Links

Operations

Assessing Data Ingest Volume

You can use the Panther API metrics operations to measure the total number of bytes and events that Panther ingested or processed over a specific time period. For other methods of assessing data ingestion volume, see the sections below.

SaaS deployments of Panther

Please reach out to your Panther account team for help accessing this data.

Self-Hosted and CPaaS deployment of Panther

The information below applies to legacy Self-Hosted and CPaaS deployment types. Note that Panther no longer supports the Self-Hosted deployment type for new accounts.
The Panther log analysis CloudWatch dashboard provides deep insight into operationally relevant aspects of log processing. Understanding the ingest volume is critically important to forecast the cost of running Panther.
In the Dashboard of your Panther Console, you can view the volume of logs ingested. This can be used, in combination with your AWS bill, to forecast costs as you scale your data. We suggest you use a month of data to estimate your costs.
To view the CloudWatch dashboard:
  1. 1.
    Log in to the AWS Console.
  2. 2.
    Click CloudWatch from the Services menu.
  3. 3.
    Click Dashboards from the left sidebar of the CloudWatch console.
    The image shows the AWS CloudWatch sidebar menu.
  4. 4.
    Click the dashboard name beginning with PantherLogAnalysis
    The image shows a list of Dashboards in AWS CloudWatch.
  5. 5.
    Click the three dots icon in upper right corner of the tile titled "Input MBytes (Uncompressed) by Log Type". In the dropdown menu, click View in CloudWatch Insights.
    In AWS CloudWatch, there is a tile labeled "Input MBytes (Uncompressed) by Log Type". On the right side of the tile, there is a 3 dots icon. It is expanded to show a dropdown menu, with the option "View in CloudWatch Logs Insights" highlighted.
  6. 6.
    Set the time period for 4 weeks, then click Apply.
  7. 7.
    At the top of the Logs Insights page, click Run Query.
The AWS CloudWatch Logs Insights page is displayed. A query is entered into the text field at the top of the page.

Operational Tools

Panther comes with some operational tools useful for managing Panther infrastructure. These tools are statically compiled executables for Linux, Mac (including Darwin) and Windows.
These tools require that AWS credentials be set in the environment with sufficient privileges. We recommend a tool to manage these securely such as AWS Vault.
Do not run any of these tools unless specifically advised by a Panther team member.
Expand the tools below to find download links for the latest versions. Running these commands with the -h flag will explain usage.
compact
This tool backfills JSON-to-Parquet conversion of log data.
Download the latest version at the following links:
s3sns
This tool lists S3 objects and posts S3 notifications to the Panther log processor SNS topic.
Download the latest version at the following links:
For information on using Panther's development tools, see the following pages:

How to download a specific version of Panther's tools

If you want to download the latest version of a tool, use the download links within the tool's respective section, above. If you'd like to download a specific version of a tool, follow the instructions below.
Instructions for downloading the tools differs depending on your Panther version.

Step 1: Confirm your Panther version

  1. 1.
    Log in to the Panther Console.
  2. 2.
    In the upper right corner, click your user icon. The Panther version is at the bottom of the dropdown menu.
Panther v1.27+
Panther 1.26.x and older

Panther v1.27+

To download a specific version of a tool, construct the S3 download URL manually, using the following format:
https://panther-community-us-east-1.s3.amazonaws.com/{version}/tools/{os}-{arch}-{tool}.zip Replace the placeholder text in the download URL as described below:
  • version: The version of Panther you have deployed, e.g. v1.27.0
    • latest can replace version to download the latest version of the tool.
  • os: Use one of the following: darwin, linux , or windows
  • arch: Use amd64 or arm64
  • tool: The name of the tool you are downloading. See Tool for a list of available tools.
Example complete tool link using {version} https://panther-community-us-east-1.s3.amazonaws.com/v1.27.0/tools/darwin-amd64-compact.zip
Example download link using latest
https://panther-community-us-east-1.s3.amazonaws.com/latest/tools/darwin-amd64-compact.zip

Panther v1.26.X and Older

In these versions of Panther, all tools were bundled together in a single zipfile. You can download the tools from a link using this format: https://panther-community-us-east-1.s3.amazonaws.com/{version}/tools/{architecture}.zip Replace the placeholder text in the download URL as described below:
  • version: The version of Panther you have deployed, e.g. v1.23.3
  • architecture: Use one of the following:
    • darwin-amd64
    • linux-amd64
    • linux-arm
    • windows-amd64
    • windows-arm
Each zip archive will contain the entire set of tools. See Tools for a list of all available tools.
An example of a full link to the set of tools: https://panther-community-us-east-1.s3.amazonaws.com/v1.23.3/tools/darwin-amd64.zip

Monitoring

The information below applies to legacy Self-Hosted and CPaaS deployment types. Panther no longer supports these deployment types for new accounts.

Visibility

Panther has 5 CloudWatch dashboards to provide visibility into the operation of the system:
  • PantherOverview An overview of all errors and performance of all Panther components.
  • PantherCloudSecurity: Details of the components monitoring infrastructure for CloudSecurity.
  • PantherAlertProcessing: Details of the components that relay alerts for CloudSecurity and Log Processing.
  • PantherLogAnalysis: Details of the components processing logs and running rules.
  • PantherRemediation: Details of the components that remediate infrastructure issues.

Alarms

Panther uses CloudWatch Alarms to monitor the health of each component. Edit the deployments/panther_config.yml file to associate an SNS topic you have created with the Panther CloudWatch alarms to receive notifications. If this value is blank then Panther will associate alarms with the default Panther SNS topic called panther-alarms:
MonitoringParameterValues:
# This is the arn for the SNS topic you want associated with Panther system alarms.
# If this is not set alarms will be associated with the SNS topic `panther-alarms`.
AlarmSNSTopicARN: 'arn:aws:sns:us-east-1:05060362XXX:MyAlarmSNSTopic'
To configure alarms to send to your team, follow the guides below:
  • Note: Pager Duty cannot handle composite CloudWatch alarms, which Panther uses to avoid duplicate pages to oncall staff. As a workaround, you can use a Custom Event Transformer.
    Follow the instructions using the below code:
    var details = JSON.parse(PD.inputRequest.rawBody);
    var description = "unknown event";
    if ("AlarmDescription" in details) { // looks like a CloudWatch event ...
    var descLines = details.AlarmDescription.split("\n");
    description = (descLines.length > 1)? descLines[0] + " " + descLines[1] : descLines[0];
    }
    var normalized_event = {
    event_type: PD.Trigger,
    description: description,
    incident_key: description,
    details: details
    };
    PD.emitGenericEvents([normalized_event]);
    Configure the SNS topic to use RawMessageDelivery: true when creating the Pager Duty subscription.