
Enable, Configure and Detect with Panther
Now that you’ve reviewed the Quick Start guide and have access to your account’s Panther Console, it’s time to get fully onboarded to start generating alerts and investigating incidents. This checklist will walk you through the steps needed to make the most of Panther’s features.
Please note that you will need to decide whether to manage your detections in the Panther Console or outside the console with the Panther Analysis Tool (PAT). We will help you understand both options and make the initial choice that is best for your team.
If you need support, please reach out to your Panther account team.

Onboarding Data

The first thing you should do is onboard your data sources and start ingesting logs. Please review our Data Sources & Transports documentation for instructions on ingesting logs from common data sources, configuring data mapping for custom log sources, and ensuring you have a healthy data pipeline feeding into Panther.

Detection Management

Now that your data is flowing into Panther, it’s time to create your detections. You can create and manage detections in the Panther Console or by using developer workflows with the Panther Analysis Tool (PAT). We have specific checklists for using each option following the descriptions below.

Panther Console

The Panther Console lets you build out your security program from one place: enable out-of-the-box Detection Packs, and create and customize your own detections while still benefiting from detections-as-code.

Panther Developer Workflows

Panther offers different options for leveraging the detections in the panther-analysis GitHub repository as part of your developer workflow, allowing Panther detections to be deployed via Continuous Integration and Continuous Deployment (CI/CD).
We strongly advise against using Detection Packs in the Panther Console if you are also using Developer Workflows such as PAT. Managing detections through both methods at the same time gives you two competing sources of truth for the same detections, so changes made through one can overwrite changes made through the other, with unexpected results.

Don’t forget about Alert Destinations!

Please note that while Panther’s detection engine may be running in your account, you will not receive alerts to external applications until you configure destinations for them. Without a destination configured, your alerts will only be visible within the Panther Console.
Detection management in the Panther Console

Detection Management Using PAT for CI/CD Workflows

Use these resources to set up the Panther Analysis Tool (PAT) for developer workflows, including CI/CD.

If you are already managing detections in the Panther Console and wish to migrate to a CI/CD workflow, follow the migration steps.

Destination and Alert Management

Once you have data in Panther and your detections are enabled, the next step is to set up your Alert Destinations to begin receiving alerts. See this Panther blog post to learn about the value of real-time alerting: Detect Everything, Real-Time Alerts As Needed
Follow the resources below to enhance your detection and response capabilities.

Incident Investigation and Data Analysis

Having all of your data readily available for search and investigation is critical for efficient threat hunting and incident triage.
Use Panther’s Indicator Search and Data Explorer features to save precious time in your incident response process and conduct a thorough analysis and investigation review.

Enrichment

Alert noise and false positives are often the most significant challenges security teams face with a security information and event management (SIEM) platform.
Use Panther's built-in enrichment features to add context to your alerts and to build more robust detections. Ruling out internet background noise inside your detection and alerting logic keeps your team focused on the alerts that matter and reduces alert fatigue.
  • Create Lookup Tables to add context to your detections and alerts
  • Configure enrichment data sources to reduce false positive alerts and enhance detections
