Onboarding Guide
Set up your Panther environment
Last updated
Was this helpful?
Set up your Panther environment
Last updated
Was this helpful?
Onboarding in Panther includes setting up log sources, detections, and alert destinations, as well as familiarizing yourself with search tools and optionally enabling enrichment capabilities. This guide explains how to complete each of these tasks.
If you need help while onboarding, please reach out to your Panther support team.
You have successfully logged in to your Panther Console.
The first step in configuring your Panther environment is to onboard log sources, which provide data to Panther to analyze and store. After identifying valuable sources, you'll onboard each one.
Consider the log-emitting systems in your environment that you'd like to monitor for security. It's recommended to onboard enough sources to come close to your allowed ingest volume. You can use if you would only like to ingest some logs from a certain source into Panther.
If you need some ideas of where to get started, review the list. You can also onboard completely .
For each of the log sources you've identified as wanting to ingest:
If the log source is one of Panther's , onboard it by following the instructions on its documentation page.
If the log source is not one of Panther's :
If the source is able to emit event webhooks:
Onboard the source by following the .
Follow the .
If the source is not able to emit event webhooks but can export events to an S3 bucket:
Onboard the source by following the .
Follow the instructions to infer a custom schema in one of the following ways:
If the source is not able to emit event webhooks nor export events to an S3 bucket, but can export events to one of the other locations Panther can pull from, e.g., or :
Define a custom schema in one of the following ways:
Onboard the source by following the instructions within the .
If the source is not able to emit event webhooks nor export events to any of Panther's sources, see Panther's guides or reach out to your Panther support team for assistance in connecting your data to Panther.
These Step 1.2 instructions are also represented in the flow chart below:
Now that your data is flowing into Panther, it's time to configure detections. First, you'll choose whether to manage detection content in the Panther Console or CLI workflow. Then, for each source, you'll enable Panther-managed detections or create your own.
You might choose to use the CLI workflow if your team is comfortable using git, command line tools, and CI/CD pipelines. Otherwise, it's recommended to use the Panther Console.
Enable a Panther-managed Detection Pack for the source. See the instructions below for enabling a Detection Pack in the Panther Console and in the CLI workflow.
If you already enabled a Detection Pack for this log source during onboarding (on the final "Success!" page), move on to the next log source.
If the source is a custom log source:
Create your own detections. See the instructions below for creating detections in the Panther Console and in the CLI workflow. While creating detections:
For each alert destination you'd like to set up:
If the destination is not natively supported by Panther:
When setting up each alert destination, you'll select the Alert Types sent to that destination, shown below. It's strongly recommended to configure at least one alert destination to receive System Errors.
For each of the above features, determine whether you would like to enable them, and if so, follow the set up instructions on their respective pages.
If you use AWS as a cloud provider, you can use Panther's feature to monitor the configurations of your cloud resources.
If you'd like to use Cloud Security Scanning, .
Learn how to .
Learn about for custom log sources.
If you created any , designate fields as to enable cross-log search and detections.
After you have created or enabled detections, alerts for matches will be visible in your Panther Console and queryable via the Panther API—but you will not receive alerts in external applications until you complete the , to set up alert destinations.
Decide whether you'd like to manage detection content in the Panther Console or in the CLI workflow (performing uploads using the , perhaps in a pipeline). Detection content includes detection packs and individual detections (rules, scheduled rules, and policies), as well as data models, global helpers, lookup tables, saved searches, and scheduled searches. Managing detection content in both the Console and CLI workflows is unsupported.
Panther's functionality aims to eventually integrate the Console and CLI workflows. Currently, if your team uses the CLI workflow to manage detection content, the changes made to detections using the in the Console will still be overwritten on next upload (except for created in the Console, which will be preserved).
For each log source you onboarded to Panther in the previous step, you will enable Panther-managed detections or create your own. If the source is one of Panther's , follow the . Otherwise, follow the .
If the source is one of Panther's :
Follow for the source.
Learn .
If you have not done so already, to clone or fork the of detections.
Within the , locate the directory for this source, which contains Panther-managed rules and (possibly) scheduled rules.
Upload your detections to Panther manually using , or to upload detection content with PAT.
Consider leveraging Panther-managed , or creating your own.
Create .
.
If necessary, create one or more Scheduled Rules for the log source by .
If you have not done so already, to clone or fork the of Python detections.
.
.
If necessary, write one or more Scheduled Rules for the log source by .
Upload your detections to Panther manually using , or to upload detection content with PAT.
If you onboarded one or more AWS accounts for , enable Panther-managed policies, or create your own.
Enable the in the Panther Console. Note that in addition to Policies, this pack includes rules, helpers, and data models.
.
To create Policies in the Console, .
If you have not done so already, to clone or fork the of Python detections.
Within the , identify the directories of interest to you, i.e., the directories covering AWS resources you are interested in monitoring.
Upload your detections to Panther manually using , or to upload detection content with PAT.
To write Policies in the CLI workflow, .
If you are using the CLI workflow, .
Use to check that your detections match when expected.
If you onboarded an AWS account for Cloud Security Scanning, set up .
Set up to receive alerts in locations outside of your Panther Console.
Where is the best place for your team to receive Panther alerts? Does it make sense to configure multiple destinations, and route alerts of different to different locations?
If you need some ideas to get started, check out the list of supported destinations on the page. You can also create .
If the destination is one of the , follow the setup instructions specific to that destination.
If the destination can receive HTTP POST requests containing a JSON payload, follow the .
Alternatively, consider polling the Panther API for new alerts on a schedule. .
System Errors notify users when some part of their Panther workflow is not functioning correctly, such as log sources turning unhealthy or alerts failing to deliver. Learn more about System Errors on .
Learn how to triage alerts in Panther on .
Before it's time to investigate a security incident, you'll want to be comfortable using Panther's .
Practice creating filters and executing a search in the tool.
If you are comfortable writing SQL, practice running queries in .
See example queries in .
Create a , on top of which you can create a .
Panther's features can add useful context to log events, enabling you to write higher fidelity detections and generate more informative alerts. These features include:
Panther-managed Enrichment Providers like , , and
like and
containing custom data
