Self-Hosted Deployments (Legacy)

The following is legacy documentation.

Upgrades

When Panther publishes a new release, we will notify our self-hosted customers so that they can coordinate upgrades on their schedule. Upgrades should generally be straightforward, but there are a few steps to follow before and during upgrades to make sure everything goes smoothly.

Before you upgrade

Before you begin an upgrade, make sure you know what version of Panther to upgrade to. We use semantic versioning, and highly recommend not skipping minor releases. So if for example, you're on version 1.10.X and want to upgrade to version 1.13.X, we recommend first upgrading to the highest patch version of 1.11.X, then 1.12.X, and then finally 1.13.X. This ensures there are no migration issues.

Additionally, if you are using our PantherDeploymentRole to deploy Panther, make sure you update the PantherDeploymentRole to the correct version for the version of Panther you are deploying. If you are on version 1.13.X and wish to upgrade to version 1.14.X, make sure the PantherDeploymentRole is also on version 1.14.X before upgrading. Here is the PantherDeploymentRole template URL:

https://panther-public-cloudformation-templates.s3.amazonaws.com/panther-deployment-role/{version}/template.yml

While you upgrade

In order to perform the upgrade, simply find the root Panther stack in the CloudFormation console, click the Update button, select Replace template URL, and insert the TemplateURL for the desired version of Panther you wish to deploy. The template URL should be in this format:

Example

https://panther-enterprise-us-east-2.s3.amazonaws.com/v1.25.1/panther.yml

https://panther-enterprise-{region}.s3.amazonaws.com/{version}/panther.yml

You will be prompted to click through a few pages verifying your CloudFormation parameters are correct and that CloudFormation can create IAM resources and nested CloudFormation resources on your behalf.

Trigger Pulumi CodeBuild

We are migrating to Pulumi for infrastructure management - after the main Panther stack is deployed, you'll need to start a build for the panther-pulumi CodeBuild project. For example: aws codebuild start-build --project-name panther-pulumi

Available versions of Panther

We recommend not skipping minor versions of Panther while upgrading, but upgrading to the most recent patch version instead. Here are the most recent patch versions of Panther that we recommend upgrading to:

• 1.107.26

• 1.106.19

• 1.105.33

• 1.104.28

• 1.103.21

• 1.102.11

• 1.101.21

• 1.100.27

• 1.99.29

• 1.98.26

• 1.97.21

• 1.96.17

• 1.95.51

• 1.94.37

• 1.93.38

• 1.92.11

• 1.91.10

• 1.90.22

• 1.89.20

• 1.88.11

• 1.87.30

• 1.86.15

• 1.85.19

• 1.84.20

• 1.83.13

• 1.82.27

• 1.81.23

• 1.80.6

• 1.79.5

• 1.78.27

• 1.77.17

• 1.76.35

• 1.75.24

• 1.74.21

• 1.73.27

• 1.72.25

• 1.71.20

• 1.70.23

• 1.69.13

• 1.68.12

• 1.67.12

• 1.66.8

• 1.65.12

• 1.64.13

• 1.63.22

• 1.62.10

• 1.61.6

• 1.60.10

• 1.59.11

• 1.58.14

• 1.57.13

• 1.56.7

• 1.55.7

• 1.54.7

• 1.53.7

• 1.52.14

• 1.51.41

• 1.50.30

• 1.49.14

• 1.48.9

Reference

Naming the root stack

When deploying Panther, you will be provided with a template URL to a root panther stack to deploy. If you're using the PantherDeploymentRole to deploy Panther, be sure to name the root stack something with a panther- prefix. The name of the root stack will be pre-pended to any resources created by the stack, and the PantherDeploymentRole limits its access in part by restricting its permissions to only affect resources that start with the name panther-.

Configuring deployment parameters

The Panther CloudFormation stack has a number of configurable deployment parameters. Pay special attention to the following options:

• FirstUserEmail (required): a Panther admin invite will be sent to this email address. Updates to this value are ignored after the first successful deploy.

