Panther AI (Beta)

Overview

Panther AI is in open beta starting with Panther version 1.112, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther AI encompasses a set of generative AI features aimed at accelerating your detection and response workflows. It operates with the persona of a security engineer and has access to many of the same tools available to human users of Panther.

Panther AI can quickly assess data, such as alerts and logs, to rapidly deliver insights. You can run predefined workflows or ask your own questions to Panther AI—it will leverage its available tools (such as querying the data lake) to answer them, generally much faster than a human analyst would be able to.

Panther AI uses Claude AI models by Anthropic through Amazon Bedrock. Panther AI does not use your data for AI training—learn more about data security below.

Use of Panther AI features is subject to the AI disclaimer found on the Legal page.

Where to use Panther AI

Use Panther AI in the Panther Console when:

  • Analyzing alerts:

  • Summarizing Search results:

  • Asking general questions:

    The Panther AI Overview dashboard entry point is in closed beta starting with Panther version 1.113. Please share any bug reports and feature requests with your Panther support team.

    • Overview dashboard: Ask Panther AI anything—in the Overview dashboard entry point, there is no context-dependent data being analyzed (like an alert or log events in the above entry points), which means it's a good place to ask general security questions.

[Screenshot: a slide-out panel on the right side titled "ALB Web Scanning Analysis," with sections such as Summary, Key Findings, and Security Implications.]

When using Panther AI triage and summarization as well as running your own prompts, you may want to view previous responses or rename, pin, save, or delete certain interactions. Learn how to perform these actions in Managing Panther AI Response History.

There are also AI GraphQL API operations available to Cloud Connected customers and SaaS customers with "pass-through billing"—view them in the GraphQL API schema.

Separate from Panther AI, Panther also offers an MCP server.

Enabling Panther AI

To use Panther AI features, your Panther instance's Enable Panther AI setting must be set to ON and your user role must have the Run Panther AI permission. If you have a Cloud Connected Panther instance, you must also enable certain AI models in AWS.

To enable Panther AI:

  1. In the upper-right corner of your Panther Console, click the gear icon (Settings) > General.

  2. On the Panther AI tab, click the Enable Panther AI toggle to ON.

    • The Enable Panther AI setting is set to OFF by default, and can only be updated by a user with the Edit Settings & SAML Preferences permission.

    • Once Enable Panther AI is set to ON, the Run Panther AI permission will be:

  3. If you have a Cloud Connected Panther instance, follow the instructions on the AWS Add or remove access to Amazon Bedrock foundation models documentation to request access to the following foundation models in the region your Panther instance is deployed in:

    • Claude 4.0 Sonnet v1 (anthropic.claude-sonnet-4-20250514-v1:0)

    • Claude 3.7 Sonnet v1 (anthropic.claude-3-7-sonnet-20250219-v1:0)

    • Claude 3.5 Sonnet v1 (anthropic.claude-3-5-sonnet-20240620-v1:0)

    • Claude 3.5 Sonnet v2 (anthropic.claude-3-5-sonnet-20241022-v2:0)

    • Claude 3.5 Haiku v1 (anthropic.claude-3-5-haiku-20241022-v1:0)

How Panther AI uses your data

Panther AI does not use your data for AI training. Your prompts and Panther AI responses are stored in your dedicated, single-tenant AWS account (like your logs).

You can enable Panther-managed detections for Amazon Bedrock to monitor its activity. If you are a Cloud Connected customer, you can also set up Amazon Bedrock Guardrails for extra protection.
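One way to complement that monitoring, as an added example (not Panther's managed detection code): a Python rule in the `rule(event)` style that flags CloudTrail Bedrock invocations whose model is not one of the foundation models listed in the enablement steps above. The CloudTrail field names, the inference-profile prefixes, and the sample events are assumptions constructed for illustration.

```python
# Added example: allowlist check for Bedrock model invocations in CloudTrail.
# Foundation model IDs copied from the enablement step on this page.
EXPECTED_MODELS = {
    "anthropic.claude-sonnet-4-20250514-v1:0",
    "anthropic.claude-3-7-sonnet-20250219-v1:0",
    "anthropic.claude-3-5-sonnet-20240620-v1:0",
    "anthropic.claude-3-5-sonnet-20241022-v2:0",
    "anthropic.claude-3-5-haiku-20241022-v1:0",
}
INVOKE_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream",
                 "Converse", "ConverseStream"}
# Assumption: cross-region inference profiles prepend one of these prefixes.
GEO_PREFIXES = {"us", "eu", "apac"}

def normalize_model_id(model_id):
    """Reduce an ARN or inference-profile ID to a bare model ID."""
    bare = model_id.rsplit("/", 1)[-1]        # drop any ARN prefix
    head, _, rest = bare.partition(".")
    return rest if head in GEO_PREFIXES and rest else bare

def rule(event):
    """True when a Bedrock invocation names a model outside the allowlist."""
    if event.get("eventSource") != "bedrock.amazonaws.com":
        return False
    if event.get("eventName") not in INVOKE_EVENTS:
        return False
    model_id = (event.get("requestParameters") or {}).get("modelId")
    if not model_id:
        return False                          # nothing to compare against
    return normalize_model_id(model_id) not in EXPECTED_MODELS

def title(event):
    model_id = (event.get("requestParameters") or {}).get("modelId", "<none>")
    return f"Bedrock invocation of unexpected model: {model_id}"

# Constructed sample events (not real log data).
SAMPLES = [
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
     "requestParameters": {"modelId": "anthropic.claude-3-5-haiku-20241022-v1:0"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "Converse",
     "requestParameters": {"modelId": "arn:aws:bedrock:us-east-1:111122223333:"
         "inference-profile/us.anthropic.claude-sonnet-4-20250514-v1:0"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
     "requestParameters": {"modelId": "example.other-model-v1:0"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "requestParameters": {"bucketName": "example-bucket"}},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(rule(sample), title(sample))
```

If other workloads in the same AWS account legitimately call Bedrock, extend `EXPECTED_MODELS` or scope the rule to the role Panther uses before alerting on it.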

AI permissions and scope

Panther AI assumes the role and associated permissions of the user running it—i.e., the user logged into the Console where AI operations are being run, or the user executing AI-related API calls.

This means Panther AI will not perform read or write operations the current user could not perform themselves. This includes log type access restrictions, if set for that user role.

AI prompt settings

AI prompt settings are in open beta starting with Panther version 1.113, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.

Use AI prompt settings to tailor AI-generated content in Panther to your preferences. AI settings are universally applied to all AI entry points in Panther, but are specific to each Panther user.

To set your AI prompt settings:

  1. Navigate to one of the AI prompt bars in the Panther Console:

  2. On the right side of the prompt bar, click the Edit prompt settings icon.

  3. Click Save Settings.

Response length

The response length setting determines the size of the AI output and the amount of time Panther AI spends "thinking." The shorter the response length setting value, the less closely Panther AI considers the details of the input, and the faster the model runs.

The response length AI setting has three possible values:

  • Short: Runs quickly and produces a brief summary.

  • Medium: Elaborates more than Short, but is usually shorter than five paragraphs.

  • Long: Allows Panther AI to conduct an intricate analysis, and can produce very long and detailed outputs.

[Screenshot: under an "Edit prompt settings" title, a slider bar with a dot in the middle and "Short" and "Long" labels on either end.]

Citations

When Panther AI aids in triaging or summarizing your data, it will return links to relevant data so you can verify its findings. Citations may include alerts, detections, and/or data queries.

[Screenshot: under a "Panther AI" header, a response starting with "I'll help you triage this alert." Two citations are circled: one starting with Alert and the other starting with Rule.]

Tools

Panther AI has access to many of the same tools available to human users of Panther. When running tools (either in the Console or programmatically), Panther AI has the same permission set as the current user. In general, Panther AI decides when to use a certain tool based on the task you give it. When entering your own prompt, you can direct it to use certain tools, if desired.

Alert management

  • alertListTool: List recent alerts, with filtering options

  • alertTool: Get detailed alert information, including comments and associated events

  • commentTool: Add comments to alerts

  • resolveAlertTool: Resolve alerts with status updates

Data search and analysis

  • logSearchTool: Find specific log records by attribute/value pairs

  • logSketchTool: Generate activity histograms across time periods

  • columnSummaryTool: Analyze distribution of attribute values

  • sqlTool: Execute custom SQL queries for complex analysis

Detection management

  • detectionListTool: List available detections

  • detectionTool: Get detection metadata and code

  • detectionWriterTool: Create new detections

Schemas and metadata

  • logTypesTool: List available log types

  • logTypeSchemaTool: Get column details for specific log types

Query (Saved Search) management

  • listSavedQueriesTool: List queries (Saved Searches)

  • savedQueryWriterTool: Create a Saved Search in SQL for reuse

  • queryResultsTool: Retrieve query results

Enrichment and context

  • enrichmentTool: Look up entity information (IPs, users, etc.)

  • userListTool: List Panther users

  • userTool: Get details about a user

AI responses

  • aiResponseTool: Access AI response history
