Enable, Configure and Detect with Panther
Now that you’ve reviewed the Quick Start guide and have access to your account’s Panther Console, it’s time to get fully onboarded to start generating alerts and investigating incidents. This checklist will walk you through the steps needed to make the most of Panther’s features.
Please note that you will need to decide whether to manage your detections in the Panther Console or outside the console with the Panther Analysis Tool. We will help you understand your options and make the initial choice that is best for your team.
If you need support, please reach out to your Panther account team.
The first thing you should do is onboard your data sources and start ingesting logs. Please review our Data Sources & Transports documentation for instructions on ingesting logs from common data sources, configuring data mapping for custom log sources, and ensuring you have a healthy data pipeline feeding into Panther.
Now that your data is flowing into Panther, it’s time to create your detections. You can create and manage detections in the Panther Console or by using developer workflows with the Panther Analysis Tool (PAT). We have specific checklists for using each option following the descriptions below.
You can use the Panther Console to customize your security program from one place: enable out-of-the-box Detection Packs, and create and customize your own detections using detections-as-code.
Panther offers different options for leveraging the detections in the panther-analysis GitHub repository as part of your developer workflow, allowing Panther detections to be deployed via Continuous Integration and Continuous Deployment (CI/CD).
Please note that while Panther’s detection engine may be running in your account, you will not receive alerts to external applications until you configure destinations for them. Without a destination configured, your alerts will only be visible within the Panther Console.
Panther Developer Workflows
Use these resources to set up the Panther Analysis Tool (PAT) for developer workflows, including CI/CD.
If you are already managing detections in the Panther Console and wish to migrate to a CI/CD workflow, follow the migration steps.
Once you have data in Panther and your detections are enabled, the next step is to set up your Alert Destinations to begin receiving alerts. See this Panther blog post to learn about the value of real-time alerting: Detect Everything, Real-Time Alerts As Needed
Follow the resources below to enhance your detection and response capabilities.
Having all of your data readily available for search and investigation is critical for efficient threat hunting and incident triage.
Use Panther’s Indicator Search and Data Explorer features to save precious time in your incident response process and to conduct a thorough analysis and investigation.
Alert noise and false positives are often the most significant challenges that security teams face with security information and event management (SIEM).
Use Panther’s built-in enrichment features to add valuable context to your Alerts and to write more robust Detections. Ruling out internet background noise in your detection and alerting logic keeps your team focused on critical alerts and reduces alert fatigue.
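The following is an added example (not from the Panther documentation or the panther-analysis repository) of a Panther-style Python rule that uses Lookup Table enrichment to suppress alerts from known internet background noise. It assumes a hypothetical Lookup Table named `known_scanners` keyed on the `sourceIPAddress` field, and a CloudTrail-like event shape; the sample events are constructed inline.

```python
# Added example of a Panther-style detection using enrichment.
# Panther calls rule(event) for each event; the event behaves like a dict, and
# Lookup Table matches are attached under "p_enrichment" as
# {<table_name>: {<selector_field>: {<row columns>}}}.
# The table name and selector below are assumptions for this example.

NOISE_TABLE = "known_scanners"   # hypothetical Lookup Table name
SELECTOR = "sourceIPAddress"     # assumed field the table is matched on


def is_known_noise(event):
    """True when the event's source IP matched a row in the noise table."""
    enrichment = event.get("p_enrichment") or {}
    table_matches = enrichment.get(NOISE_TABLE) or {}
    return bool(table_matches.get(SELECTOR))


def rule(event):
    """Alert on failed console logins that are not known background noise."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    outcome = (event.get("responseElements") or {}).get("ConsoleLogin")
    if outcome != "Failure":
        return False
    return not is_known_noise(event)


def title(event):
    return f"Failed console login from {event.get('sourceIPAddress')}"


def alert_context(event):
    # Surface the enrichment so analysts see why the alert did (not) fire.
    return {
        "sourceIPAddress": event.get("sourceIPAddress"),
        "enrichment": event.get("p_enrichment") or {},
    }


# Constructed sample events (not real log data).
FAILED_LOGIN_UNKNOWN_IP = {
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.10",
    "responseElements": {"ConsoleLogin": "Failure"},
}
FAILED_LOGIN_KNOWN_SCANNER = {
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "198.51.100.7",
    "responseElements": {"ConsoleLogin": "Failure"},
    "p_enrichment": {NOISE_TABLE: {SELECTOR: {"category": "mass-scanner"}}},
}
SUCCESSFUL_LOGIN = {
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.10",
    "responseElements": {"ConsoleLogin": "Success"},
}
```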