Built-in Packs
By default, detections are pre-installed from the open source panther-analysis repository to establish a strong baseline.
Packs are grouped by log or resource type and will automatically take effect once data is onboarded.
Rule Packs:
AWS CloudTrail
AWS GuardDuty
AWS S3 Server
AWS VPC Flow
Cisco Umbrella
GCP Audit
Gravitational Teleport
G Suite
Okta
OneLogin
Osquery
Policy Packs:
AWS Accounts
AWS ACM
AWS CloudFormation Stacks
AWS CloudTrail
AWS CloudWatch
AWS Config
AWS DynamoDB
AWS EC2
AWS ELB
AWS GuardDuty
AWS IAM
AWS KMS
AWS Load Balancer
AWS RDS
AWS Redshift
AWS S3
AWS VPC
Some detections require specific settings to best work in your environment and are disabled by default.
Search for the "Configuration Required" tag to set the proper context before enabling the detection.
There are many standards on what different severity levels should mean, and at Panther, we base our severities on this table:
Severity | Exploitability | Description | Examples |
|
| No risk, simply informational | Name formatting, missing tags. General best practices for ops. |
|
| Little to no risk if exploited | Non sensitive information leaking such as system time and OS versions. |
|
| Moderate risk if exploited | Expired credentials, missing protection against accidental data loss, encryption settings, best practice settings for audit tools. |
|
| Very damaging if exploited | Large gaps in visibility, directly vulnerable infrastructure, misconfigurations directly related to data exposure. |
|
| Causes extreme damage if exploited | Public data or systems, leaked access keys. |
Use this as a reference point to create your own standards.
Follow the links below to learn more about the anatomy of built-in detections:
