Quick Start

Get started with Panther in 15 minutes

Before installing Panther, make sure to have an AWS account and the proper permissions to set up the various components.

We recommend deploying Panther into its own dedicated AWS account.

Deployment IAM Role

To ensure least privilege (and extra security!) you can use the deployment IAM Roles provided below:

This role can be passed to the CloudFormation stack prior to continuing the installation process.

Launching the Stack

Navigate to AWS CloudFormation and create a new stack:

CloudFormation Create Stack

When specifying the template, use the following URL to install the latest community edition in the us-east-1 region:

https://panther-community-us-east-1.s3.amazonaws.com/v1.17.0-RC/panther.yml

The template URL is of the following form:

https://panther-<EDITION>-<REGION>.s3.amazonaws.com/<VERSION>/panther.yml

Be sure the template region matches your deployment region

CloudFormation Console

On the next page, choose a stack name (e.g. "panther") and configure the name and email for the first Panther admin user:

You can invite additional users after the deployment is complete.

CloudFormation Parameters

Acknowledge the Capabilities and deploy the stack:

CloudFormation Capabilities

You may also deploy Panther using CICD workflows such as nested CloudFormation stacks, Terraform templates, or by building and deploying from source.

Using a Nested CloudFormation Stack

To add Panther to your internal CloudFormation pipeline, use the nested stack template below:

AWSTemplateFormatVersion: 2010-09-09
Description: My Panther deployment
Resources:
Panther:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: !Sub https://panther-community-${AWS::Region}.s3.amazonaws.com/v1.17.0-RC/panther.yml
Parameters:
CompanyDisplayName: AwesomeCo
FirstUserEmail: [email protected]
FirstUserGivenName: Alice
FirstUserFamilyName: Jones

When deploying this template, you will need to include all capabilities:

aws cloudformation deploy \
--template-file template.yml \
--stack-name panther \
--capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND

Using Terraform

To add Panther to your internal Terraform pipeline, use the template below:

resource "aws_cloudformation_stack" "panther" {
name = "panther"
template_url = "https://panther-community-<REGION>.s3.amazonaws.com/v1.17.0-RC/panther.yml"
capabilities = [
"CAPABILITY_IAM",
"CAPABILITY_NAMED_IAM",
"CAPABILITY_AUTO_EXPAND"
]
parameters = {
CompanyDisplayName = "AwesomeCo"
FirstUserEmail = "[email protected]"
FirstUserGivenName = "Alice"
FirstUserFamilyName = "Jones"
}
}

First Login

Once the deployment has finished, you will get an invitation email from [email protected] with your temporary login credentials. If you don't see it, be sure to check your spam folder.

You can use these temporary credentials to login and setup MFA:

Login Screen

Certificate Warning

By default, Panther generates a self-signed certificate for the web UI, which will cause most browsers to present a warning page:

Self-Signed Certificate Warning

Your connection is encrypted, and it's generally safe to continue. However, the warning exists because self-signed certificates do not protect you from man-in-the-middle attacks; for this reason production deployments should provide their own CertificateArn parameter value.

Data Onboarding

Congratulations! You are now ready to use Panther. Follow the steps below to start analyzing data:

  1. Invite your team in Settings > Users > Invite User

  2. Configure destinations to receive generated alerts

  3. Onboard data for real-time log analysis from S3 or SQS

  4. Write custom rules based on internal business logic

  5. Onboard AWS accounts for cloud security scans

  6. Write custom policies for supported AWS resources

  7. Enterprise Only: Query collected logs with data explorer

Supported AWS Regions

Panther can be deployed to any of the following regions:

  • ap-northeast-1 (Tokyo)

  • ap-northeast-2 (Seoul)

  • ap-south-1 (Mumbai)

  • ap-southeast-1 (Singapore)

  • ap-southeast-2 (Sydney)

  • ca-central-1 (Canada)

  • eu-central-1 (Frankfurt)

  • eu-north-1 (Stockholm)

  • eu-west-1 (Ireland)

  • eu-west-2 (London)

  • eu-west-3 (Paris)

  • sa-east-1 (São Paulo)

  • us-east-1 (N. Virginia)

  • us-east-2 (Ohio)

  • us-west-1 (N. California)

  • us-west-2 (Oregon)

Panther also has limited support for AWS China:

  • cn-north-1 (Beijing)

  • cn-northwest-1 (Ningxia)

At this time, only the backend processing can be deployed to China (no web app). See our China docs for more details.

Upgrading Panther

To upgrade Panther, simply update the CloudFormation stack with the latest template version. Check out the specific release notes for detailed upgrade or migration instructions.

Removing Panther

To uninstall Panther, simply delete the main "panther" stack (substituting whatever stack name you chose during deployment). This will automatically remove everything except S3 buckets and the data they contain.

You can easily find and delete these manually, or you can run mage teardown (see development).