# System Configuration

## Overview

Use Panther's system configuration settings to configure your Panther Console and overall Panther deployment to best meet your organization's needs.

<div align="left"><figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FhoOlLLnuUCE8WuCzdclG%2FScreenshot%202026-02-20%20at%202.51.49%E2%80%AFPM.png?alt=media&#x26;token=3f1897c8-de48-45d9-966d-137b40b512ad" alt="The gear icon in the upper right corner of the Panther Console is expanded and a drop-down menu is visible." width="217"><figcaption></figcaption></figure></div>

## General settings

To access your General settings, click the gear icon in the upper right corner of your Panther Console. The General settings include the following tabs:

* [**Main Information**](#main-information)
* [**Identity & Access**](#identity-and-access)
* [**Data Lake**](#data-lake)
* [**Developer Workflow**](#developer-workflow)

Only users with the `Read Settings & SAML Preferences` permission can view the configurations on this page, and only those with `Edit Settings & SAML Preferences` can make changes.

The footer on the **Settings** > **General** page displays your Panther instance's AWS Account ID, Panther Version, AWS Region, and Gateway Public IP:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-4dc61797d98822edb012517fe0972e47a05dfd1a%2FScreenshot%202023-08-03%20at%202.22.07%20PM.png?alt=media" alt="The footer shows values for AWS Account ID, Version, AWS Region, and Gateway Public IP."><figcaption></figcaption></figure>

### Main Information

In this section, you can configure the following fields:

* Company Information
  * Company Name
  * Email
* Preferences
  * Send Product Analytics
    * This anonymized data helps us improve Panther.
  * Enable Panther Audit Logs
    * Panther audit logs provide a read-only history of activity in your Panther deployment. You can write detections on your audit logs, or query for them in your [data lake](https://docs.panther.com/resources/help/glossary#security-data-lake), the same way you would with any other security events ingested by Panther.
    * For more information, see [Panther Audit Logs](https://docs.panther.com/data-onboarding/supported-logs/panther-audit-logs).

### Identity & Access

You can integrate with SAML Identity Providers (IdPs) to enable user login to the Panther Console via [SSO](https://docs.panther.com/resources/help/glossary#sso-single-sign-on). After setting up an SSO integration, you can optionally [enforce its use](https://docs.panther.com/saml#how-to-enforce-sso) for logging in. Panther integrates with the following providers:

* [Duo](https://docs.panther.com/system-configuration/saml/duo-sso)
* [G Suite](https://docs.panther.com/system-configuration/saml/gsuite)
* [Okta](https://docs.panther.com/system-configuration/saml/okta)
* [OneLogin](https://docs.panther.com/system-configuration/saml/onelogin)

Panther also supports integrating with *any* SAML IdP via the [Generic SSO](https://docs.panther.com/system-configuration/saml/generic) integration.

For more information, see [SAML/SSO Integration](https://docs.panther.com/system-configuration/saml).

### Data Lake

Panther is configured to write processed log data to an AWS-based [Snowflake](https://www.snowflake.com) database cluster. Using Panther with Snowflake lets you integrate Panther data with your Business Intelligence tools and perform assessments of your organization's security posture. For more information, see [Snowflake Integration](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/snowflake-setup).

This section in the Panther Console Settings also includes the ability to make LIMIT clauses required for scheduled queries. See the [scheduled query documentation](https://docs.panther.com/search/scheduled-searches#use-limits-in-scheduled-queries) for more information.

### Developer Workflow

Click the toggle next to **We use the Panther Analysis Tool to manage our detections** if you want to prevent users from enabling Panther Packs in the Panther Console. This helps prevent update conflicts between the Console and CI/CD workflows.

The "Developer Workflow" is also known as the CLI workflow.

## User settings

### View, delete, and invite users

Under **Settings** > **Users**, users with the **View Users** permission can view a list of all users in your Panther account. A user with the **Manage Users** permission can delete and invite users.

#### Viewing the Users list

The **Settings** > **Users** page displays a searchable, sortable list of Panther users—including each user's name, email, role, status, and the dates/times at which they were invited to Panther and last logged in. You can filter users by role and status, and sort by any column.

The **Status** column can have the following values:

* **Confirmed**: user has been set up with password authentication and has changed their initial temporary password.
* **Force Change Password**: user must change password upon next sign-in.
  * This usually appears for newly created users; it appears between user creation and first sign-in.
* **External Provider**: user is managed via SSO through an [external SAML provider](https://docs.panther.com/system-configuration/saml).

#### Inviting a user to Panther

To invite a new user to Panther:

1. In the upper-right corner of your Panther Console, click the gear icon, then **Users**.
2. Click **Invite User**.
3. Fill in the form, providing the user's email address, first name, last name, and role.

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e22bcd3d50cc47b7213d63990cd220513f1e2ab4%2FScreenshot%202025-09-09%20at%2010.04.30%E2%80%AFAM.png?alt=media" alt="Under an &#x22;Invite User&#x22; header, there are form fields: Email address, Role, etc." width="375"><figcaption></figcaption></figure>
4. Click **Invite**.
   * If the invitation is sent successfully, you will see a pop-up:\ <img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-f09647b57dfe65660299d91cd72ca2714971cc0f%2FScreenshot%202025-09-09%20at%2010.05.16%E2%80%AFAM.png?alt=media" alt="A pop-up notification says &#x22;User invited successfully&#x22;" data-size="original">
   * The invited user must follow the flow outlined in [Initial login](#initial-login), below.

#### Initial login

When you invite a new user to your Panther instance, they receive an email with temporary credentials that they can use to sign in to the platform.

After a user's initial login, they are required to update their password and set up MFA.

Panther requires a strong password:

* Password must contain at least 1 number
* Password must contain at least 1 symbol
* Password must contain at least 1 lowercase character
* Password must contain at least 1 uppercase character
* Password must contain at least 12 characters

## Panther AI

To access your Panther AI settings, click the gear icon in the upper right corner of your Panther Console, then select **Panther AI**. The Panther AI settings include the following tabs:

* [Configuration](#configuration)
* [Alert Triage](#alert-triage)
* [Web Access](#web-access)

### Configuration

The following settings are available:

* **Enable Panther AI**: Must be set to `ON` to use Panther AI. Additional steps may be required to use Panther AI—see [Enabling Panther AI](https://docs.panther.com/ai#enabling-panther-ai).
* **Organization Profile**: Add an optional static prompt to all AI analyses. You can provide organization-specific context and direction in the text box to enhance AI-powered threat analysis.

### Alert Triage

The following settings are available:

* **Auto-resolve Based on Risk Score**: When set to `ON`, Panther AI automatically resolves alerts that receive a risk classification score at or below a configured threshold. This allows low-risk alerts to be closed without manual intervention. Learn more in [Auto-resolve alerts based on risk score](https://docs.panther.com/ai/panther-ai-and-alerts#auto-resolve-alerts-based-on-risk-score).
  * **Risk score Threshold**: Set the maximum risk score at which alerts are auto-resolved. The threshold is a value on a scale from -1 (most benign) to +1 (most risky). Only alerts with a risk score at or below this threshold are auto-resolved.
  * **Alert Severities** (Optional): If one or more alert severities are selected, only alerts with those severities are eligible for auto-resolve. The `INFO` severity is excluded from this list.
  * **Detection Tags** (Optional): If one or more tags is entered, only alerts triggered by detections with at least one of those tags are eligible for auto-resolve.
  * Auto-resolve requires **Auto-run AI Triage on Alerts** to be enabled, since alerts must first be triaged by Panther AI to receive a risk score.
* **Auto-run AI Triage on Alerts**: When set to `ON`, AI alert triage runs automatically on new alerts. Learn more in [Auto-run AI alert triage](https://docs.panther.com/alerts#auto-run-ai-alert-triage).
* **Alert Severities**: If one or more alert severities is selected, Panther AI will only auto-run alert triage for alerts with those severities. Note that the `INFO` severity is excluded from this list, as Panther does not allow auto-run AI triage on `INFO`-level alerts.
* **Detection Tags**: If one or more tags is entered, Panther AI will only auto-run alert triage for alerts triggered by detections with at least one of those tags.

{% hint style="info" %}
**Important notes about auto-run AI triage**

* Auto-run AI triage is only available to [Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected) customers and [SaaS](https://docs.panther.com/system-configuration/panther-deployment-types/saas) customers with pass-through billing.
* If both the **Alert Severities** and **Detection Tags** fields contain values, AI triage will only be auto-run if an alert meets both criteria, i.e., has one of the specified severities *and* its associated detection has one of the specified tags.
{% endhint %}

### Web Access

The **Web Access** tab controls whether Panther AI can fetch content from external web pages and process file attachments during conversations. When enabled, Panther AI can read web pages, images, and PDF documents to add context during analysis — for example, referencing public documentation, threat intelligence reports, or indicators of compromise. This setting also enables [file attachments](https://docs.panther.com/ai#file-attachments), allowing users to upload files directly to AI conversations.

The following settings are available:

* **Enable Web Access**: Controls whether Panther AI can fetch web content and process file attachments. When set to `OFF`, both web content fetching and file attachment capabilities are disabled entirely.
* **Approved Domains**: A list of domains that Panther AI can access without requiring user approval. Wildcard entries are supported — for example, `*.example.com` matches any subdomain of `example.com` (such as `docs.example.com`) but does not match `example.com` itself.
* **Forbidden Domains**: A list of domains that Panther AI is never allowed to access, regardless of other settings. Wildcard entries are supported. Forbidden domains take priority over approved domains.
* **Require Approval for Non-Approved Domains**: When set to `ON`, Panther AI will pause and ask for your approval before fetching content from a domain that is not on the approved domains list. When set to `OFF`, Panther AI can only access domains on the approved list.

{% hint style="info" %}
When **Require Approval for Non-Approved Domains** is `OFF` and the approved domains list is empty, Panther AI cannot access any web content. When **Require Approval for Non-Approved Domains** is `ON` and the approved domains list is empty, every web request triggers a user approval prompt.
{% endhint %}

**Security considerations:**

* Panther AI will never make requests to private or internal network addresses (e.g., `10.0.0.0/8`, `169.254.169.254`, `localhost`), regardless of domain settings.
* If an approved domain redirects to a forbidden or non-approved domain, the request is blocked.
* All web access requests are recorded in Panther audit logs, including the requested URL.
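
The following added example (not Panther's own code) models the decision order described above so you can check a planned domain configuration before applying it. The `POLICY` keys, function names, and sample domains are assumptions made for illustration, and the handling of redirects from a non-approved starting domain is an assumption the page does not cover.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample settings; the key names are illustrative, not Panther's.
POLICY = {
    "enabled": True,
    "approved": ["*.example.com", "intel.example.org"],
    "forbidden": ["files.example.com"],
    "require_approval": True,
}

def domain_matches(host, pattern):
    """'*.example.com' matches any subdomain but not example.com itself."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def is_internal(host):
    """Literal private, loopback or link-local addresses, plus localhost.
    A real fetcher must also check the addresses a name resolves to."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal
    return ip.is_private or ip.is_loopback or ip.is_link_local

def decide_hop(url, cfg):
    """Return 'allow', 'prompt' or 'block' for a single URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not cfg["enabled"] or not host or is_internal(host):
        return "block"
    if any(domain_matches(host, p) for p in cfg["forbidden"]):
        return "block"  # forbidden takes priority over approved
    if any(domain_matches(host, p) for p in cfg["approved"]):
        return "allow"
    return "prompt" if cfg["require_approval"] else "block"

def decide(chain, cfg=POLICY):
    """chain: the requested URL followed by its redirect targets, in order."""
    verdict = decide_hop(chain[0], cfg)
    # Assumption: every redirect target must itself be approved, else block.
    if any(decide_hop(u, cfg) != "allow" for u in chain[1:]):
        return "block"
    return verdict
```

Note that `files.example.com` is blocked even though `*.example.com` is approved, and `example.com` itself only prompts because the wildcard does not cover the apex domain.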

## User role settings

### Configure Role-Based Access Control

Under **Settings > User Roles**, you can configure [Role-Based Access Control (RBAC)](https://docs.panther.com/resources/help/glossary#rbac-role-based-access-control). This gives Panther deployments granular access control for their user accounts. All roles, including the three [default Panther roles](#default-panther-roles), are customizable by any user with `UserModify` permissions.

For more information, see [Role-Based Access Control](https://docs.panther.com/system-configuration/rbac).

## API Tokens and Playground

Under **Settings > API Tokens**, view a list of API tokens that have been created for your account. You can also [create a new API Token](https://docs.panther.com/panther-developer-workflows/api#step-1-creating-an-api-token).

Under **Settings > API Playground**, access [Panther's API Playground](https://docs.panther.com/panther-developer-workflows/api/api-playground) to try out API operations.

## Alert Context Tags

Under **Settings > Alert Context Tags**, you can view a list of alert context tags and add new tags.

For more information, see [Custom alert context tags](https://docs.panther.com/alerts/alert-management#custom-alert-context-tags).

## Profile Settings

To configure settings for your profile in Panther, click your initials in the top right-hand corner of the Console. Then, click **Profile Settings**. You will see the following tabs:

* Profile
* Account Security
* Preferences
* Notifications
* AI Preferences

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-2b422da134fe440beaaf7e11cccaa9fb43286fce%2Fprofile-settings.png?alt=media" alt="Panther Console user menu drop-down with arrow pointing to Profile Settings option" width="250"><figcaption></figcaption></figure>

### Profile

In the **Profile** tab, you can set account information, such as first and last name. If you have signed in using SSO, the fields on this page will be disabled.

### Account Security

In the **Account Security** tab, you can manage your password settings. If you have signed in using SSO, the fields on this page will be disabled.

### Preferences

In the **Preferences** tab, you can choose if you want time zones to display in UTC. If toggled `OFF`, times and dates will be shown in your local time across the Console.

You can also set your theme to System, Light, or Dark.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fybuqyig3sqTgE5Fd49X7%2FScreenshot%202026-02-20%20at%2011.17.14%E2%80%AFAM.png?alt=media&#x26;token=3f76558c-5fc4-468b-910d-5526676ec469" alt="" width="563"><figcaption></figcaption></figure>

### Notifications

In the **Notifications** tab, you can choose if you want to receive an email when an alert is assigned to you. This page does not control your [in-Console notification](https://docs.panther.com/system-configuration/notifications) preferences.

### AI Preferences

In the **AI Preferences** tab, you can customize how Panther AI communicates with you by setting a personal AI prompt. This allows you to specify your preferred communication style, role, expertise level, or other preferences that will be applied to all AI interactions. You can enter up to 2048 characters to describe how you'd like Panther AI to respond.

{% hint style="info" %}
Changes to AI preferences may take up to 10 minutes to take effect. For more information about AI preferences, see [Personal AI preferences](https://docs.panther.com/ai#personal-ai-preferences).
{% endhint %}

## Other Panther Console features

### System Health Notifications

Panther's System Health Notifications alert you with a "System Error" when a part of the Panther platform is not functioning correctly. This includes the following types of notifications:

* Log source health notifications
* Log classification errors
* Alert delivery failures
* Cloud security scanning failures

For more information, see [System Health Notifications](https://docs.panther.com/system-configuration/notifications/system-errors).

## Troubleshooting System Configuration

Visit the Panther Knowledge Base to [view articles about system configuration](https://help.panther.com/System_Configuration) that answer frequently asked questions and help you resolve common errors and issues.
