Knowledge Base Community Release Notes Request Demo

Overview
Quick Start
- Success Schema
Data Sources & Transports
Detections
Cloud Security Scanning
- Cloud Resource Attributes
  - AWS
    ACM Certificate
    CloudFormation Stack
    CloudWatch Log Group
    CloudTrail
    CloudTrail Meta
    Config Recorder
    Config Recorder Meta
    DynamoDB Table
    EC2 AMI
    EC2 Instance
    EC2 Network ACL
    EC2 SecurityGroup
    EC2 Volume
    EC2 VPC
    ECS Cluster
    EKS Cluster
    ELBV2 Application Load Balancer
    GuardDuty Detector
    GuardDuty Detector Meta
    IAM Group
    IAM Policy
    IAM Role
    IAM Root User
    IAM User
    KMS Key
    Lambda Function
    Password Policy
    RDS Instance
    Redshift Cluster
    Route 53 Domains
    Route 53 Hosted Zone
    S3 Bucket
    WAF Web ACL
Alerts & Destinations
Investigations & Search
Enrichment
System Configuration
Panther Developer Workflows
Resources
- Training Video Library
- Help

Powered by GitBook

#1935: [1.78] Add filtering section

Change request updated 1 year ago

On this page

Onboarding Data
Required
Recommended
Detection Management
Panther Console
Panther Developer Workflows
Destination and Alert Management
Required
Additional Resources
Incident Investigation and Data Analysis
Required
Additional Resources
Enrichment
Recommended
Additional Resources

Was this helpful?

Quick Start

Success Schema

Enable, Configure and Detect with Panther

PreviousQuick Start NextData Sources & Transports

Last updated 2 years ago

Was this helpful?

Now that you’ve reviewed the Quick Start guide and have access to your account’s Panther Console, it’s time to get fully onboarded to start generating alerts and investigating incidents. This checklist will walk you through the steps needed to make the most of Panther’s features.

Please note that you will need to make a decision between managing your detections using the Panther Console or outside of the console using the Panther Analysis Tool. We will help you understand your options and make the initial choice that’s best for your team.

If you need support, please reach out to your Panther account team.

This page may be viewed and downloaded as a PDF by .

Onboarding Data

The first thing you should do is onboard your data sources and start ingesting logs. Please review our for instructions on ingesting logs from common data sources, configuring data mapping for custom log sources, and ensuring you have a healthy data pipeline feeding into Panther.

Required

Onboard logs with Panther-supported schemas
Set up data pipeline health alerts
- Set up an alert destination to receive

Recommended

Create custom schemas for custom log types
Set up cloud scanning

Detection Management

Now that your data is flowing into Panther, it’s time to create your detections. You can create and manage detections in the Panther Console or by using developer workflows with the Panther Analysis Tool (PAT). We have specific checklists for using each option following the descriptions below.

Panther Console

You can leverage the Panther Console to fully customize your security program through out-of-the-box Detection Packs, as well as the option to create and customize detections to leverage the power of detections-as-code from one place.

Panther Developer Workflows

We strongly advise against using Detection Packs in the Panther Console if you are also using Developer Workflows such as PAT. Managing detections via both methods at the same time will result in unexpected behavior.

Don’t forget about Alert Destinations!

Detection management in the Panther Console

Required

Review and Activate Detection Packs

Recommended

Configure and Customize Rules
- Scheduled Rules require Scheduled Queries (see Incident Investigations below)
- Policies require having a Cloud Account configured
Set Up Real-Time Cloud Security Monitoring
Test your Detections

Additional Options

Detection Management Using PAT for CI/CD Workflows

Use these resources to set up the Panther Analysis Tool (PAT) for developer workflows, including CI/CD.

Required

Recommended

If you are already managing detections in the Panther Console and wish to migrate to a CI/CD workflow, follow the migration steps.

Additional Resources

Destination and Alert Management

Follow the resources below to enhance your detection and response capabilities.

Required

Configure your Alert Destination
Triage Detection Alerts and analyze related events in the Panther Console
- Triaging Alerts
- Alert Summaries
Configure Alert Runbooks

Additional Resources

Incident Investigation and Data Analysis

Having all of your data readily available for search and investigation is critical for efficient threat hunting and incident triage.

Use Panther’s Indicator Search and Data Explorer features to save precious time in your incident response process and conduct a thorough analysis and investigation review.

Required

Search IOCs and standard data fields
Execute SQL in the Data Explorer and view results
Set Up Scheduled Queries
Triage Policy findings and view resource attributes

Additional Resources

Enrichment

Alert noise and false positives are often the most significant challenges that security teams face with security information and event management (SIEM).

Leverage Panther’s built-in enrichment features to add valuable context to your Alerts and create more robust Detections to keep your team focused on critical alerts (reducing alert fatigue) by ruling out internet background noise in your detection and alerting logic.

Recommended

Create Lookup Tables to add context to your detections and alerts
Configure enrichment data sources to reduce false positive alerts and enhance detections

Additional Resources

Panther offers different options for leveraging the detections in the panther-analysis GitHub repository as part of your developer workflow, allowing .

Please note that while Panther’s detection engine may be running in your account, you will not receive alerts to external applications until you for them. Without a destination configured, your alerts will only be visible within the Panther Console.

Review within Detection Packs to ensure that your detections fit your needs.

Follow the to get started and keep up with Panther-built Detections

Once you have data in Panther and your detections are enabled, the next step is to set up your Alert Destinations to begin receiving alerts. See this Panther blog post to learn about the value of real-time alerting:

Panther detections to be deployed via Continuous Integration and Continuous Deployment (CI/CD)

Detection Packs

Create Real-Time Rules

Create Policies

Review and leverage Panther Helper Functions

CI/CD for Panther Content documentation

Using the Panther detections repo

Deployment workflows using Panther Analysis Tool

Video: Writing Custom Python Detections with Panther

Video: Writing Custom Python Detections with Panther, Part II

Video: Real-Time Alerts With Unified Data Models

Detect Everything, Real-Time Alerts As Needed

Blog: Triage Alerts Faster with Alert Summaries

Blog: Activate Security Automation with Alert Context

Indicator Search

Scheduled queries

Cloud resource attributes

Webinar: How to Detect and Investigate Threats with Panther

Blog: Find Patterns Quickly with Indicator Search Drill Down

Blog: Advanced Detections with Scheduled Queries

Blog: Improve detection fidelity and alert triage with Lookup Tables in Panther

Blog: Reduce false positives with GreyNoise threat intelligence in Panther

configure destinations

Data Sources & Transports documentation

Data Transports

system health notifications

Monitoring log sources

Custom log types

Cloud security scanning

Migrating to a CI/CD Workflow

how to disable and enable individual detections

Real-Time Monitoring

Create Scheduled Rules

Generate schemas from S3 buckets