panther

README

A Cloud-Native SIEM for the Modern Security Team

Quick Start | Documentation | Blog | Careers | Chat with us on Slack!

Panther is a platform for detecting threats with log data, improving cloud security posture, and conducting investigations.

Use Cases

Security teams can use Panther for:

Use Case	Description
Continuous Monitoring	Analyze logs in real-time and identify suspicious activity that could indicate a breach
Alert Triage	Pivot across all of your security data to understand the full context of an alert
Searching IOCs	Quickly search for matches against IOCs using standardized data fields
Securing Cloud Resources	Identify misconfigurations, achieve compliance, and model security best practices in code

Deployment

Follow our Quick Start Guide to deploy Panther in your AWS account in a matter of minutes!

Use our Tutorials to learn about security logging and data ingestion.

Panther uses Python for analysis, and each deployment is pre-installed with 150+ open source detections.

Log Analysis

Panther uses Python3 rules to analyze logs from popular security tools such as osquery and OSSEC.

The example below identifies malware on macOS with the osx-attacks query pack:

from fnmatch import fnmatch

APPROVED_PATHS = {'/System/*', '/usr/*', '/bin/*', '/sbin/*', '/var/*'}


def rule(event):
    if 'osx-attacks' not in event.get('name'):
      return False

    if event.get('action') != 'added':
        return False

    process_path = event.get('columns', {}).get('path')
    # Send an alert if the process is running outside of any approved paths
    return not any([fnmatch(process_path, p) for p in APPROVED_PATHS])


def title(event):
    # Show the query name that caused the alert
    return 'Malware [{}] detected via osquery'.format(event.get('name'))


def dedup(event):
    # Group similar infections in the fleet
    return event.get('name')

If this rule returns True, an alert will dispatch to your team based on the defined severity.

Cloud Security

Panther also supports analyzing cloud resources with policies. This can be used to detect vulnerable infrastructure along with modeling security best practices:

REGIONS_REQUIRED = {'us-east-1'}


def policy(resource):
    regions_enabled = [detector.split(':')[1] for detector in resource['Detectors']]
    for region in REGIONS_REQUIRED:
        if region not in regions_enabled:
            return False

    return True

Returning True means that a resource is compliant, and returning False will Fail the policy and trigger an alert.

Screenshots

Rule Search: Show running detections

Rule Editor: Write and test Python detections in the UI

Alert Viewer: Triage generated alerts

Resource Viewer: View attributes and policy statuses

About Us

Team

We are a San Francisco based startup comprising security practitioners who have spent years building large-scale detection and response capabilities for companies such as Amazon and Airbnb. Panther was founded by the core architect of StreamAlert, a cloud-native solution for automated log analysis open-sourced by Airbnb.

Want to help make Panther even better? We are hiring!

Why Panther?

It's no longer feasible to find the needle in the security-log-haystack manually. Many teams struggle to use traditional SIEMs due to their high costs, overhead, and inability to scale. Panther was built from the ground up to leverage the elasticity of cloud services and provide a highly scalable, performant, and flexible security solution at a much lower cost.

Contributing

We welcome all contributions! Please read the contributing guidelines before submitting pull requests.

License

Panther source code is licensed under AGPLv3.

FOSSA Status

Contributors ✨

Thanks goes to these wonderful people (emoji key):

Aggelos Arvanitakis 💻 📖 🎨 🐛 🚇	Austin Byers 💻 📖 🛡️ 🐛 🚇	Nick 💻 📖 🛡️ 🐛 🚇	Kostas Papageorgiou 💻 🛡️ 🐛 🚇	Quan Pham 💻	Alex Mylonas 💻 🐛	Russell Leighton 💻 🛡️ 🐛 🚇
Sugandha 📖	Kartikey Pandey 📖	Jeremy Stott 💻 🛡️ 🚇 🤔	Jack Naglieri 💻 📖 🛡️ 🖋 🤔 📆	Gavin 💻 🛡️ 🚇 🤔	Ryxias 📖	Sargon Sada 📖 💻
Sergey Aksenov 📖	Patrick Hagan 🚇	Alexandros Sigalas 💻 🛡️

This project follows the all-contributors specification. Contributions of any kind welcome!