This Glossary introduces common cloud-native, security, and Panther-specific terminology.
- A brief and human-readable event that correlated to a programmed alarm rule to provide information about data breaches, exploits, or malicious behaviors.
- A designated location where a security alert is sent after being created.
- A connection between computers or applications, which defines a specific set of rules for how they communicate and interact with one another.
- Continuous integration means work is constantly merged back into a central location, and generally includes automated testing for safety purposes. Continuous deployment or delivery means work is constantly deployed into production.
- A term for tools that you interact with from a command line, shell, virtual terminal, or similar interface.
Cloud-native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach.
In the Panther context, a Cloud Resource is an entity within your AWS account, such as an EC2 instance, an S3 bucket, or an IAM user. Cloud Resources are associated with an AWS account that you have connected to Panther, and they are accessible from the Cloud Resources section of the Panther Console.
- Also known as web callbacks; a lightweight API that enables one system to forward data to another system when a specific event occurs.
Data Explorer is a Panther tool where you can view your normalized data, select rule matches, perform SQL queries, search standard fields across data, load or schedule queries, and download sharable results in a CSV file.
In Panther, deduplication refers to the process of grouping suspicious events together into a single alert, so that you do not receive duplicate alerts for the same behavior when it has multiple indicators. Any event that triggers a detection is grouped together with other events that triggered the same detection and produced the same deduplication string within the designated deduplication period. This is controlled by two aspects:
- The deduplication string returned by the
- The deduplication period configured on a detection
Detection-as-Code is a modern, flexible, and structured approach to writing security detections that applies software engineering best practices: it uses version control systems (VCS) to manage detections, requires testing and manual review for detection changes, automatically enforces those tests and standards (CI), and automatically deploys those changes (CD).
A cybersecurity solution that continuously monitors endpoint data and triggers rule-based automated responses.
- A “helper” function performs one part of the computation of a larger function or program. This allows you to re-use logic defined in one place multiple times, in addition to logically separating code for better comprehension and testing.
- In Panther, Global Helpers contain Python code that can be used in other types of Panther detections (such as policies, rules, and data models). These Global Helpers serve as a library of common programming patterns that you can extend and use in any of the detections you write.
- A company that collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise.
- Panther's GreyNoise integration allows you to reduce false-positive alerts by identifying opportunistic attacks allowed into your perimeter and emerging threats based on GreyNoise context data and tagging.
Data collected that is likely to indicate a security breach or threat.
Log normalization parses and normalizes your uploaded logs for IOC (indicator of compromise) fields like domains and IPs to support efficient and effective analysis, searches, and correlations across all log types.
Panther’s Lookup Tables allow you to add important context to your detections and alerts by enriching the events they process. They help you save time by enhancing detections, reducing alert noise, and speeding up investigations.
A cybersecurity service that continuously monitors all security data and thus allows for robust detection, monitoring, and response to limit malicious threats and breaches.
Panther’s web-based application for UI workflows. Customers can log in at [customer-URL].runpanther.net.
Workflows outside the Panther Console that you can use to interact with your Panther account, including CI/CD, the API, the Panther Log Tool, and the Panther Analysis Tool (PAT).
An authorization method that assigns access based on user roles and user permissions.
- Schemas inform Panther how to normalize data for downstream services like the detection engine and tables in the data lake.
Also known as a data lake or SDL. A centralized repository aimed at maintaining and managing all log or other data sources relevant to an organization’s security posture. An SDL can ingest data from myriad sources and can integrate with other security analytics tools to provide a single place for security data to be housed, searched, and utilized.
A SIEM collects, stores, and analyzes security data across broad networks and data sources, allowing organizations to detect and respond to escalating threats.
A collection of security management solutions that combine threat management with incident response and automated security operations.
Pronounced “sock.” A team of IT professionals tasked with monitoring, analyzing, and responding to security threats.
An authentication process that allows a user to log in with one ID credential to access multiple separate and independent applications and services.
A consolidation of data tools to give extended visibility, analysis, and response across multiple applications.