• PulumiSecretArn and PulumiSecretKeyArn (required): these values will be provided by our team - you will have a dedicated Pulumi access token in our organization.

• PulumiApiReservedConcurrency: Reserved concurrency for pulumi-api Lambda function (has no effect if EnableLambdaReservedConcurrency=false). The default value is 1, with a minimum value of 1.

• OnboardSelf: Configure Panther to automatically onboard itself as a data source. The default value is false, with allowed values of true or false.

• SentryEnvironment: This parameter is soon to be removed in favor of the new Environment flag. By default, application errors are sent to Sentry for us to triage. We strongly recommend keeping this enabled with the default value (prod), but if that's not an option for you, you can disable the Sentry integration by setting this to a blank string. Allowed values include '', ephemeral, dev, staging, and prod.

• SupportRoleIdentityAccountId: by default, a read-only SupportRole is deployed with Panther which our on-call engineers can assume to triage application errors. This role does not have access to your data and we’d encourage you to keep it enabled so we can deliver a better support experience. However, if you prefer, this role can be disabled by setting the SupportRoleIdentityAccountId to a blank string.

• OpsRoleIdentityAccountId: a non-empty value will deploy an OperationsRole with service-level admin permissions for migrations, data recoveries, and other operational emergencies. We recommend keeping this role disabled until necessary (it's off by default).

• DataLakeForwarderMemory: Memory to use for Cloud Security DataLake Forwarder lambdas. The default setting is 256, with a maximum value of 2048 and a minimum value of 256.

• MaxLookupTables: The maximum number of enabled lookup tables. The default is 30, with a minimum value of 0.

• MaxLookupTableCompressedSizeMB: The maximum size (in MB) of the gzip-compressed data backing a Lookup Table. The default setting is 8192, with a maximum value of 8192.

• MaxLookupTableRows: The maximum number of rows allowed per lookup table. The default is 200000000, with a minimum of 0.

• CloudSecurityScanSegments: Segments to use in table scans. The default setting is 5, with a minimum value of 5.

• ReplayAPIReservedConcurrency: Reserved concurrency for panther-replay-log-pusher Lambda function. The default setting is 40, with a minimum value of 0.

• EnablePantherAuditLogIngestion: Enable ingestion of Audit Logs from this instance of Panther, within this instance of Panther. The default setting is false, with allowed values of true or false.

• PantherAuditLogsExpirationDays: The expiration in days for Panther Audit Logs - applies to an S3 lifecycle policy. The default setting is 1825, with a minimum value of 30.

• SnapshotScanWindowMinutes: If non-zero, deduplicate scan requests in minutes. The default setting is 0, with a minimum value of 0.

• MessageForwarderReservedConcurrency: Reserved concurrency for panther-message-forwarder Lambda function (has no effect if EnableLambdaReservedConcurrency=false). The default setting is 50, with a minimum value of 0.

• EnableReplays: Enables or disables the ability to run replays. The default value is true, with allowed values of true or false.

• PythonRuntime: The python runtime for AWS Lambda functions. The default value is python3.7, with allowed values of python3.7 and python3.9.

• ReplayProcessorReservedConcurrency: Reserved concurrency for panther-replay-results-processor Lambda function. The default value is 40, with a minimum value of 0.

• ReplayLogPusherSqsMaximumConcurrency: The SQS maximum concurrency for the replay log pusher queues. The default value is 40, with a minimum value of 1.

• SnapshotPollerLambdaMemorySize: Snapshot Poller (Cloud Security) Lambda memory size in MB. The default value is 1024, with a minimum value of 1024 and a maximum value of 10240.

• DatadogAPIKey: API key for sending observability data to Datadog.

• DatadogAPIKeySecretArn: Secrets Manager arn for API key for sending observability data to Datadog. The default value is ", with an allowed pattern of '^(arn:(aws|aws-cn|aws-us-gov):secretsmanager:[a-z]{2}-[a-z]{4,9}-[1-9]:[0-9]{12}:secret:\S+)?$'.

