By default, detections are pre-installed from the open source panther-analysis repository to establish a strong baseline.
Detections are grouped by log or resource type and will automatically take effect once data is onboarded.
AWS S3 Server
AWS VPC Flow
AWS CloudFormation Stacks
AWS Load Balancer
There are many standards on what different severity levels should mean, and at Panther, we base our severities on this table:
No risk, simply informational
Name formatting, missing tags. General best practices for ops.
Little to no risk if exploited
Non sensitive information leaking such as system time and OS versions.
Moderate risk if exploited
Expired credentials, missing protection against accidental data loss, encryption settings, best practice settings for audit tools.
Very damaging if exploited
Large gaps in visibility, directly vulnerable infrastructure, misconfigurations directly related to data exposure.
Causes extreme damage if exploited
Public data or systems, leaked access keys.
Use this as a reference point to create your own standards.
Follow the links below to learn more about the anatomy of built-in detections: