By default, rules and policies are pre-installed from Panther's open source packs to help teams establish baseline detections.
The packs are grouped into:
AWS Best Practices
AWS Services (VPC, S3, CloudTrail, and more)
There are many standards on what different severity levels should mean.
At Panther we base our severities on this table:

| Severity | Risk if exploited | Examples |
|---|---|---|
| INFO | No risk, simply informational | Name formatting, missing tags. General best practices for ops. |
| LOW | Little to no risk if exploited | Non-sensitive information leaking, such as system time and OS versions. |
| MEDIUM | Moderate risk if exploited | Expired credentials, missing protection against accidental data loss, encryption settings, best-practice settings for audit tools. |
| HIGH | Very damaging if exploited | Large gaps in visibility, directly vulnerable infrastructure, misconfigurations directly related to data exposure. |
| CRITICAL | Causes extreme damage if exploited | Public data or systems, leaked access keys. |
Feel free to use this as a reference point, or create your own standards.
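The following is an added example, not code from Panther's packs, showing how the severity table above can be applied inside a single cloud-security policy. It assumes Panther's Python policy interface (a module that defines `policy(resource)` returning `True` when the resource is compliant, with optional `severity(resource)` and `title(resource)` helpers) and uses a deliberately simplified, constructed sketch of an S3 bucket resource (`PublicAccessAllowed`, `EncryptionRules`, `Tags` are placeholder fields for this example, not the exact resource schema). Each check is mapped to the row of the table it falls under, and the policy reports the highest severity among everything it finds.

```python
"""Added example: applying the severity table to one S3 bucket policy.

Assumptions (not from the page): Panther-style policy module with
policy(resource) -> bool, severity(resource) -> str, title(resource) -> str.
The resource field names below are a simplified, constructed sketch.
"""

# Ordered low to high so the worst finding can be picked by index.
SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Tags this (hypothetical) organisation requires on every bucket.
REQUIRED_TAGS = {"Owner", "Environment"}


def findings(resource):
    """Return a list of (severity, reason) tuples for a bucket resource.

    Each check is tied to the row of the severity table it belongs to.
    """
    found = []

    # CRITICAL row: "public data or systems".
    if resource.get("PublicAccessAllowed"):
        found.append(("CRITICAL", "bucket allows public access"))

    # MEDIUM row: "encryption settings".
    if not resource.get("EncryptionRules"):
        found.append(("MEDIUM", "no default server-side encryption configured"))

    # INFO row: "missing tags, general best practices for ops".
    tags = resource.get("Tags") or {}
    missing = sorted(REQUIRED_TAGS - set(tags))
    if missing:
        found.append(("INFO", f"missing required tags: {', '.join(missing)}"))

    return found


def policy(resource):
    """Panther-style policy entry point: True means compliant."""
    return not findings(resource)


def severity(resource):
    """Dynamic severity: the highest severity among the findings.

    A compliant resource never produces an alert, so INFO is returned
    only as a harmless default in that case.
    """
    ranks = [SEVERITY_ORDER.index(sev) for sev, _ in findings(resource)]
    return SEVERITY_ORDER[max(ranks)] if ranks else "INFO"


def title(resource):
    """Alert title summarising every reason the bucket failed."""
    reasons = "; ".join(reason for _, reason in findings(resource))
    return f"S3 bucket {resource.get('Name', '<unknown>')} failed: {reasons}"


# Constructed sample resources (not real buckets).
PUBLIC_UNTAGGED_BUCKET = {
    "Name": "example-public-bucket",
    "PublicAccessAllowed": True,
    "EncryptionRules": [],
    "Tags": {},
}

UNENCRYPTED_BUCKET = {
    "Name": "example-internal-bucket",
    "PublicAccessAllowed": False,
    "EncryptionRules": [],
    "Tags": {"Owner": "platform", "Environment": "prod"},
}

COMPLIANT_BUCKET = {
    "Name": "example-good-bucket",
    "PublicAccessAllowed": False,
    "EncryptionRules": [{"SSEAlgorithm": "aws:kms"}],
    "Tags": {"Owner": "platform", "Environment": "prod"},
}

if __name__ == "__main__":
    for bucket in (PUBLIC_UNTAGGED_BUCKET, UNENCRYPTED_BUCKET, COMPLIANT_BUCKET):
        status = "PASS" if policy(bucket) else f"FAIL ({severity(bucket)})"
        print(f"{bucket['Name']}: {status}")
```

Because `severity()` picks the worst row that applies, a bucket that is both public and untagged alerts as CRITICAL rather than as three separate low-value alerts, while a bucket that only lacks default encryption lands in the MEDIUM row exactly as the table prescribes.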