Glossary
This Glossary introduces common cloud-native, security, and Panther-specific terminology.
Last updated
Was this helpful?
This Glossary introduces common cloud-native, security, and Panther-specific terminology.
Last updated
Was this helpful?
A brief and human-readable event that correlated to a programmed alarm rule to provide information about data breaches, exploits, or malicious behaviors.
The event triggered by Panther after the criteria on your rule, policy, or query is met. See Triaging Alerts for more information.
A designated location where a security alert is sent after being created.
Your selected services(s) where Panther alerts are sent, such as Jira, Slack, or PagerDuty. See for more information.
A connection between computers or applications, which defines a specific set of rules for how they communicate and interact with one another.
The is used for alert, role, and user management, and data lake querying.
Python functions that control analysis logic, generated alert title, event grouping, routing of alerts, and metadata overrides for . These functions are applicable to both and .
Panther features may go through a closed beta, open beta, or both before becoming generally available. Features in beta phases will be identified as such in release notes and on their documentation pages.
Closed Beta: In this phase, a feature is enabled for a sub-set of customers for testing and feedback. Closed beta features may be enabled for additional customers if they request access.
Open Beta: In this phase, a feature is enabled for all customers but is still undergoing development. Feedback and bug reports are greatly appreciated during this period.
Continuous integration means work is constantly merged back into a central location, and generally includes automated testing for safety purposes. Continuous deployment or delivery means work is constantly deployed into production.
A term for tools that you interact with from a command line, shell, virtual terminal, or similar interface.
Cloud-native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach.
In Panther context, a Cloud Resource is an entity within your AWS account, such as an EC2 instance, S3 bucket, and IAM User. Cloud Resources are associated with an AWS account that you connected with Panther. Accessible from the Cloud Resources section of the Panther Console.
A time-based scheduler that executes one or more commands at specific dates and times.
Also known as web callbacks; a lightweight API that enables one system to forward data to another system when a specific event occurs.
The deduplication string returned by the
dedupfunctionThe deduplication period configured on a detection
Detection-as-Code is a modern, flexible, and structured approach to writing security detections that applies software engineering best practices like version control systems (VCS) to manage detections, requires testing and manual reviews for detection changes, automatically enforces these testing and standards (CI), and automatically deploys these changes (CD).
A cybersecurity solution that continuously monitors endpoint data and triggers rule-based automated responses.
A “helper” function performs one part of the computation of a larger function or program. This allows you to re-use logic defined in one place multiple times, in addition to logically separating code for better comprehension and testing.
A company that collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise
Data collected that is likely to indicate a security breach or threat.
Log normalization parses and normalizes your uploaded logs for IOC (indicator of compromise) fields like domains and IPs to support efficient and effective analysis, searches, and correlations across all log types.
A cybersecurity service that continuously monitors all security data and thus allows for robust detection, monitoring, and response to limit malicious threats and breaches.
Panther’s web application. Customers can log in at [customer-URL].runpanther.net.
Non-Panther Console workflows you can use to interact with your Panther account, including CI/CD, API, Terraform, the pantherlog tool, and the Panther Analysis Tool (PAT).
A detection that has been written and is continuously maintained by Panther.
In JSON, pretty printing includes proper line breaks, indentation, white space, and overall structure.
An authorization method that assigns access based on user roles and user permissions.
Real-time rules, simply known as Rules, are used to analyze a point-in-time (single log)
Saved Search
Schemas inform Panther how to normalize data for downstream services like the detection engine and tables in the data lake.
Also known as a data lake or SDL. A centralized repository aimed at maintaining and managing all log or other data sources relevant to an organization’s security posture. An SDL can ingest data from myriad sources and can integrate with other security analytics tools to provide a single place for security data to be housed, searched, and utilized.
A SIEM collects, stores, and analyzes security data across broad networks and data sources, allowing organizations to detect and respond to escalating threats.
A collection of security management solutions that combine threat management with incident response and automated security operations.
Pronounced “sock.” A team of IT professionals tasked to monitor, analyze, and respond to security threats
An authentication process that allows a user to log in with one ID credential to access multiple separate and independent applications and services.
A consolidation of data tools to give extended visibility, analysis, and response across multiple applications.
See Panther's for information on managing detections with a CI/CD workflow.
In Panther’s context, CLI refers to tools like and pantherlog, which are distributed by Panther and executed by customers locally on their own machines.
Source:
In Panther context, an AWS account that you connect with Panther to use with . Accessible from the Cloud Accounts section of the Panther Console.
In Panther's context, a Cron Expression is used to set a defined interval while running or .
Panther’s alert destination allows you to deliver alerts to selected third-party platforms that accept webhooks.
is a Panther tool where you can view your normalized data, select rule matches, perform SQL queries, search standard fields across data, load or schedule queries, and download sharable results in a CSV file.
In Panther, refers to the process of grouping suspicious events together into a single alert to prevent receiving duplicate alerts for the same behavior that may have multiple indicators. Any event that triggers a detection is grouped together with other events that triggered the same detection and subsequent deduplication string within the designated deduplication period. This is controlled by two aspects:
Panther’s logically group detections as well as enable detection updates via the Panther Console. Panther-provided packs are defined in this open-source repository: .
Panther’s Enrichment features add important context to your detections and alerts for faster investigation workflows, enhanced detections, and reduced alert noise. Panther offers the following enrichment features: and a .
In Panther, contain python code that can be used in other types of Panther detections (such as policies, rules, and data models). These Global Helpers serve as a library of common programming patterns that you can extend and use in any of the detections you write.
Panther's integration allows you to reduce false-positive alerts by identifying opportunistic attacks allowed into your perimeter and emerging threats based on GreyNoise context data and tagging.
Panther’s allow you to add important context to your detections and alerts by enriching the events they process and contain. They help you save time by enhancing detections, reducing alert noise, and speeding up investigations for improved investigation workflows.
A of all detections developed by Panther including rules, policies, and scheduled rules.
Also known as ; an open-source utility for testing, packaging, and deploying Panther detections from source code. PAT’s intent is to enable CI/CD workflows for customers.
Panther's are Python functions that scan and evaluate cloud infrastructure configurations to identify misconfigurations and subsequently generate alerts. Policies specifically apply to cloud resources, whereas apply to security logs.
Source:
Panther's are Python functions for detecting suspicious security log activity and generating alerts.
are used to analyze aggregated or statistical data sets (many logs)
A preserved search expression. A Saved Search can be turned into a by setting it to run on a certain interval.
A detection that's associated with a . The data returned each time the search executes is run against the detection, alerting when matches are found.
A Saved Query that is scheduled to run on a designated interval. Scheduled Searches are typically associated with at least one . Scheduled Searches were formerly known as "Scheduled Queries."
A cloud-based Data Warehouse to provide unified, secure, and scalable security capabilities so businesses can eliminate blind spots and respond to threats at cloud-scale.