Glossary

A brief and human-readable event that correlated to a programmed alarm rule to provide information about data breaches, exploits, or malicious behaviors.
The event triggered by Panther after the criteria on your rule, policy, or query is met. See Triaging Alerts for more information.

A designated location where a security alert is sent after being created.
Your selected services(s) where Panther alerts are sent, such as Jira, Slack, or PagerDuty. See Destinations for more information.

A connection between computers or applications, which defines a specific set of rules for how they communicate and interact with one another.
The Panther GraphQL API is used for alert, role, and user management, and data lake querying.

Python functions that control analysis logic, generated alert title, event grouping, routing of alerts, and metadata overrides for Panther's Detections. These functions are applicable to both Rules and Policies.

Panther features may go through a closed beta, open beta, or both before becoming generally available. Features in beta phases will be identified as such in release notes and on their documentation pages.

Closed Beta: In this phase, a feature is enabled for a sub-set of customers for testing and feedback. Closed beta features may be enabled for additional customers if they request access.
Open Beta: In this phase, a feature is enabled for all customers but is still undergoing development. Feedback and bug reports are greatly appreciated during this period.

Continuous integration means work is constantly merged back into a central location, and generally includes automated testing for safety purposes. Continuous deployment or delivery means work is constantly deployed into production.
See Panther's CI/CD Onboarding Guide for information on managing detections with a CI/CD workflow.

A term for tools that you interact with from a command line, shell, virtual terminal, or similar interface.
In Panther’s context, CLI refers to tools like panther_analysis_tool and pantherlog, which are distributed by Panther and executed by customers locally on their own machines.

Cloud-native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach.

Source: CNCF​

In Panther context, an AWS account that you connect with Panther to use with Cloud Security Scanning. Accessible from the Cloud Accounts section of the Panther Console.

In Panther context, a Cloud Resource is an entity within your AWS account, such as an EC2 instance, S3 bucket, and IAM User. Cloud Resources are associated with an AWS account that you connected with Panther. Accessible from the Cloud Resources section of the Panther Console.

A time-based scheduler that executes one or more commands at specific dates and times.
In Panther's context, a Cron Expression is used to set a defined interval while running Scheduled Rules or Scheduled Queries.

Also known as web callbacks; a lightweight API that enables one system to forward data to another system when a specific event occurs.
Panther’s custom webhook alert destination allows you to deliver alerts to selected third-party platforms that accept webhooks.

​Data Explorer is a Panther tool where you can view your normalized data, select rule matches, perform SQL queries, search standard fields across data, load or schedule queries, and download sharable results in a CSV file.

In Panther, deduplication refers to the process of grouping suspicious events together into a single alert to prevent receiving duplicate alerts for the same behavior that may have multiple indicators. Any event that triggers a detection is grouped together with other events that triggered the same detection and subsequent deduplication string within the designated deduplication period. This is controlled by two aspects:

The deduplication string returned by the dedup function
The deduplication period configured on a detection

Detection-as-Code is a modern, flexible, and structured approach to writing security detections that applies software engineering best practices like version control systems (VCS) to manage detections, requires testing and manual reviews for detection changes, automatically enforces these testing and standards (CI), and automatically deploys these changes (CD).

Panther’s Detection Packs logically group detections as well as enable detection updates via the Panther Console. Panther-provided packs are defined in this open-source repository: panther-labs/panther-analysis.

A cybersecurity solution that continuously monitors endpoint data and triggers rule-based automated responses.

Panther’s Enrichment features add important context to your detections and alerts for faster investigation workflows, enhanced detections, and reduced alert noise. Panther offers the following enrichment features: Lookup Tables and a GreyNoise integration.

A “helper” function performs one part of the computation of a larger function or program. This allows you to re-use logic defined in one place multiple times, in addition to logically separating code for better comprehension and testing.
In Panther, Global Helpers contain python code that can be used in other types of Panther detections (such as policies, rules, and data models). These Global Helpers serve as a library of common programming patterns that you can extend and use in any of the detections you write.

A company that collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise
Panther's GreyNoise integration allows you to reduce false-positive alerts by identifying opportunistic attacks allowed into your perimeter and emerging threats based on GreyNoise context data and tagging.

Data collected that is likely to indicate a security breach or threat.

Panther’s Indicator Search queries all of your normalized log data to find related activity based on common IOCs such as usernames, emails, IPs, and more to tell the full story during an incident.

Log normalization parses and normalizes your uploaded logs for IOC (indicator of compromise) fields like domains and IPs to support efficient and effective analysis, searches, and correlations across all log types.

Panther’s Lookup Tables allow you to add important context to your detections and alerts by enriching the events they process and contain. They help you save time by enhancing detections, reducing alert noise, and speeding up investigations for improved investigation workflows.

A cybersecurity service that continuously monitors all security data and thus allows for robust detection, monitoring, and response to limit malicious threats and breaches.

A public Github repository of all detections developed by Panther including rules, policies, and scheduled rules.

Also known as panther_analysis_tool; an open-source utility for testing, packaging, and deploying Panther detections from source code. PAT’s intent is to enable CI/CD workflows for customers.

Panther’s web application. Customers can log in at [customer-URL].runpanther.net.

Non-Panther Console workflows you can use to interact with your Panther account, including CI/CD, API, Panther Log Tool, and the Panther Analysis Tool (PAT).

A detection that has been written and is continuously maintained by Panther.

Panther's Policies are Python functions that scan and evaluate cloud infrastructure configurations to identify misconfigurations and subsequently generate alerts. Policies specifically apply to cloud resources, whereas Rules apply to security logs.

In JSON, pretty printing includes proper line breaks, indentation, white space, and overall structure.

Source: Datagy​

An authorization method that assigns access based on user roles and user permissions.

Panther's Rules are Python functions for detecting suspicious security log activity and generating alerts.

Real-time rules, simply known as Rules, are used to analyze a point-in-time (single log)
​Scheduled rules are used to analyze aggregated or statistical data sets (many logs)

Panther's Scheduled Rules are a detection executed against a Scheduled Query data set and are used to investigate smaller subsets of data.

Panther's time-based SQL queries that allow you to pull data on a recurring basis. A Scheduled Query is always associated with at least one Scheduled Rule.

Schemas inform Panther how to normalize data for downstream services like the detection engine and tables in the data lake.

Also known as a data lake or SDL. A centralized repository aimed at maintaining and managing all log or other data sources relevant to an organization’s security posture. An SDL can ingest data from myriad sources and can integrate with other security analytics tools to provide a single place for security data to be housed, searched, and utilized.

A SIEM collects, stores, and analyzes security data across broad networks and data sources, allowing organizations to detect and respond to escalating threats.

A cloud-based Data Warehouse that integrates with Panther to provide unified, secure, and scalable security capabilities so businesses can eliminate blind spots and respond to threats at cloud-scale.

A collection of security management solutions that combine threat management with incident response and automated security operations.

Pronounced “sock.” A team of IT professionals tasked to monitor, analyze, and respond to security threats

An authentication process that allows a user to log in with one ID credential to access multiple separate and independent applications and services.

A consolidation of data tools to give extended visibility, analysis, and response across multiple applications.