
System Configuration

Overview

This section of Panther's documentation covers how to configure your Panther Console and your overall Panther deployment. Panther features several configurable settings that enable you to tailor the service for your needs.

General settings

To access your General settings, click the gear icon in the upper right corner of your Panther Console. The General settings include the following tabs:
Only users with the Read Settings & SAML Preferences permission can view the configurations on this page, and only those with Edit Settings & SAML Preferences can make changes.
The footer on the Settings > General page displays your Panther instance's AWS Account ID, Panther Version, AWS Region, and Gateway Public IP.

Main Information

In this section, you can configure the following fields:
  • Company Information
    • Company Name
    • Email
  • Preferences
    • Send Product Analytics
      • This anonymized data helps us improve Panther.
    • Display UTC Time Zone
      • Show all dates and times displayed in the Console in Coordinated Universal Time (UTC). When switched off, the local time zone will be used.
    • Send Alert Assignment Emails
      • This is a global setting; it cannot be configured per-user.
    • Enable Panther Audit Logs
      • Panther audit logs provide a read-only history of activity in your Panther deployment. You can write detections on your audit logs, or query for them in your data lake, the same way you would with any other security events ingested by Panther.
      • For more information, see Panther Audit Logs.

Identity & Access

You can integrate with SAML Identity Providers (IdPs) to enable user login to the Panther Console via SSO. After setting up an SSO integration, you can optionally enforce its use for logging in. Panther integrates with the following providers:
Panther also supports integrating with any SAML IdP via the Generic SSO integration.
For more information, see SAML/SSO Integration.

Enabling or disabling Panther Support access

It may periodically be useful to grant your Panther Support team access to your Panther Console in order to investigate issues. By default, Panther employees do not have access to your Panther Console.
When you enable Panther Support access, you will also select a user role that the Panther employees will assume. Panther employees are restricted to read-only access, even if the role you assign them has modification permissions. Panther employees cannot view, edit, or create API tokens, even if the role you assign them has those permissions.
Enabling Panther Support access does not modify any access permissions in AWS. Audit logs will be generated by actions taken by Panther employees in your instance, just like they are for regular users.
To enable or disable Panther Support access:
Only users with the "Edit Settings & SAML Preferences" (also known as GeneralSettingsModify) permission can make the following changes.
  1. In the upper-right corner of your Panther Console, click the gear icon, then General.
  2. Click the Identity & Access tab, and locate the Support Configuration section.
  3. Click the toggle to the right of "Enable Panther employees to have read-only access to your Panther web application" to ON or OFF.
    • If enabling Panther Support access, to the right of "Select a role for Panther employees to use", select a role from the dropdown field.
  4. Click Save Changes.

Data Lake

Panther is configured to write processed log data to an AWS-based Snowflake database cluster. Using Panther with Snowflake lets you integrate Panther data with your Business Intelligence tools and use it to assess your organization's security posture. For more information, see Snowflake Integration.
This section of the Panther Console settings also lets you require LIMIT clauses in scheduled queries. See the scheduled query documentation for more information.

Developer Workflow

Click the toggle next to "We use the Panther Analysis Tool to manage our detections" if you want to prevent users from enabling Panther Packs in the Panther Console. This helps prevent update conflicts between the Console and CI/CD workflows.
The "Developer Workflow" is also known as the CLI workflow.

User and User Role settings

View, delete, and invite users

Under Settings > Users, users with the "View Users" permission can view a list of all users in your Panther account. A user with the "Manage Users" permission can delete and invite users.

Initial login

When you invite a user to your Panther account, they receive an email with temporary credentials that they can use to sign in to the platform. After a user's initial login, they are required to update their password and set up MFA.
Panther requires a strong password:
  • Password must contain at least 1 number
  • Password must contain at least 1 symbol
  • Password must contain at least 1 lowercase character
  • Password must contain at least 1 uppercase character
  • Password must contain at least 12 characters

Configure Role-Based Access Control

Under Settings > User Roles, you can configure Role-Based Access Control (RBAC). This gives Panther deployments granular access control for their user accounts. All roles, including the three Panther default roles (Admin, Analyst, and AnalystReadOnly), are customizable by any user with UserModify permissions.
For more information, see Role-Based Access Control.

API Tokens and Playground

Under Settings > API Tokens, view a list of API tokens that have been created for your account. You can also create a new API Token.
Under Settings > API Playground, access Panther's API Playground to try out API operations.

Other Panther Console features

System Health Notifications

Panther's System Health Notifications alert you with a "System Error" when a part of the Panther platform is not functioning correctly. This includes the following types of notifications:
  • Log source health notifications
  • Log classification errors
  • Alert delivery failures
  • Cloud security scanning failures
For more information, see System Health Notifications.

Troubleshooting System Configuration

Visit the Panther Knowledge Base to view articles about system configuration that answer frequently asked questions and help you resolve common errors and issues.