select Panther AI. Learn more about these settings on System Configuration.
AI prompt settings
Use AI prompt settings to tailor AI-generated content in Panther to your preferences. AI settings are universally applied to all AI entry points in Panther, but are specific to each Panther user.
To set your AI prompt settings:
Navigate to one of the AI prompt bars in the Panther Console.
On the right side of the prompt bar, click the Edit prompt settings icon.
Set the reasoning level setting.
Click Save Settings.
Reasoning level
The reasoning level setting controls reasoning depth, model selection, and tool invocation limits—not just output length. The setting determines how thoroughly Panther AI analyzes the input and the sophistication of its analysis approach.
The reasoning level AI setting has three possible values:
Basic: runs quickly and produces a brief summary
Standard: recommended for initial alert triage
Advanced: allows Panther AI to investigate deeply and produce detailed analysis outputs

The reasoning level of auto-run AI triages for alerts triggered by a certain detection can be set by adding a tag to the detection. Learn more in Auto-run AI alert triage.
Suggested and favorite prompts
When opening Panther AI from the left-hand navigation menu, under Suggested questions to get started, you'll see some randomly generated suggested prompts. Click a suggestion to execute it.

You can customize this list by favoriting a prompt:
Execute a prompt (in any of the Panther AI entry points).
To the right of the prompt text, click the star.

The prompt will be added to your list of favorite prompts, which appears under Suggested questions to get started, to the left of suggested prompts.

Favorites are specific to you, and are not shared with any other users. To remove a favorite, in the upper-right corner of the prompt tile, click X.
Citations
When Panther AI aids in triaging or summarizing your data, it will return links to relevant data so you can verify its findings. Citations may include alerts, detections, and/or data queries.

Amazon Bedrock service quotas
If you are leveraging Panther AI often (e.g., you are using auto-run AI alert triage), you may hit Amazon Bedrock service quotas. When this happens, Panther AI may not run as expected, or you may see an error in its output.
To remedy this:
If you are a Cloud Connected customer, follow this Amazon documentation to request an increase for Amazon Bedrock quotas.
If you are a SaaS customer with pass-through billing, reach out to Support.
Tools
Panther AI has access to many of the same tools available to human users of Panther. When running tools (either in the Console or programmatically), Panther AI has the same permissions set as the current user. In general, Panther AI decides when to use a specific tool based on the task you give it. When entering your own prompt, you can direct it to use certain tools, if desired.
See above for which tools require human approval before execution.
Alert management
panther_ai_alerts_add_comment: Add comments to alerts
panther_ai_alerts_list: List recent alerts, with filtering options
panther_ai_alerts_get: Get detailed alert information, including comments and associated events
panther_ai_alerts_assign: Assign alerts to users
panther_ai_alerts_bulk_update: Update multiple alerts at once
panther_ai_alerts_list_context_tags: List all available context tags for categorizing alerts
panther_ai_alerts_update: Update the status of alerts, quality assessment, or context tags
Data search and analysis
panther_ai_datalake_summarize_column: Analyze distribution of attribute values
panther_ai_datalake_search_logs: Find specific log records by attribute/value pairs
panther_ai_datalake_execute_sql: Execute custom SQL queries for complex analysis
panther_ai_datalake_activity_histogram: Get time-bucketed histograms of activity across log sources
panther_ai_utilities_pantherflow_query: Submit a PantherFlow query for validation and display
panther_ai_utilities_pantherflow_query_skill: Get PantherFlow query language reference and generation instructions
Detection management
panther_ai_detections_list: List available detections
panther_ai_detections_get: Get detection metadata and code
panther_ai_detections_write: Create new detections
panther_ai_detections_author: Test and validate detection code against sample events
panther_ai_detections_writer_skill: Get specific instructions before writing a Panther detection
Log sources, schemas, and metadata
panther_ai_log_sources_get_sample_data: Retrieve sample log events from a session for schema inference and testing
panther_ai_log_sources_list: List onboarded log sources, with health status
panther_ai_log_types_get_schema: Get column details for specific log types
panther_ai_log_types_list: List available log types
panther_ai_log_types_test_schema: Validate a schema against sample data, returning match/unmatch statistics and error messages
panther_ai_log_types_writer_skill: Get instructions about schema structure, field types, and best practices before creating schemas
panther_ai_log_types_guidance_skill: Get instructions for analyzing events based on log type
panther_ai_utilities_classification_error_fixer_skill: Get instructions for diagnosing and fixing log classification errors
Query (Saved Search) management
panther_ai_datalake_list_saved_queries: List queries (Saved Searches)
panther_ai_datalake_get_query_results: Retrieve query results
panther_ai_datalake_write_saved_query: Create a Saved Search for SQL reuse
Enrichment and context
panther_ai_enrichments_lookup: Look up entity information (IPs, users, etc.)
panther_ai_users_list: List Panther users
panther_ai_users_get: Get details about a user
panther_ai_roles_list: List Panther roles and their permissions
panther_ai_roles_get: Get details about a specific role, including permissions and log type access
panther_ai_utilities_calculate_risk_score: Calculate a normalized risk score from benign and risky security indicators
Utilities
panther_ai_utilities_fetch_web: Fetch content from a web page given a URL. Access is restricted to approved domains configured in Panther AI settings. For non-approved domains, user approval may be required depending on settings. Supports text pages, images (PNG, JPEG, GIF, WebP), and PDF documents.
panther_ai_utilities_panther_docs_skill: Get instructions for navigating Panther documentation at docs.panther.com
AI responses and citations
panther_ai_memory_get_response: Access AI response history
panther_ai_memory_search_responses: Search the AI response history database for relevant historical context
panther_ai_citations_list: List citations accumulated during the current conversation