• DatadogAppKeySecretArn: Secrets Manager arn for App key for setting up AWS Integration for Datadog. The default value is ", with an allowed pattern of '^(arn:(aws|aws-cn|aws-us-gov):secretsmanager:[a-z]{2}-[a-z]{4,9}-[1-9]:[0-9]{12}:secret:\S+)$'.

• DatadogExtensionVersion: The Datadog lambda extension version. The default value is 40, with allowed values of 35, 36, and 40.

• DatadogEnabled: Enables or disables Datadog monitoring. Set this to false to override all other Datadog flags and shut off Datadog monitoring completely. The default value is false, with allowed values of true or false.

• DatadogLogForwarderEnabled: Enables the creation of the Datadog Cloudwatch Logs forwarder for the account. The default value is false, with allowed values of true or false.

• DatadogLogForwarderReservedConcurrency: Reserved Concurrency setting for the Datadog Log Forwarder Lambda. The default value is 5, with a minimum value of 1.

• DatadogPythonLayerVersion: The Datadog lambda extension version. Versions allowed are current and last tested. The default value is 68, with allowed values of 62, 66, and 68.

• DatadogPythonLambdaLayerEnabled: Enables or disables sending telemetry data to Datadog via the Lambda Python layer. The default value is false, with allowed values or true or false.

• DatadogLambdaLayerEnabled: Enables or disables sending telemetry data to Datadog via the Lambda extension. The default value is false, with allowed values of true or false.

• DatadogTracingEnabled: Enables or disables Datadog Lambda Tracing. The default value is false, with allowed values of true or false.

• DatadogAWSMetricCollectionEnabled: Allow Datadog to pull CloudWatch metrics from all namespaces in an account. The default value is true, with allowed values of true and false.

• DatadogAWSCustomMetricsEnabled: Allow Datadog to pull CloudWatch metrics from custom namespaces. Has no effect if DatadogAWSMetricCollectionEnabled is false. The default value is true, with allowed values of true or false.

• EnableReports: Enable viewing reports in the Console. The default value is false, with allowed values of true or false.

• FeatureSandboxedExecFlows: Tells the detections engine which functions should use the Python executor. It is a comma delimited list. The default value is 'test-policy,test-rule,analyze-logs-with-replay'.

• EnableIntelligentTiering: Enable INTELLIGENT_TIERING on Panther manager S3 buckets. The default value is false, with allowed values of true or false.

• SnowflakeDDLUpdateConcurrency: The concurrency used when updating table/view/pipes. The default value is 1, with a minimum value of 1 and a maximum value of 100.

• EnableAlertsGSIThree: Feature flag to enable third month partition GSI. The default value is false, with allowed values of true or false.

• SnowflakeRBACSecretARN: ARN pointing at the AWS secret with config and creds for the PANTHER_RBAC Snowflake user. The default value is '' with an allowed pattern of '^(arn:(aws|aws-cn|aws-us-gov):secretsmanager:[a-z]{2}-[a-z]{4,9}-[1-9]:[0-9]{12}:secret:\S+)?$'.

• SnowflakeDataAdminSecretARN: ARN pointing at the Snowflake DataAdmin secret. The allowed pattern is ^(arn:(aws|aws-cn|aws-us-gov):secretsmanager:[a-z]{2}-[a-z]{4,9}-[1-9]:[0-9]{12}:secret:\S+)?$ and the default value is an empty string.

• DynamoDBCloudtrailEnabled: Enables/disables data access logging for specific DynamoDB tables. The default value is false, with allowed values of true or false.

• SegmentEnvironment: Segment environment type - leave blank to disable the Segment integration. The default value is prod, with allowed values of '', dev, staging, or prod. Note: Ensure the write key is defined for the env you choose.

• SlowRuleMaxUtilization: The maximum amount of time allowed for a rule to run before we trigger an alarm. The default value is 50, with a minvalue of 1.

• LambdaInsightsEnabled: Enables/disables additional metrics from Lambda Insights. The default value is false, with allowed values of true or false.

