Real-Time Rules that analyze data as soon as it's sent to Panther
Scheduled Rules that run after a SQL query has been executed
Policies that detect insecure cloud resources
Each detection type is written in Python and sends alerts to detect suspicious behavior or insecure infrastructure. Similar concepts are applied to each detection type and the docs in this section will outline those features.
Panther detections can be created and managed in two different ways:
In the Panther Console by navigating to Detections in the left-side navigation. These can be supplemented with Panther-managed detections from Packs.
Learn more about managing Panther detections using a Continuous Integration and Continuous Deployment workflow in our CI/CD Guide.
We do not recommend using both the Console and Panther Analysis Tool to manage detections because of complexity and potential issues. We also do not recommend the use of Detection Packs by customers using CLI workflows.
There are many standards on what different severity levels should mean, and in Panther, we recommend severities on this table:
No risk, simply informational
Gaining operational awareness.
Little to no risk if exploited
Non-sensitive information leaking such as system time and OS versions.
Moderate risk if exploited
Expired credentials, missing protection against accidental data loss, encryption settings, best practice settings for audit tools.
Very damaging if exploited
Large gaps in visibility, directly vulnerable infrastructure, misconfigurations directly related to data exposure.
Causes extreme damage if exploited
Public data/systems available, leaked access keys.
Use this as a reference point to create your own standards.