# Onboarding Guide

## Overview

Onboarding in Panther includes setting up log sources, detections, and alert destinations, as well as familiarizing yourself with search tools and optionally enabling enrichment capabilities. This guide explains how to complete each of these tasks.

If you need help while onboarding, please reach out to your Panther support team.

## Prerequisite

* You have successfully logged in to your Panther Console.

## Step 1: Onboard log sources

The first step in configuring your Panther environment is to onboard log sources, which provide data to Panther to analyze and store. After identifying valuable sources, you'll onboard each one.

### Step 1.1: Identify log sources to onboard

Consider the log-emitting systems in your environment that you'd like to monitor for security. It's recommended to onboard enough sources to come close to your allowed ingest volume. You can use [log filtering](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/ingestion-filters/raw-event) if you would only like to ingest *some* logs from a certain source into Panther.

If you need some ideas of where to get started, review the [Supported Logs](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/supported-logs) list. You can also onboard completely [custom sources](https://docs.panther.com/data-onboarding/custom-log-types).

### Step 1.2: Onboard each log source

For each of the log sources you've identified as wanting to ingest:

* If the log source is one of Panther's [supported sources](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/supported-logs), onboard it by following the instructions on its documentation page.
* If the log source is not one of Panther's [supported sources](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/supported-logs):
  1. If the source is able to emit event webhooks:

     {% hint style="info" %}
     If the source is high-volume (emits at least one GB per hour) or its [payload size exceeds the HTTP payload limit](https://docs.panther.com/data-onboarding/data-transports/http#payload-requirements), skip the HTTP option and continue with step 2 (S3) below.
     {% endhint %}

     1. Onboard the source by following the [HTTP Source creation instructions](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/data-transports/http#how-to-set-up-an-http-log-source-in-panther).
     2. Follow the [instructions to infer a custom schema from HTTP data received in Panther](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/custom-log-types#http-data-received-in-panther).
  2. If the source is not able to emit event webhooks but can export events to an S3 bucket:
     1. Onboard the source by following the [S3 Source creation instructions](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/data-transports/aws/s3#how-to-pull-logs-from-aws-s3-buckets-into-panther).
     2. Follow the instructions to infer a custom schema in one of the following ways:
        * [From S3 data received in Panther](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/custom-log-types#s3-data-received-in-panther)
        * [From historical S3 data](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/custom-log-types#historical-s3-data)
  3. If the source can neither emit event webhooks nor export events to an S3 bucket, but can export events to one of the other [Data Transport](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/data-transports) locations Panther can pull from, e.g., [Google Cloud Storage](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/data-transports/google) or [Azure Blob Storage](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/data-transports/azure-blob-storage):
     1. Define a custom schema in one of the following ways:
        * [Inferring from sample logs in the Console](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/custom-log-types#sample-logs)
        * [Inferring using pantherlog `infer`](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/panther-developer-workflows/pantherlog#infer-generate-a-schema-from-json-log-samples)
        * [Creating one manually in the Console](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/custom-log-types#manually)
     2. Onboard the source by following the instructions within the [documentation for your chosen Data Transport](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/data-transports).
  4. If the source can neither emit event webhooks nor export events to any of Panther's [Data Transport](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/data-transports) locations, see Panther's [Data Pipeline Tools](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/data-pipeline-tools) guides or reach out to your Panther support team for assistance in connecting your data to Panther.

These Step 1.2 instructions are also represented in the flow chart below:

<div data-full-width="true"><figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fn5qy1EQKWVbMes3j2mAN%2F10.18.23_log_source_onboarding_flowchart.png?alt=media&#x26;token=94548e70-85e3-43e4-9075-caa630be724d" alt="This flow chart diagram shows how to onboard a given log source depending on characteristics of the source, like whether it can emit webhook events or export events to S3."><figcaption></figcaption></figure></div>

### (Optional) Step 1.3: Onboard AWS account(s) for Cloud Security Scanning

If you use AWS as a cloud provider, you can use Panther's [Cloud Security Scanning](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/cloud-scanning) feature to monitor the configurations of your cloud resources.

* If you'd like to use Cloud Security Scanning, [onboard one or more AWS accounts by following these instructions](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/cloud-scanning#onboarding-a-cloud-account-in-the-panther-console).

{% hint style="info" %}
**Log sources: Go further**

* Learn how to [monitor the health of your log sources](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/monitoring-log-sources).
* Learn about [field discovery](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/custom-log-types#enabling-field-discovery) for custom log sources.
* If you created any [custom schemas](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/custom-log-types#how-to-define-a-custom-schema), designate fields as [Indicator Fields](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/search/panther-fields#indicator-fields) to enable cross-log search and detections.
{% endhint %}

## Step 2: Create or enable detections

Now that your data is flowing into Panther, it's time to configure detections. First, you'll choose whether to manage detection content in the Panther Console or CLI workflow. Then, for each source, you'll enable Panther-managed detections or create your own.

After you have created or enabled detections, alerts for matches will be visible in your Panther Console and queryable via the Panther API—but you will not receive alerts in external applications until you complete the [next step](#step-3-configure-alert-destinations), to set up alert destinations.

### Step 2.1: Choose the Console or CLI workflow for detection management

Decide whether you'd like to manage detection content in the Panther Console or in the CLI workflow (performing uploads using the [Panther Analysis Tool \[PAT\]](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/panther-developer-workflows/ci-cd/deployment-workflows/pat), perhaps in a [CI/CD](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/panther-developer-workflows/ci-cd) pipeline). Detection content includes detection packs and individual detections (rules, scheduled rules, and policies), as well as data models, global helpers, lookup tables, saved searches, and scheduled searches. Managing detection content in both the Console and CLI workflows is unsupported.

You might choose to use the CLI workflow if your team is comfortable using git, command line tools, and CI/CD pipelines. Otherwise, it's recommended to use the Panther Console.

{% hint style="info" %}
Panther's [Simple Detections](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections#simple-detections) functionality aims to eventually integrate the Console and CLI workflows. Currently, if your team uses the CLI workflow to manage detection content, the changes made to detections using the [Simple Detection builder](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/rules/simple-detection-builder) in the Console will still be overwritten on next upload (except for [Inline Filters](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/rules/inline-filters) created in the Console, which will be preserved).
{% endhint %}

### Step 2.2: Create or enable rules and scheduled rules for each log source

For each log source you onboarded to Panther in the previous step, you will enable Panther-managed detections or create your own. If the source is one of Panther's [Supported Logs](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/supported-logs), follow the [Supported logs section below](#supported-logs). Otherwise, follow the [Custom logs section](#custom-logs).

#### Supported logs

* If the source is one of Panther's [Supported Logs](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/data-onboarding/supported-logs):
  * If you already enabled a Detection Pack for this log source during onboarding (on the final "Success!" page), move on to the next log source.
  * Otherwise, enable a Panther-managed Detection Pack for the source. See the instructions below for enabling a Detection Pack in the Panther Console and in the CLI workflow.

{% tabs %}
{% tab title="Console" %}

#### Enable a Panther-managed Detection Pack in the Console

* Follow [these instructions to enable a Panther-managed Detection Pack](https://docs.panther.com/detections/panther-managed/packs#enabling-and-disabling-detection-packs) for the source.

Go further:

* Learn [how to customize a Panther-managed detection](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/panther-managed#how-to-customize-a-panther-managed-detection).
* Create additional, custom detections for this source.
{% endtab %}

{% tab title="CLI" %}

#### Enable a Panther-managed Detection Pack in the CLI workflow

1. If you have not done so already, [follow these instructions](https://docs.panther.com/panther-developer-workflows/ci-cd/detections-repo) to clone or fork the [panther-analysis repository](https://github.com/panther-labs/panther-analysis/tree/master) of detections.
2. Within the [rules directory of your copy of the panther-analysis repository](https://github.com/panther-labs/panther-analysis/tree/master/rules), locate the directory for this source, which contains Panther-managed rules and (possibly) scheduled rules.
3. For each Panther-managed rule and scheduled rule that you would like to enable, in the detection's corresponding YAML file, set:

   ```yaml
   Enabled: True
   ```
4. If there are any rules or scheduled rules in the source's directory that you would not like enabled, in the detection's corresponding YAML file, set:

   ```yaml
   Enabled: False
   ```
5. Upload your detections to Panther manually using [PAT](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/panther-developer-workflows/ci-cd/deployment-workflows/pat), or [configure your CI/CD pipeline](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/panther-developer-workflows/ci-cd) to upload detection content with PAT.

Go further:

* Create additional, custom detections for this source.
{% endtab %}
{% endtabs %}

#### Custom logs

* If the source is a custom log source:
  * Create your own detections. See the instructions below for creating detections in the Panther Console and in the CLI workflow. While creating detections:
    * Consider leveraging Panther-managed [helper functions](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/rules/python/globals), or creating your own.
    * Create [tests](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/testing).

{% tabs %}
{% tab title="Console" %}

#### Create rules and scheduled rules in the Console

* Create one or more rules for the log source.
  * [To create a Python rule, follow these instructions](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/rules/python#creating-a-rule-in-python-in-the-console).
  * [To use the Simple Detection builder, follow these instructions.](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/rules/simple-detection-builder#how-to-create-a-rule-in-the-simple-detection-builder)
* If necessary, create one or more Scheduled Rules for the log source by [following these instructions](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/rules/python#creating-a-scheduled-rule-in-python-in-the-console).
{% endtab %}

{% tab title="CLI" %}

#### Create rules and scheduled rules in the CLI workflow

1. If you have not done so already, [follow these instructions](https://docs.panther.com/panther-developer-workflows/ci-cd/detections-repo) to clone or fork the [panther-analysis repository](https://github.com/panther-labs/panther-analysis/tree/master) of Python detections.
2. Write one or more rules for the log source:
   * [To write a Python rule, follow these instructions](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/rules/python#creating-a-rule-in-python-in-the-cli-workflow).
   * [To write a Simple Detection rule, follow these instructions](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/rules/writing-simple-detections#how-to-create-a-simple-detection-rule-in-yaml).
3. If necessary, write one or more Scheduled Rules for the log source by [following these instructions](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/rules/python#creating-a-scheduled-rule-in-python-in-the-cli-workflow).
4. Upload your detections to Panther manually using [PAT](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/panther-developer-workflows/ci-cd/deployment-workflows/pat), or [configure your CI/CD pipeline](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/panther-developer-workflows/ci-cd) to upload detection content with PAT.
{% endtab %}
{% endtabs %}
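The following is an added example of what a custom-log rule from Step 2.2 looks like once written; it is not code from the Panther docs or the panther-analysis repository. The log type (`Custom.VPNAuth`), its field names (`action`, `user`, `src_ip`, `mfa`), the corporate IP ranges and the sample events are all assumptions constructed for this illustration; in a real rule they come from your custom schema. Panther calls `rule(event)` once per event and opens an alert when it returns `True`; `severity`, `title`, `dedup` and `alert_context` shape that alert. Panther's `event` object supports `.get()` like a dictionary, which is why the constructed events below are plain dicts.

```python
"""Example Python rule for a constructed custom log type, Custom.VPNAuth.

Added illustration, not code shipped by Panther. Field names, IP ranges and
sample events are assumptions made for this example.
"""
import ipaddress
from typing import Any, Dict, Mapping

# --- Helper (the kind of thing panther-analysis keeps in global_helpers) ---
# Assumed corporate egress ranges; in production these belong in a shared
# global helper or a Lookup Table rather than inside a single rule.
CORP_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]


def is_corporate_ip(value: Any) -> bool:
    """True only when value parses as an IP address inside a corporate range."""
    try:
        addr = ipaddress.ip_address(str(value))
    except ValueError:
        return False  # a missing or malformed IP is treated as untrusted
    return any(addr in net for net in CORP_RANGES)


# --- Functions Panther invokes -----------------------------------------------
def rule(event: Mapping[str, Any]) -> bool:
    """Alert on a successful login that skipped MFA from a non-corporate IP."""
    if event.get("action") != "login_success":
        return False
    if event.get("mfa") is True:
        return False
    return not is_corporate_ip(event.get("src_ip"))


def severity(event: Mapping[str, Any]) -> str:
    """Override the YAML severity: a service account without MFA is critical."""
    if str(event.get("user", "")).startswith("svc-"):
        return "CRITICAL"
    return "HIGH"


def title(event: Mapping[str, Any]) -> str:
    user = event.get("user", "<unknown user>")
    src = event.get("src_ip", "<unknown ip>")
    return f"VPN login without MFA for {user} from {src}"


def dedup(event: Mapping[str, Any]) -> str:
    """Collapse repeated hits for one user into a single alert per dedup window."""
    return f"vpn-no-mfa:{event.get('user', '<unknown user>')}"


def alert_context(event: Mapping[str, Any]) -> Dict[str, Any]:
    """Extra fields delivered with the alert for the responder."""
    return {key: event.get(key) for key in ("user", "src_ip", "mfa", "action")}


# --- Constructed test events and the result each one should produce ----------
SAMPLE_EVENTS: Dict[str, Dict[str, Any]] = {
    "external_no_mfa": {"action": "login_success", "user": "alice", "src_ip": "198.51.100.7", "mfa": False},
    "external_with_mfa": {"action": "login_success", "user": "alice", "src_ip": "198.51.100.7", "mfa": True},
    "corporate_no_mfa": {"action": "login_success", "user": "bob", "src_ip": "10.20.30.40", "mfa": False},
    "failed_login": {"action": "login_failure", "user": "mallory", "src_ip": "198.51.100.9", "mfa": False},
    "service_account": {"action": "login_success", "user": "svc-backup", "src_ip": "192.0.2.10", "mfa": False},
    "missing_src_ip": {"action": "login_success", "user": "carol", "mfa": False},  # edge case: no IP field
}
EXPECTED: Dict[str, bool] = {
    "external_no_mfa": True,
    "external_with_mfa": False,
    "corporate_no_mfa": False,
    "failed_login": False,
    "service_account": True,
    "missing_src_ip": True,  # an event with no source IP must not silently pass
}


def run_tests() -> Dict[str, bool]:
    """Evaluate rule() over every sample; mirrors what the Tests block in the rule YAML does."""
    return {name: rule(event) for name, event in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, got in run_tests().items():
        print(f"{'PASS' if got == EXPECTED[name] else 'FAIL'} {name}: rule() -> {got}")
```

The `missing_src_ip` case is the one to note: a rule that only alerts when an IP is present and external would go quiet the moment the source stops populating the field, so the helper treats an unparsable IP as untrusted. In the CLI workflow these same cases would live in the rule's YAML under `Tests:` (each with a `Log` and an `ExpectedResult`) and run with `panther_analysis_tool test` before upload.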

### (Optional) Step 2.3: Create or enable policies for each Cloud Security Scanning account

If you onboarded one or more AWS accounts for [Cloud Security Scanning](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/cloud-scanning), enable Panther-managed policies, or create your own.

{% tabs %}
{% tab title="Console" %}

#### Enable Panther-managed Policies in the Console

* Enable the [Panther Core AWS Pack](https://github.com/panther-labs/panther-analysis/blob/13e49e6589b1160928ec85678884da0e72e986f3/packs/aws.yml) in the Panther Console. Note that in addition to Policies, this pack includes rules, helpers, and data models.
  * [See instructions for enabling Packs in the Console here](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/panther-managed/packs#enabling-and-disabling-detection-packs).

#### Create Policies in the Console

* To create Policies in the Console, [follow these instructions](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/policies#how-to-write-policies-in-the-panther-console).
{% endtab %}

{% tab title="CLI" %}

#### Enable Panther-managed Policies in the CLI workflow

* If you have not done so already, [follow these instructions](https://docs.panther.com/panther-developer-workflows/ci-cd/detections-repo) to clone or fork the [panther-analysis repository](https://github.com/panther-labs/panther-analysis/tree/master) of Python detections.
* Within the [policies directory of your copy of the panther-analysis repository](https://github.com/panther-labs/panther-analysis/tree/master/policies), identify the directories of interest to you, i.e., the directories covering AWS resources you are interested in monitoring.
* In each directory of interest, for each Panther-managed policy that you would like to enable, set the following in the detection's corresponding YAML file:

  ```yaml
  Enabled: True
  ```
* In each directory of interest, if there are any policies in the directory that you would not like enabled, set the following in the detection's corresponding YAML file:

  ```yaml
  Enabled: False
  ```
* Upload your detections to Panther manually using [PAT](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/panther-developer-workflows/ci-cd/deployment-workflows/pat), or [configure your CI/CD pipeline](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/panther-developer-workflows/ci-cd) to upload detection content with PAT.

#### Create Policies in the CLI workflow

* To write Policies in the CLI workflow, [follow these instructions](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/policies#how-to-write-a-policy).
{% endtab %}
{% endtabs %}
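The CLI tabs in Step 2.2 and Step 2.3 both come down to the same chore: flipping `Enabled:` in many Panther-managed YAML files and uploading the result with PAT. The script below is an added example of doing that from an allow-list; it is not a tool that ships with Panther or panther-analysis. It edits files in place with a line-level regex rather than re-serialising the YAML, so comments, key order and quoting in the managed files survive and the diff you commit is one line per file. The directory layout, the `Example.Okta.*` IDs and the two sample files are constructed for the illustration; in your repository the targets are the `rules/<source>/` and `policies/<service>/` directories.

```python
"""Bulk-toggle the top-level `Enabled:` key in Panther detection YAML files.

Added example for the CLI workflow (Steps 2.2 and 2.3); not a Panther tool.
Sample files and detection IDs below are constructed for this illustration.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# Only an unindented `Enabled:` is the detection's own flag (column 0 in panther-analysis).
ENABLED_RE = re.compile(r"^Enabled:.*$", re.MULTILINE)
# Rules carry RuleID, policies carry PolicyID; the value may or may not be quoted.
ID_RE = re.compile(r'^(?:RuleID|PolicyID):[ \t]*"?(?P<id>[^"\s]+)"?[ \t]*$', re.MULTILINE)


def set_enabled(text: str, enabled: bool) -> str:
    """Return text with its top-level Enabled value replaced by a lowercase YAML bool."""
    new_text, count = ENABLED_RE.subn(f"Enabled: {'true' if enabled else 'false'}", text, count=1)
    if count == 0:
        raise ValueError("no top-level Enabled: key found")
    return new_text


def detection_id(text: str) -> str:
    """Extract the RuleID or PolicyID from a detection YAML body."""
    match = ID_RE.search(text)
    if not match:
        raise ValueError("no RuleID or PolicyID found")
    return match.group("id")


def apply_allowlist(directory: Path, keep_enabled: Iterable[str]) -> Dict[str, bool]:
    """Enable detections whose ID is in keep_enabled and disable every other one.

    Returns {detection_id: enabled} for each YAML file handled. Files without an
    ID or an Enabled key (e.g. global helpers, data models) are left untouched.
    """
    wanted = set(keep_enabled)
    outcome: Dict[str, bool] = {}
    for path in sorted(directory.glob("*.yml")):
        text = path.read_text(encoding="utf-8")
        try:
            det_id = detection_id(text)
            updated = set_enabled(text, det_id in wanted)
        except ValueError:
            continue
        if updated != text:
            path.write_text(updated, encoding="utf-8")
        outcome[det_id] = det_id in wanted
    return outcome


# Constructed stand-ins for two Panther-managed rule files in rules/<source>/.
SAMPLE_FILES = {
    "example_brute_force.yml": (
        "AnalysisType: rule\n"
        'RuleID: "Example.Okta.BruteForce"\n'
        "DisplayName: Example Brute Force  # a comment that must survive the edit\n"
        "Enabled: false\n"
        "Filename: example_brute_force.py\n"
        "LogTypes:\n  - Okta.SystemLog\n"
        "Severity: High\n"
    ),
    "example_geo.yml": (
        "AnalysisType: rule\n"
        "RuleID: Example.Okta.GeoImprobable\n"
        "Enabled: true\n"
        "Filename: example_geo.py\n"
        "LogTypes:\n  - Okta.SystemLog\n"
        "Severity: Medium\n"
    ),
}


def demo() -> Dict[str, bool]:
    """Write the sample files to a temp dir, keep exactly one rule enabled, return the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        directory = Path(tmp)
        for name, body in SAMPLE_FILES.items():
            (directory / name).write_text(body, encoding="utf-8")
        return apply_allowlist(directory, ["Example.Okta.BruteForce"])


if __name__ == "__main__":
    print(demo())
```

Run it against one source directory at a time with the IDs you want live, review the diff, then `panther_analysis_tool test` and `panther_analysis_tool upload` as the steps above describe. The page writes `Enabled: True`; YAML reads `True` and `true` as the same boolean, and the script emits lowercase because that is the form the panther-analysis files themselves use.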

{% hint style="info" %}
**Detections: Go further**

* If you are using the CLI workflow, [configure your CI/CD pipeline to upload to Panther](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/panther-developer-workflows/ci-cd).
* Use [Data Replay](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/testing/data-replay) to check that your detections match when expected.
* If you onboarded an AWS account for Cloud Security Scanning, set up [real-time monitoring](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/cloud-scanning#real-time-monitoring).
{% endhint %}

## Step 3: Configure alert destinations

Set up [alert destinations](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/alerts/destinations) to receive alerts in locations outside of your Panther Console.

### Step 3.1: Identify where you want to receive Panther alerts

Where is the best place for your team to receive Panther alerts? Does it make sense to configure multiple destinations, and route alerts of different [severities](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/rules#alert-severity) to different locations?

If you need some ideas to get started, check out the list of supported destinations on the [Alert Destinations](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/alerts/destinations) page. You can also create [custom destinations](https://docs.panther.com/alerts/destinations#setting-up-destinations-that-are-not-natively-supported).

### Step 3.2: Set up destinations

For each alert destination you'd like to set up:

* If the destination is one of the [destinations natively supported by Panther](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/alerts/destinations), follow the setup instructions specific to that destination.
* If the destination is not natively supported by Panther:
  * If the destination can receive HTTP `POST` requests containing a `JSON` payload, follow the [instructions to use a Custom Webhook Destination](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/alerts/destinations/custom_webhook).
  * Alternatively, consider polling the Panther API for new alerts on a schedule. [Learn more about this option here](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/alerts/destinations#panthers-api).

### Step 3.3: Ensure at least one destination is receiving System Errors

System Errors notify users when some part of their Panther workflow is not functioning correctly, such as log sources turning unhealthy or alerts failing to deliver. Learn more about System Errors on [System Health Notifications](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/system-configuration/notifications/system-errors).

When setting up each alert destination, you'll select the **Alert Types** sent to that destination, shown below. It's strongly recommended to configure at least one alert destination to receive System Errors.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FLnHGrtkk2ilD9yo815VB%2FScreenshot%202023-09-25%20at%201.45.30%20PM.png?alt=media&#x26;token=34c9c16a-a920-435c-9d22-0839950c50ec" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**Alert destinations: Go further**

* Learn how to triage alerts in Panther on [Assigning and Managing Alerts](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/alerts/alert-management).
{% endhint %}

## Step 4: Learn how to use search tools

Before it's time to investigate a security incident, you'll want to be comfortable using Panther's [search tools](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/search).

* Practice creating filters and executing a search in the [Search](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/search/search-tool) tool.
* If you are comfortable writing SQL, practice running queries in [Data Explorer](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/search/data-explorer).
  * See example queries in [Data Explorer Query Examples](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/search/data-explorer/example-queries).

{% hint style="info" %}
**Search: Go further**

* Create a [Scheduled Search](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/search/scheduled-searches#how-to-create-a-scheduled-query), on top of which you can create a [Scheduled Rule](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/detections/rules#how-to-write-scheduled-rules).
{% endhint %}

## (Optional) Step 5: Set up Enrichment

Panther's [Enrichment](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/enrichment) features can add useful context to log events, enabling you to write higher fidelity detections and generate more informative alerts. These features include:

* Panther-managed Enrichment Providers like [IPinfo](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/enrichment/ipinfo), [Tor Exit Nodes](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/enrichment/tor-exit-nodes), and [Anomali ThreatStream](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/enrichment/anomali-threatstream)
* [Identity Provider Profiles](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/enrichment/profiles) like [Okta Profiles](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/enrichment/profiles/okta) and [Google Workspace Profiles](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/enrichment/profiles/google-workspace)
* [Lookup Tables](https://docs.panther.com/~/changes/Cd1BxbxeaFl8dlynhNpt/enrichment/lookup-tables) containing custom data

For each of the above features, decide whether you want to enable it; if so, follow the setup instructions on its page.