• LoadBalancerSecurityGroupCidr2: Allow HTTP(S) ingress access to the web app (ALB) security group from this additional IP block. The allowed pattern is '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(/([0-9]|[1-2][0-9]|3[0-2])))?$'

• LoadBalancerSecurityGroupCidr3: Allow HTTP(S) ingress access to the web app (ALB) security group from this additional IP block. The allowed pattern is '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(/([0-9]|[1-2][0-9]|3[0-2])))?$'

• SnowflakeAPISecretRotationDays: The rotation cycle in days for the Snowflake PANTHER_READONLY secret. The default value is 0, with a minimum value of 0.

• SnowflakeAdminAPISecretRotationDays: The rotation cycle in days for the Snowflake PANTHER_ADMIN secret. The default value is 0, with a minimum value of 0.

• SnowflakeManagedAdminSecretARN: Optional secret ARN for rotating the snowflake master credentials. The allowed pattern is ^(arn:(aws|aws-cn|aws-us-gov):secretsmanager:[a-z]{2}-[a-z]{4,9}-[1-9]:[0-9]{12}:secret:\S+)?$

• SnowflakeManagedAdminSecretRotationDays: The rotation cycle in days for the Snowflake. The default value is 0, with a minimum value of 0.

• SnowflakeType: The type of the data lake backend. The default value is none, with allowed values of Connected, BYOSF, Managed, Legacy SF, or none.

• SnowflakeMonitorRunFrequency: The interval, in minutes, between Snowflake data loading monitoring sweeps. The default value is 180, with a minimum value of 0 and a maximum value of 10080.

• SnowflakeWarehouseConfig: Optional JSON string with warehouse configuration settings. This should be a dictionary, each key is a warehouse name and each value an object of warehouse settings and values. The following parameters are supported: WAREHOUSE_SIZE, MAX_CLUSTER_COUNT, ENABLE_QUERY_ACCELERATION, QUERY_ACCELERATION_MAX_SCALE_FACTOR, and MAX_CONCURRENCY_LEVEL. Any fields that are unspecified are not modified. An example value is: '{"PANTHER_WH": {"ENABLE_QUERY_ACCELERATION": true, "WAREHOUSE_SIZE": "MEDIUM"}}'. The default value is an empty string.

• Created: The ISO8601 datetime that this Panther deployment was first created.

• SentryEnabled: Enable/Disable Sentry integration. The default value is true, with allowed values of true or false.

• LogProcessorLambdaReservedConcurrency: Controls how many concurrent executions the panther-log-processor Lambda (responsible for parsing logs) can have. The default value is 200.

• DetectionsEngineLambdaReservedConcurrency: Controls how many concurrent executions the panther-detections-engine Lambda (responsible for running the Detections) can have. The default value is 200.

• DetectionsEngineShortCircuitEnabled: When set to true, adds short circuiting logic to the detection engine to help reduce timeouts. The default value is true, with allowed values of true or false.

• SplitClientToken: This will allow you to access Panther's production feature flags. You must set this parameter to Panther's production key. Please contact your Panther representative for help.

• GraphApiReservedConcurrency: Reserved concurrency for panther-graph-api Lambda function. The default value is 25, with a minimum value of 0.

• MetricsApiReservedConcurrency: Reserved concurrency for panther-metrics-api Lambda function. The default value is 40, with a minimum value of 0.

• OpsToolsReservedConcurrency: Reserved concurrency for panther-ops-tools Lambda function. The default value is 3, with a minimum value of 0.

• TokenAuthorizerReservedConcurrency: Reserved concurrency for panther-token-authorizer Lambda function. The default value is 15, with a minimum value of 0.

• TokenAuthorizerProvisionedConcurrency: Provisioned concurrency for panther-token-authorizer Lambda function. The default value is 0, with a minimum value of 0.

• WebhooksApiReservedConcurrency: Reserved concurrency for panther-alert-webhooks-api Lambda function (has no effect if EnableLambdaReservedConcurrency=false). The default value is 40, with a minimum value of 0.

