Background

To analyze infrastructure, Panther utilizes Python Policies to represent the desired state of a resource.

Policies work by:

  • Defining a single policy function

  • With a single resource argument

  • Returning either True if the resource is compliant or False if the resource is not compliant
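An added example of a policy in this shape (not from Panther's docs or curated packs): it takes one resource and returns True only when no Allow statement in the resource's bucket policy is granted to an anonymous principal. The resource layout (a "Policy" key holding the policy document as a JSON string or parsed dict) and the sample resources are assumptions for this example, not Panther's real schema.

```python
import json

# Principal values treated as "anyone" for this example (assumption).
PUBLIC_PRINCIPALS = {"*"}


def _principals(principal):
    """Flatten an IAM Principal element (str, list or dict) into a set of strings."""
    if isinstance(principal, str):
        return {principal}
    if isinstance(principal, list):
        return set(principal)
    if isinstance(principal, dict):
        found = set()
        for value in principal.values():
            found |= _principals(value)
        return found
    return set()


def _is_public_allow(statement):
    # Conservative: a Condition block does not downgrade a wildcard principal here.
    return (statement.get("Effect") == "Allow"
            and bool(_principals(statement.get("Principal")) & PUBLIC_PRINCIPALS))


def policy(resource):
    """Return True if the resource is compliant, False if it is not."""
    doc = resource.get("Policy")
    if not doc:
        return True  # no bucket policy at all grants nothing to the public
    if isinstance(doc, str):
        doc = json.loads(doc)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    return not any(_is_public_allow(s) for s in statements)


# Constructed sample resources (not real data).
PUBLIC_BUCKET = {"Name": "example-public-bucket", "Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-public-bucket/*"}]})}
PRIVATE_BUCKET = {"Name": "example-private-bucket", "Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "s3:*",
                   "Resource": "arn:aws:s3:::example-private-bucket/*"}]})}
```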

Python gives you a great deal of flexibility in defining your logic. Modules from the Python standard library can be imported at the top of the policy, and the following third-party libraries are also available:

| Package | Version | Description | License |
| --- | --- | --- | --- |
| backoff | 1.8.0 | Backoff Decorators | MIT |
| boto3 | 1.7.74 | AWS SDK for Python | Apache v2 |
| jsonschema | 3.0.1 | JSON Schema for Python | MIT |
| policyuniverse | 1.2.0.1 | Parse AWS ARNs and Policies | Apache v2 |
| requests | 2.21.0 | Easy HTTP Requests | Apache v2 |

By default, policies are loaded and enabled from Panther's curated packs. You can also write your own policies based on internal use cases.

Policy Structure

Policies contain the logic to determine vulnerable resources along with metadata and remediation settings.

Metadata

| Field Name | Description |
| --- | --- |
| Description | Additional context on the policy |
| DisplayName | A human readable name for the policy |
| PolicyID | A unique identifier for a policy, generally in the form of Env.Service.Component |
| Reference | A URL explaining more details on the configuration, often site documentation |
| ResourceType | The type of resource(s) to analyze with the policy |
| Runbook | A URL to detailed instructions on how to fix the issue |
| Severity | The potential impact of a misconfiguration |
| Suppressions | Resource Id patterns to ignore in the policy |
| Tags | One or more categorizations of a policy |

Severity Levels

| Severity | Exploitability | Description | Examples |
| --- | --- | --- | --- |
| Info | None | No risk, simply informational | Name formatting, missing tags. General best practices for ops. |
| Low | Difficult | Little to no risk if exploited | Non-sensitive information leaking such as system time and OS versions. |
| Medium | Difficult | Moderate risk if exploited | Expired credentials, missing protection against accidental data loss, encryption settings, best practice settings for audit tools. |
| High | Moderate | Very damaging if exploited | Large gaps in visibility, directly vulnerable infrastructure, misconfigurations directly related to data exposure. |
| Critical | Easy | Causes extreme damage if exploited | Public data or systems, leaked access keys. |

Listing Policies

To view all Policies in the Panther UI, click the Policies button on the sidebar.

Policies can be filtered and sorted based on:

  • Name

  • Resource Type

  • Severity

  • Status

  • Tags

Viewing Failing Policies

Initially, a Policy's status will be Insufficient data until an event matching the given log type is analyzed. Once it's analyzed, Alerts will dispatch via the configured Output for the policy's severity and will show up in the Policy Dashboard.

To display an overview of all Failing Policies, click the Panther Icon in the top left to open the Dashboard. The Dashboard allows Policies to be sorted by Severity on the top right, to allow for easier drill-downs into failing Policies.