Success Schema
Enable, Configure and Detect with Panther
Now that you’ve reviewed the Quick Start guide and have access to your account’s Panther Console, it’s time to get fully onboarded to start generating alerts and investigating incidents. This checklist will walk you through the steps needed to make the most of Panther’s features.
Please note that you will need to decide whether to manage your detections in the Panther Console or outside of the console with the Panther Analysis Tool. We will help you understand your options and make the initial choice that’s best for your team.
If you need support, please reach out to your Panther account team.
The first thing you should do is onboard your data sources and start ingesting logs. Please review our Data Sources & Transports documentation for instructions on ingesting logs from common data sources, configuring data mapping for custom log sources, and ensuring you have a healthy data pipeline feeding into Panther.
- Onboard logs with Panther-supported schemas
- Set up data pipeline health alerts
- Create custom schemas for custom log types
- Set up cloud scanning
Now that your data is flowing into Panther, it’s time to create your detections. You can create and manage detections in the Panther Console or by using developer workflows with the Panther Analysis Tool (PAT). We have specific checklists for using each option following the descriptions below.
You can use the Panther Console to fully customize your security program from one place: enable out-of-the-box Detection Packs, and create and customize your own detections while still benefiting from detections-as-code.
Panther offers different options for leveraging the detections in the panther-analysis GitHub repository as part of your developer workflow, allowing Panther detections to be deployed via Continuous Integration and Continuous Deployment (CI/CD).
We strongly advise against using Detection Packs in the Panther Console if you are also using Developer Workflows such as PAT. Managing detections via both methods at the same time will result in unexpected behavior.
Please note that while Panther’s detection engine may be running in your account, you will not receive alerts to external applications until you configure destinations for them. Without a destination configured, your alerts will only be visible within the Panther Console.
Panther Console
- Review and Activate Detection Packs
  - Review how to disable and enable individual detections within Detection Packs to ensure that your detections fit your needs.
- Configure and Customize Rules
  - Scheduled Rules require Scheduled Queries (see Incident Investigations below)
  - Policies require having a Cloud Account configured
- Set Up Real-Time Cloud Security Monitoring
- Test your Detections
Panther Developer Workflows
Use these resources to set up the Panther Analysis Tool (PAT) for developer workflows, including CI/CD.
- Follow the CI/CD for Panther Content documentation to get started and keep up with Panther-built Detections
If you are already managing detections in the Panther Console and wish to migrate to a CI/CD workflow, follow the migration steps.
Once you have data in Panther and your detections are enabled, the next step is to set up your Alert Destinations to begin receiving alerts. See this Panther blog post to learn about the value of real-time alerting: Detect Everything, Real-Time Alerts As Needed
Follow the resources below to enhance your detection and response capabilities.
- Configure your Alert Destination
- Triage Detection Alerts and analyze related events in the Panther Console
- Configure Alert Runbooks
Having all of your data readily available for search and investigation is critical for efficient threat hunting and incident triage.
Use Panther’s Indicator Search and Data Explorer features to save precious time in your incident response process and to conduct a thorough analysis and investigation.
- Search IOCs and standard data fields
- Execute SQL in the Data Explorer and view results
- Set Up Scheduled Queries
- Triage Policy findings and view resource attributes
Alert noise and false positives are often the most significant challenges that security teams face with security information and event management (SIEM).
Use Panther’s built-in enrichment features to add valuable context to your alerts and to build more robust detections. Ruling out internet background noise in your detection and alerting logic keeps your team focused on critical alerts and reduces alert fatigue.
- Create Lookup Tables to add context to your detections and alerts
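As an added illustration of the enrichment step above (example code written for this page, not Panther’s own), here is a Panther-style Python rule that reads lookup-table enrichment to suppress known internet background noise. The lookup table name `known_scanners`, its selector `sourceIPAddress`, and the row fields `category` and `owner` are assumptions; plain dicts stand in for Panther events so the module runs offline.

```python
# Added example, not Panther's own code: a Panther-style rule that uses
# lookup-table enrichment to rule out known internet background noise.
# Assumptions not on the page: the lookup table is named "known_scanners",
# it is selected on the event's "sourceIPAddress", and its rows carry
# "category" and "owner" fields. Panther injects the matched row under
# p_enrichment.<table>.<selector>; plain dicts stand in for Panther events.

LOOKUP_TABLE = "known_scanners"  # assumed lookup table name
SELECTOR = "sourceIPAddress"     # assumed selector field
BENIGN_CATEGORIES = {"research_scanner", "uptime_monitor"}


def deep_get(obj, *keys, default=None):
    """Walk nested dicts; return default on any missing key."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def enrichment(event, field):
    """Read one field from the lookup row matched on the source IP."""
    return deep_get(event, "p_enrichment", LOOKUP_TABLE, SELECTOR, field)


def rule(event):
    """Alert on failed console logins unless the source is known benign noise."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if deep_get(event, "responseElements", "ConsoleLogin") != "Failure":
        return False
    return enrichment(event, "category") not in BENIGN_CATEGORIES


def title(event):
    """Alert title carrying the enrichment context for the analyst."""
    owner = enrichment(event, "owner") or "unknown"
    return f"Failed console login from {event.get(SELECTOR)} (owner: {owner})"


# Constructed sample events shaped as Panther would hand them to the rule.
def sample_event(ip, enrichment_row=None):
    event = {
        "eventName": "ConsoleLogin",
        "responseElements": {"ConsoleLogin": "Failure"},
        SELECTOR: ip,
    }
    if enrichment_row is not None:
        event["p_enrichment"] = {LOOKUP_TABLE: {SELECTOR: enrichment_row}}
    return event
```

An unenriched event still alerts, so an empty or missing lookup row never silently suppresses a detection.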