Skip to content

Detect threats with log data and improve cloud security posture

License

Notifications You must be signed in to change notification settings

Learn-by-doing/panther

Β 
Β 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Panther Logo

A Cloud-Native SIEM for the Modern Security Team

Quick Start | Documentation | Blog | Careers | Chat with us on Slack!

All Contributors Slack CircleCI Built with Mage

Panther is a platform for detecting threats with log data, improving cloud security posture, and conducting investigations.

Use Cases

Security teams can use Panther for:

Use Case Description
Continuous Monitoring Analyze logs in real-time and identify suspicious activity that could indicate a breach
Alert Triage Pivot across all of your security data to understand the full context of an alert
Searching IOCs Quickly search for matches against IOCs using standardized data fields
Securing Cloud Resources Identify misconfigurations, achieve compliance, and model security best practices in code

Deployment

Follow our Quick Start Guide to deploy Panther in your AWS account in a matter of minutes!

Use our Tutorials to learn about security logging and data ingestion.

Panther uses Python for analysis, and each deployment is pre-installed with 150+ open source detections.

Log Analysis

Panther uses Python3 rules to analyze logs from popular security tools such as osquery and OSSEC.

The example below identifies malware on macOS with the osx-attacks query pack:

from fnmatch import fnmatch

APPROVED_PATHS = {'/System/*', '/usr/*', '/bin/*', '/sbin/*', '/var/*'}


def rule(event):
    if 'osx-attacks' not in event.get('name'):
      return False

    if event.get('action') != 'added':
        return False

    process_path = event.get('columns', {}).get('path')
    # Send an alert if the process is running outside of any approved paths
    return not any([fnmatch(process_path, p) for p in APPROVED_PATHS])


def title(event):
    # Show the query name that caused the alert
    return 'Malware [{}] detected via osquery'.format(event.get('name'))


def dedup(event):
    # Group similar infections in the fleet
    return event.get('name')

If this rule returns True, an alert will dispatch to your team based on the defined severity.

Cloud Security

Panther also supports analyzing cloud resources with policies. This can be used to detect vulnerable infrastructure along with modeling security best practices:

REGIONS_REQUIRED = {'us-east-1'}


def policy(resource):
    regions_enabled = [detector.split(':')[1] for detector in resource['Detectors']]
    for region in REGIONS_REQUIRED:
        if region not in regions_enabled:
            return False

    return True

Returning True means that a resource is compliant, and returning False will Fail the policy and trigger an alert.

Screenshots

Rule Search

Rule Search: Show running detections

Rule Editor

Rule Editor: Write and test Python detections in the UI

Alert Viewer

Alert Viewer: Triage generated alerts

Resource Viewer

Resource Viewer: View attributes and policy statuses

About Us

Team

We are a San Francisco based startup comprising security practitioners who have spent years building large-scale detection and response capabilities for companies such as Amazon and Airbnb. Panther was founded by the core architect of StreamAlert, a cloud-native solution for automated log analysis open-sourced by Airbnb.

Want to help make Panther even better? We are hiring!

Why Panther?

It's no longer feasible to find the needle in the security-log-haystack manually. Many teams struggle to use traditional SIEMs due to their high costs, overhead, and inability to scale. Panther was built from the ground up to leverage the elasticity of cloud services and provide a highly scalable, performant, and flexible security solution at a much lower cost.

Contributing

We welcome all contributions! Please read the contributing guidelines before submitting pull requests.

License

Panther source code is licensed under AGPLv3.

FOSSA Status

FOSSA Status

Contributors ✨

Thanks goes to these wonderful people (emoji key):


Aggelos Arvanitakis

πŸ’» πŸ“– 🎨 πŸ› πŸš‡

Austin Byers

πŸ’» πŸ“– πŸ›‘οΈ πŸ› πŸš‡

Nick

πŸ’» πŸ“– πŸ›‘οΈ πŸ› πŸš‡

Kostas Papageorgiou

πŸ’» πŸ›‘οΈ πŸ› πŸš‡

Quan Pham

πŸ’»

Alex Mylonas

πŸ’» πŸ›

Russell Leighton

πŸ’» πŸ›‘οΈ πŸ› πŸš‡

Sugandha

πŸ“–

Kartikey Pandey

πŸ“–

Jeremy Stott

πŸ’» πŸ›‘οΈ πŸš‡ πŸ€”

Jack Naglieri

πŸ’» πŸ“– πŸ›‘οΈ πŸ–‹ πŸ€” πŸ“†

Gavin

πŸ’» πŸ›‘οΈ πŸš‡ πŸ€”

Ryxias

πŸ“–

Sargon Sada

πŸ“– πŸ’»

Sergey Aksenov

πŸ“–

Patrick Hagan

πŸš‡

Alexandros Sigalas

πŸ’» πŸ›‘οΈ

This project follows the all-contributors specification. Contributions of any kind welcome!

About

Detect threats with log data and improve cloud security posture

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Go 70.9%
  • TypeScript 23.0%
  • Python 4.3%
  • HCL 0.9%
  • JavaScript 0.6%
  • Dockerfile 0.2%
  • Other 0.1%