• AlertInfoWatcherReservedConcurrency: Reserved concurrency for panther-info-watcher Lambda function (has no effect if EnableLambdaReservedConcurrency=false). The default value is 40, with a minimum value of 0.

• Environment: The environment this Panther deployment is running in. The default value is prod, with allowed values of '', ephemeral, dev, staging, or prod.

• EnableExperimentalCrowdstrikeParsing: Enables or disables the experimental Crowdstrike parsing configuration. The default value is false, with allowed values of true or false.

• WAFEnabled: Enable/Disable AWS WAF for LoadBalancer traffic. The default value is false, with allowed values of true or false.

• AlertsOpenSearchProtected: Protects alerts opensearch from being deleted unexpectedly. The default value is true, with allowed values of true or false.

• CloudPullingInVPC: If set to true, the cloud-puller will run inside the VPC and talk to a third party API through a gateway. The default value is false, with allowed values of true or false.

• LogPullingInVPC: If set to true, the log-puller will run inside the VPC and talk to a third party API through a gateway. The default value is true, with allowed values of true or false.

• EnableAlertsOpenSearch: Enables/disables the alerts opensearch. The default value is false, with allowed values of true or false.

• AlertsOpenSearchAlertIndexName: Name for the Alerts OpenSearch index. The default value is alerts.

• AlertsOpenSearchDetectionErrorIndexName: Name for the Detection Errors OpenSearch index. the default value is detectionerrors.

• AlertsOpenSearchSystemErrorIndexName: Name for the System Errors OpenSearch index. The default value is systemerrors.

• ProcessedDataBucketRetentionDays: Retention period (in days) for S3 processed data bucket - temporary storage. The default value is 15, with a minimum value of 1.

• EnableLambdaProvisionedConcurrency: Provision Lambda concurrency for some core Panther services. The default value is false, with allowed values of true or false.

• EnableHttpIngest: Enable/disable HTTP ingest infra creation. The default value is false, with allowed values of true and false.

• HttpIngestForwarderReservedConcurrency: Reserved concurrency for http-ingest-forwarder Lambda function (has no effect if EnableLambdaReservedConcurrency=false). The default value is 100, with a minimum value of 1.

• EnrichmentAuthoritative: Make enrichment processor authoritative for sending processed logs to the processed data bucket. The default value is true, with allowed values of true or false.

• EnableLogEnrichment: Enable log enrichment for the panther instance by routing processed log data through the enrichment processor. The default value is true, with allowed values of true or false.

• EnableAlertsIndicatorIngestion: Toggles S3 event triggers and lambda to ingest alert event indicators into ddb. The default value is false, with allowed values of true or false.

• FIPSEnabled: Enable FIPS compliance. The default value is false, with allowed values of true or false.

• EnrichedLogTypes: Tells the enrichment processor which log types to enrich and which to pass through. This has type CommaDelimitedList, and the default value is ''.

• MitreCommit: Commit to pull MITRE matrix definitions into panther. The default value is 6747d3b032245f9c4c25224348b7d00865cab064.

• MitreVersionURL: MITRE changelog associated with the commit. The default value is https://attack.mitre.org/resources/updates/updates-april-2022/index.html.

• AllLambdasInVPC: Deploy all Lambdas inside of the panther-vpc. Cost-prohibitive, so this is opt-in. The default value is false, with allowed values of true or false.

• AlertsOpenSearchInstanceType: Instance type for Alerts Opensearch. The default value is ''.

• LogSourceLimit: Maximum number of log sources a Panther instance will support. The default value is 250.

• EnableComplianceAggregation: Enable use of compliance aggregation logic. The default value is false, with allowed values of true or false.

• ComplianceAggregationRefreshVersion: Change this value to trigger a refresh of the compliance aggregation table. The default value is 0, and the type is String.

• LambdaCloudTrailEnabled: Enables/disables data access logging for Lambda functions. The default value is false, with allowed values of true or false.

• LogProcessorPollIntervalMinutes: How often the log processor polls SQS for files. DO NOT CHANGE THIS UNLESS YOU KNOW WHAT YOU ARE DOING! The default value is 1, with a minimum value of 1 and maximum value of 15.

• ComplianceAggregationMaxDelay: The number of seconds to delay triggering the lambda when a dynamo stream event is detected. The default value is 90.

• AlertsIndicatorIngestionWorkerCount: Number of workers writing in parallel to the alerts indicators DDB. The default value is 10, with a minimum value of 1.

• AlertsIndicatorIngestionSQSMaxConcurrency: Number of concurrent lambdas. The default value is 2, with a minimum value of 1.

• AlertsIndicatorIngestionSQSBatchSize: Number of files to process per invocation. The default value is 10, with a minimum value of 1.

• AlertsIndicatorIngestionWorkerCount: Number of workers writing in parallel to the alerts indicators DDB. The default value is 5, with a minimum value of 1.

• DetectionsEngineSQSBatchParams: Parameters for the detections engine SQS batching condensed into a list to work around CFN param limit. The type is CommaDelimitedList, and the default value is 5,30,1000,60.

• DebugDetectionsEngine: Toggle debug logging for detections-engine and python-executor. The default value is false, with allowed values of true or false.

• Debug: Toggle debug logging for all components except detections-engine and python-executor. The default value is false, with allowed values of true or false.

• IngestMonthlyQuotaBytes: The purchased monthly quota in bytes. The default value is 0.

• LogProcessorEnableSourceFileInfo: Enables tracking of source file information for processed logs. The default value is true, with allowed values of true or false.

• LogPullerLambdaMemorySize: Log puller Lambda memory allocation. Increase to eliminate out-of-memory errors or reduce processing time (in exchange for higher cost). The default value is 2048, with a minimum value of 2048 and a maximum value of 10240.

• EnableDeploymentDebugLogging: Toggles debug logging for the deployment system. The default value is false, with allowed values of true or false.

• VpcID: If provided, make sure to also provide your own CIDR values (so that Panther's defaults aren't used).

  • A default VPC CIDR of 10.0.0.0/16 is used for the following public and private subnets:

    • SubnetOneIPRange: A valid & available IP range in the existing VPC you plan to deploy Panther into. Used by the load balancer. The default value is 10.0.0.0/26.

    • SubnetTwoIPRange: A second valid & available IP range in the existing VPC you plan to deploy Panther into, for multiple AZ redundancy. Used by the load balancer. The default value is 10.0.0.64/26.

    • LambdaSubnetOneIPRange: A valid & available IP range in the existing VPC you plan to deploy Panther into. Used by the VPC lambdas. The default value is 10.0.0.128/26.

    • LambdaSubnetTwoIPRange: A second valid & available IP range in the existing VPC you plan to deploy Panther into, for multiple AZ redundancy. Used by the VPC lambdas. The default value is 10.0.0.192/26.

  • A default IPv4 CIDR allocation of 10.1.0.0/16 is used for the following Airgap Subnets:

    • AirgapSubnetOneIPRange: A valid & available IP range in the existing VPC you plan to deploy Panther into. Used by the VPC lambdas. The default value is 10.1.0.0/26.

    • AirgapSubnetTwoIPRange: A second valid & available IP range in the existing VPC you plan to deploy Panther into, for multiple AZ redundancy. Used by the VPC lambdas. The default value is 10.1.0.64/26.

• SnowflakeEdition: Edition of the Snowflake instance. The default is standard.

Panther has a number of other configuration options besides the ones listed above. We recommend not setting any of these parameters on the first deployment of Panther. If any step of the initial deployment fails, the entire deployment will fail and rollback deleting all infrastructure. After you complete the initial deployment of Panther, you can update the stack with different root parameters. Then if any of these settings cause a deployment failure, Panther will simply roll back to the previous settings without needing an entire fresh deployment. This includes parameters like the snowflake and custom domain configuration parameters.