Operations

Monitoring

Visibility

Panther has 5 CloudWatch dashboards to provide visibility into the operation of the system:

  • PantherOverview: An overview of errors and performance across all Panther components.

  • PantherCloudSecurity: Details of the components monitoring infrastructure for CloudSecurity.

  • PantherAlertProcessing: Details of the components that relay alerts for CloudSecurity and Log Processing.

  • PantherLogAnalysis: Details of the components processing logs and running rules.

  • PantherRemediation: Details of the components that remediate infrastructure issues.

Alarms

Panther uses CloudWatch Alarms to monitor the health of each component. To receive notifications, edit the deployments/panther_config.yml file and associate an SNS topic you have created with the Panther CloudWatch alarms. If this value is left blank, Panther associates the alarms with its default SNS topic, panther-alarms:

MonitoringParameterValues:
  # This is the ARN of the SNS topic you want associated with Panther system alarms.
  # If this is not set, alarms will be associated with the SNS topic `panther-alarms`.
  AlarmSNSTopicARN: 'arn:aws:sns:us-east-1:05060362XXX:MyAlarmSNSTopic'
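A check that belongs next to this setting is confirming, after deployment, that the Panther alarms actually notify the topic you configured rather than still pointing at the default or at nothing. The script below is an added example, not Panther's own code: it works on alarm records in the shape boto3's CloudWatch describe_alarms returns under MetricAlarms, runs offline on a constructed sample, and assumes that Panther's alarm names start with "Panther" (the prefix and the topic ARNs are placeholders).

```python
"""Verify that Panther's CloudWatch alarms notify the SNS topic you configured.

Added example, not Panther's own code. Operates on alarm records in the shape
boto3's CloudWatch describe_alarms returns under "MetricAlarms", so the checks
run offline on the constructed sample below; fetch_alarms() shows the live call.
The "Panther" alarm-name prefix is an assumption.
"""

# Placeholder ARN: substitute the topic you set as AlarmSNSTopicARN in panther_config.yml
EXPECTED_TOPIC = "arn:aws:sns:us-east-1:123456789012:MyAlarmSNSTopic"
# Placeholder ARN for Panther's default topic (named panther-alarms per the docs)
DEFAULT_TOPIC = "arn:aws:sns:us-east-1:123456789012:panther-alarms"

# Constructed sample in the shape of describe_alarms()["MetricAlarms"]
SAMPLE_ALARMS = [
    {"AlarmName": "Panther-LogProcessor-Errors",
     "AlarmActions": [EXPECTED_TOPIC], "OKActions": [EXPECTED_TOPIC]},
    {"AlarmName": "Panther-AlertForwarder-Errors",   # still on the default topic
     "AlarmActions": [DEFAULT_TOPIC], "OKActions": []},
    {"AlarmName": "Panther-RulesEngine-Latency",     # no actions: trips silently
     "AlarmActions": [], "OKActions": []},
    {"AlarmName": "OtherTeam-Disk", "AlarmActions": [], "OKActions": []},
]


def panther_alarms(alarms, prefix="Panther"):
    """Keep only the alarms whose name carries the Panther prefix (assumed naming)."""
    return [a for a in alarms if a.get("AlarmName", "").startswith(prefix)]


def misrouted_alarms(alarms, expected_topic, prefix="Panther"):
    """Names of Panther alarms whose ALARM-state actions do not include expected_topic."""
    return sorted(a["AlarmName"] for a in panther_alarms(alarms, prefix)
                  if expected_topic not in a.get("AlarmActions", []))


def silent_alarms(alarms, prefix="Panther"):
    """Names of Panther alarms with no actions at all; these never notify anyone."""
    return sorted(a["AlarmName"] for a in panther_alarms(alarms, prefix)
                  if not a.get("AlarmActions") and not a.get("OKActions"))


def fetch_alarms(cloudwatch, prefix="Panther"):
    """Pull every alarm with the prefix from a boto3 CloudWatch client (paginated)."""
    alarms = []
    paginator = cloudwatch.get_paginator("describe_alarms")
    for page in paginator.paginate(AlarmNamePrefix=prefix):
        alarms.extend(page.get("MetricAlarms", []))
    return alarms


if __name__ == "__main__":
    # Live use: import boto3; alarms = fetch_alarms(boto3.client("cloudwatch"))
    for name in misrouted_alarms(SAMPLE_ALARMS, EXPECTED_TOPIC):
        print(f"not routed to {EXPECTED_TOPIC}: {name}")
    for name in silent_alarms(SAMPLE_ALARMS):
        print(f"no notification actions: {name}")
```

Run it against fetch_alarms() output after each deploy; an alarm that appears in silent_alarms() will change state without telling anyone, which is the failure mode this setting exists to prevent.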

To configure alarms to send to your team, follow the guides below:

Tools

Panther comes with operational tools useful for managing the Panther infrastructure. These are statically compiled executables for Linux, Mac (aka darwin) and Windows, and can be copied or installed onto operational support hosts. To build them:

mage build:opstools

  • requeue: a tool to copy messages from a dead letter queue back to the originating queue.

  • s3queue: a tool to list files under an S3 path and send them to the log processor input queue for processing (useful for backfilling data).
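The requeue tool's job sounds trivial but has one ordering rule worth seeing in code: a message must be deleted from the dead letter queue only after the origin queue has accepted it, so a failed send can at worst produce a duplicate and never lose a message. The block below is an added example, not Panther's requeue tool. requeue() accepts any object exposing the boto3 SQS methods receive_message, send_message, delete_message and change_message_visibility; FakeSQS is a constructed in-memory stand-in so it runs offline, and the queue URLs are placeholders.

```python
"""Move messages from a dead letter queue back to its originating queue.

Added example, not Panther's requeue tool. requeue() accepts any object that
exposes the boto3 SQS methods receive_message, send_message, delete_message
and change_message_visibility; FakeSQS is a constructed in-memory stand-in so
the example runs offline. The key rule: a message is deleted from the DLQ only
after the origin queue has accepted it, so a failed send can produce a
duplicate but never a lost message.
"""
import uuid


class FakeSQS:
    """Minimal in-memory SQS imitating the boto3 call shapes used below (constructed)."""

    def __init__(self, queues, fail_bodies=()):
        self.queues = {url: list(bodies) for url, bodies in queues.items()}
        self.inflight = {}                   # receipt handle -> (queue url, body)
        self.fail_bodies = set(fail_bodies)  # bodies whose send should fail, for the error path

    def receive_message(self, QueueUrl, MaxNumberOfMessages=1, **_):
        batch = self.queues[QueueUrl][:MaxNumberOfMessages]
        del self.queues[QueueUrl][:MaxNumberOfMessages]
        messages = []
        for body in batch:
            handle = str(uuid.uuid4())
            self.inflight[handle] = (QueueUrl, body)   # invisible until deleted or returned
            messages.append({"MessageId": str(uuid.uuid4()), "ReceiptHandle": handle, "Body": body})
        return {"Messages": messages} if messages else {}

    def send_message(self, QueueUrl, MessageBody, **_):
        if MessageBody in self.fail_bodies:
            raise RuntimeError("simulated SendMessage failure")
        self.queues[QueueUrl].append(MessageBody)
        return {"MessageId": str(uuid.uuid4())}

    def delete_message(self, QueueUrl, ReceiptHandle):
        self.inflight.pop(ReceiptHandle)

    def change_message_visibility(self, QueueUrl, ReceiptHandle, VisibilityTimeout):
        if VisibilityTimeout == 0:           # make it receivable again right away
            url, body = self.inflight.pop(ReceiptHandle)
            self.queues[url].append(body)


def requeue(sqs, dlq_url, origin_url):
    """Drain dlq_url into origin_url. Returns (moved, failed); stops after a batch with failures."""
    moved = failed = 0
    while True:
        # Long polling (WaitTimeSeconds) so an empty response really means the DLQ is empty.
        resp = sqs.receive_message(QueueUrl=dlq_url, MaxNumberOfMessages=10,
                                   WaitTimeSeconds=10, MessageAttributeNames=["All"])
        messages = resp.get("Messages", [])
        if not messages:
            break
        batch_failed = 0
        for m in messages:
            kwargs = {"QueueUrl": origin_url, "MessageBody": m["Body"]}
            if "MessageAttributes" in m:     # preserve attributes the consumer may rely on
                kwargs["MessageAttributes"] = m["MessageAttributes"]
            try:
                sqs.send_message(**kwargs)
            except Exception as exc:         # send failed: leave the message in the DLQ
                print(f"send failed for {m['MessageId']}: {exc}")
                sqs.change_message_visibility(QueueUrl=dlq_url, ReceiptHandle=m["ReceiptHandle"],
                                              VisibilityTimeout=0)
                batch_failed += 1
                continue
            # Only now is it safe to drop the DLQ copy.
            sqs.delete_message(QueueUrl=dlq_url, ReceiptHandle=m["ReceiptHandle"])
            moved += 1
        failed += batch_failed
        if batch_failed:   # don't spin on messages the origin queue keeps rejecting
            break
    return moved, failed


if __name__ == "__main__":
    DLQ, ORIGIN = "https://sqs.example/dlq", "https://sqs.example/log-processor"  # placeholders
    fake = FakeSQS({DLQ: ["msg-a", "msg-b", "msg-c"], ORIGIN: []}, fail_bodies={"msg-b"})
    print(requeue(fake, DLQ, ORIGIN), fake.queues)
```

Against real AWS, pass boto3.client("sqs") in place of FakeSQS. Because the delete happens after the send, a crash between the two leaves a duplicate in the origin queue rather than a hole, which is why consumers fed by a requeue should be idempotent.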