Quick Start

Get started with Panther in 15 minutes

To get started with Panther, you'll need:

  1. An AWS account (preferably dedicated to Panther) in a supported region

  2. An IAM user/role with permissions to create and manage the necessary resources

We've provided the following IAM roles for least privilege deployments:

The steps below use a preconfigured CloudFormation template to deploy Panther. To deploy from source, follow the instructions here.

Supported AWS Regions

Panther can be deployed to any of the following regions:

  • ap-northeast-1 (Tokyo)

  • ap-northeast-2 (Seoul)

  • ap-south-1 (Mumbai)

  • ap-southeast-1 (Singapore)

  • ap-southeast-2 (Sydney)

  • ca-central-1 (Canada)

  • eu-north-1 (Stockholm)

  • eu-west-1 (Ireland)

  • eu-west-2 (London)

  • eu-west-3 (Paris)

  • sa-east-1 (São Paulo)

  • us-east-1 (N. Virginia)

  • us-east-2 (Ohio)

  • us-west-1 (N. California)

  • us-west-2 (Oregon)

Deployment

First, navigate to the AWS CloudFormation console and create a new stack. Enter the template URL customized for your AWS region and Panther edition and version:

https://panther-<EDITION>-<REGION>.s3.amazonaws.com/<VERSION>/panther.yml

Where:

  • EDITION is community or enterprise

  • REGION is any of the supported regions

    • Be sure the template region matches the region in which you are deploying Panther

  • VERSION is the latest tagged release

For example, to deploy the latest community version in us-east-1, use the following template:

https://panther-community-us-east-1.s3.amazonaws.com/v1.14.2/panther.yml

[Image: CloudFormation Console]

On the next page, choose a stack name (e.g. "panther") and configure the name and email for the first Panther user:

[Image: CloudFormation Parameters]

This is the initial admin user account. You can edit the user and invite additional users after Panther is deployed. You can also set the CompanyDisplayName here if you like. All other parameters can be ignored.

On the next page, you can skip all the advanced stack settings. Acknowledge the warnings and deploy the stack.

[Image: CloudFormation Capabilities]

Alternatively, you can deploy Panther using a nested stack in your own CloudFormation pipeline, using a Terraform template, or by building and deploying from source.

Using a Nested CloudFormation Stack

AWSTemplateFormatVersion: 2010-09-09
Description: My Panther deployment
Resources:
  Panther:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://panther-community-${AWS::Region}.s3.amazonaws.com/v1.14.3/panther.yml
      Parameters:
        CompanyDisplayName: AwesomeCo
        FirstUserEmail: user@example.com
        FirstUserGivenName: Alice
        FirstUserFamilyName: Jones

When deploying this template, you will need to include all capabilities:

aws cloudformation deploy --template-file template.yml --stack-name panther --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND

Using Terraform

resource "aws_cloudformation_stack" "panther" {
  name         = "panther"
  template_url = "https://panther-community-<REGION>.s3.amazonaws.com/v1.14.3/panther.yml"
  capabilities = [
    "CAPABILITY_IAM",
    "CAPABILITY_NAMED_IAM",
    "CAPABILITY_AUTO_EXPAND"
  ]
  parameters = {
    CompanyDisplayName  = "AwesomeCo"
    FirstUserEmail      = "user@example.com"
    FirstUserGivenName  = "Alice"
    FirstUserFamilyName = "Jones"
  }
}
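
The template URL rules from the Deployment section (edition, supported region, tagged version, and a template region that matches the deployment region) can be checked in a script before any stack is created. The following is an added example, not part of Panther's documentation or tooling: the function names are hypothetical, and the vX.Y.Z version pattern is an assumption based on the tags shown on this page.

```bash
# Added example (not Panther tooling); function names are hypothetical.
# Region list copied from "Supported AWS Regions" on this page.
SUPPORTED_REGIONS="ap-northeast-1 ap-northeast-2 ap-south-1 ap-southeast-1
ap-southeast-2 ca-central-1 eu-north-1 eu-west-1 eu-west-2 eu-west-3
sa-east-1 us-east-1 us-east-2 us-west-1 us-west-2"

# panther_template_url EDITION TEMPLATE_REGION VERSION DEPLOY_REGION
# Prints the URL on stdout, or a reason on stderr and returns 1.
panther_template_url() {
  local edition="$1" region="$2" version="$3" deploy_region="$4" r found=no
  case "$edition" in
    community|enterprise) ;;
    *) echo "edition must be community or enterprise: '$edition'" >&2; return 1 ;;
  esac
  # Exact match per entry, so a value with spaces or extra text cannot pass.
  for r in $SUPPORTED_REGIONS; do
    if [ "$r" = "$region" ]; then found=yes; fi
  done
  if [ "$found" != yes ]; then
    echo "unsupported region: '$region'" >&2; return 1
  fi
  # Assumption: release tags look like v1.14.2, the form shown on this page.
  case "$version" in
    ""|*[!v0-9.]*) echo "bad version: '$version'" >&2; return 1 ;;
  esac
  if ! printf '%s\n' "$version" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo "version is not a vX.Y.Z tag: '$version'" >&2; return 1
  fi
  # The template's bucket region must be the region the stack is created in.
  if [ "$region" != "$deploy_region" ]; then
    echo "template region '$region' is not deployment region '$deploy_region'" >&2
    return 1
  fi
  printf 'https://panther-%s-%s.s3.amazonaws.com/%s/panther.yml\n' \
    "$edition" "$region" "$version"
}

# panther_create_stack URL REGION EMAIL GIVEN_NAME FAMILY_NAME
# Same capabilities and parameters as the nested-stack example on this page.
panther_create_stack() {
  aws cloudformation create-stack --stack-name panther --region "$2" \
    --template-url "$1" \
    --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
    --parameters "ParameterKey=FirstUserEmail,ParameterValue=$3" \
      "ParameterKey=FirstUserGivenName,ParameterValue=$4" \
      "ParameterKey=FirstUserFamilyName,ParameterValue=$5"
}
# Constructed sample call: prints the community us-east-1 URL for v1.14.2.
panther_template_url community us-east-1 v1.14.2 us-east-1
```

Pass the URL printed by `panther_template_url` to `panther_create_stack` only when the function returns 0; the second function calls the AWS CLI and needs credentials for the target account.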

First Login

Once the deployment has finished, you will get an invitation email from no-reply@verificationemail.com with your temporary login credentials. If you don't see it, be sure to check your spam folder.

By default, Panther generates a self-signed certificate, which will cause most browsers to present a warning page:

[Image: Self-Signed Certificate Warning]

Your connection is encrypted, and it's generally safe to continue. However, the warning exists because a self-signed certificate cannot be validated against a trusted certificate authority, so it does not protect you from man-in-the-middle attacks. For this reason, production deployments should provide their own CertificateArn parameter value.

Onboarding

Congratulations! You are now ready to use Panther. Follow the steps below to complete your setup:

  1. Invite your team in Settings > Users > Invite User

  2. Configure destinations to receive generated alerts

  3. Onboard data for real-time log analysis from S3 or SQS

  4. Write custom rules based on internal business logic

  5. Onboard AWS accounts for cloud security scans

  6. Write custom policies for supported AWS resources

  7. Enterprise Only: Query collected logs with data explorer

Removing Panther

To uninstall Panther, simply delete the main "panther" stack (substituting whatever stack name you chose during deployment). This will automatically remove everything except S3 buckets and the data they contain.

You can easily find and delete these manually, or you can run mage teardown (see development).