panther

module
v1.3.0-testing Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 20, 2020 License: AGPL-3.0

README ΒΆ

Panther Logo

A Cloud-Native SIEM for the Modern Security Team

Quick Start | Documentation | Blog | Careers | Chat with us on Slack!

All Contributors Slack CircleCI Built with Mage

Panther is a platform for detecting threats with log data, improving cloud security posture, and conducting investigations.

Use Cases

Security teams can use Panther for:

Use Case Description
Continuous Monitoring Analyze logs in real-time and identify suspicious activity that could indicate a breach
Alert Triage Pivot across all of your security data to understand the full context of an alert
Searching IOCs Quickly search for matches against IOCs using standardized data fields
Securing Cloud Resources Identify misconfigurations, achieve compliance, and model security best practices in code

Deployment

Follow our Quick Start Guide to deploy Panther in your AWS account in a matter of minutes!

Use our Tutorials to learn about security logging and data ingestion.

Panther uses Python for analysis, and each deployment is pre-installed with 150+ open source detections.

Log Analysis

Panther uses Python3 rules to analyze logs from popular security tools such as osquery and OSSEC.

The example below identifies malware on macOS with the osx-attacks query pack:

from fnmatch import fnmatch

APPROVED_PATHS = {'/System/*', '/usr/*', '/bin/*', '/sbin/*', '/var/*'}


def rule(event):
    if 'osx-attacks' not in event.get('name'):
      return False

    if event.get('action') != 'added':
        return False

    process_path = event.get('columns', {}).get('path')
    # Send an alert if the process is running outside of any approved paths
    return not any([fnmatch(process_path, p) for p in APPROVED_PATHS])


def title(event):
    # Show the query name that caused the alert
    return 'Malware [{}] detected via osquery'.format(event.get('name'))


def dedup(event):
    # Group similar infections in the fleet
    return event.get('name')

If this rule returns True, an alert will dispatch to your team based on the defined severity.

Cloud Security

Panther also supports analyzing cloud resources with policies. This can be used to detect vulnerable infrastructure along with modeling security best practices:

REGIONS_REQUIRED = {'us-east-1'}


def policy(resource):
    regions_enabled = [detector.split(':')[1] for detector in resource['Detectors']]
    for region in REGIONS_REQUIRED:
        if region not in regions_enabled:
            return False

    return True

Returning True means that a resource is compliant, and returning False will Fail the policy and trigger an alert.

Screenshots

Rule Search

Rule Search: Show running detections

Rule Editor

Rule Editor: Write and test Python detections in the UI

Alert Viewer

Alert Viewer: Triage generated alerts

Resource Viewer

Resource Viewer: View attributes and policy statuses

About Us

Team

We are a San Francisco based startup comprising security practitioners who have spent years building large-scale detection and response capabilities for companies such as Amazon and Airbnb. Panther was founded by the core architect of StreamAlert, a cloud-native solution for automated log analysis open-sourced by Airbnb.

Want to help make Panther even better? We are hiring!

Why Panther?

It's no longer feasible to find the needle in the security-log-haystack manually. Many teams struggle to use traditional SIEMs due to their high costs, overhead, and inability to scale. Panther was built from the ground up to leverage the elasticity of cloud services and provide a highly scalable, performant, and flexible security solution at a much lower cost.

Contributing

We welcome all contributions! Please read the contributing guidelines before submitting pull requests.

License

Panther source code is licensed under AGPLv3.

FOSSA Status

FOSSA Status

Contributors ✨

Thanks goes to these wonderful people (emoji key):


Aggelos Arvanitakis

πŸ’» πŸ“– 🎨 πŸ› πŸš‡

Austin Byers

πŸ’» πŸ“– πŸ›‘οΈ πŸ› πŸš‡

Nick

πŸ’» πŸ“– πŸ›‘οΈ πŸ› πŸš‡

Kostas Papageorgiou

πŸ’» πŸ›‘οΈ πŸ› πŸš‡

Quan Pham

πŸ’»

Alex Mylonas

πŸ’» πŸ›

Russell Leighton

πŸ’» πŸ›‘οΈ πŸ› πŸš‡

Sugandha

πŸ“–

Kartikey Pandey

πŸ“–

Jeremy Stott

πŸ’» πŸ›‘οΈ πŸš‡ πŸ€”

Jack Naglieri

πŸ’» πŸ“– πŸ›‘οΈ πŸ–‹ πŸ€” πŸ“†

Gavin

πŸ’» πŸ›‘οΈ πŸš‡ πŸ€”

Ryxias

πŸ“–

Sargon Sada

πŸ“– πŸ’»

Sergey Aksenov

πŸ“–

Patrick Hagan

πŸš‡

Alexandros Sigalas

πŸ’» πŸ›‘οΈ

This project follows the all-contributors specification. Contributions of any kind welcome!

Directories ΒΆ

Path Synopsis
api
cmd
internal
core/organization_api/api
Package api defines CRUD actions for the Panther organization database.
Package api defines CRUD actions for the Panther organization database.
core/organization_api/table
Package table manages all of the Dynamo calls (query, scan, get, write, etc).
Package table manages all of the Dynamo calls (query, scan, get, write, etc).
core/outputs_api/api
Package api defines CRUD actions for Panther alert outputs.
Package api defines CRUD actions for Panther alert outputs.
core/outputs_api/table
Package table manages all of the Dynamo calls (query, scan, get, write, etc).
Package table manages all of the Dynamo calls (query, scan, get, write, etc).
core/users_api/api
Package api defines CRUD actions for the Cognito Api.
Package api defines CRUD actions for the Cognito Api.
log_analysis/alerts_api/api
Package api defines CRUD actions for the Panther alerts database.
Package api defines CRUD actions for the Panther alerts database.
log_analysis/alerts_api/table
Package table manages all of the Dynamo calls (query, scan, get, write, etc).
Package table manages all of the Dynamo calls (query, scan, get, write, etc).
log_analysis/log_processor/parsers/apachelogs
Package apachelogs contains parsers for logs of the Apache HTTP Server
Package apachelogs contains parsers for logs of the Apache HTTP Server
pkg
encryption
Package encryption handles all KMS operations.
Package encryption handles all KMS operations.
genericapi
Package genericapi provides a generic Router for API style Lambda functions.
Package genericapi provides a generic Router for API style Lambda functions.
lambdalogger
Package lambdalogger updates the global zap logger for use in a Lambda function.
Package lambdalogger updates the global zap logger for use in a Lambda function.
oplog
Package oplog implements standard (but extensible) logging for operations (events with status, start/end times).
Package oplog implements standard (but extensible) logging for operations (events with status, start/end times).
tools
cfngen
Package cfngen generates CloudFormation from Go objects.
Package cfngen generates CloudFormation from Go objects.
cfngen/gluecf
Package gluecf generates CloudFormation from Go objects to create AWS GlueTableMetadata objects.
Package gluecf generates CloudFormation from Go objects to create AWS GlueTableMetadata objects.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL