PantherAIR - Automated Incident Response for Panther SIEM

By Asante Babers / Jan 30, 2025 / SIEM Enhancements / 3 min read

Executive Summary

PantherAIR is an Automated Incident Response capability for Panther SIEM that uses AWS-native services (Lambda, Step Functions, SQS, API Gateway, and S3) to orchestrate security workflows immediately upon threat detection. By automating common or time-critical tasks—such as verifying suspicious activity over Slack or suspending a compromised Okta account—PantherAIR significantly reduces response times, relieves manual burden, and enhances security posture.

Why Panther Wants to Implement This

  • SOAR & Automation on Platform: Enables Detection & Response Engineers to write and execute playbooks (SOAR-like) directly within Panther.

  • Completes the Panther Product Suite: Expands Panther from a detection-driven SIEM to a fully integrated detection-and-response solution.

  • Streamlined User Experience: Leverages the same Panther interface and AWS services, avoiding separate tools or complex integrations.

  • Accelerated Time-to-Remediate: Automated workflows instantly contain threats, cutting attacker dwell time.

High-Level Technical Flow (Referencing Diagram)

  1. Panther Alerts → SQS: Panther sends alerts (defined by detection-as-code) into an Amazon SQS queue.

  2. Lambda Orchestrator (Entry Point): A Lambda function consumes messages from SQS, determining which Step Functions workflow to invoke based on the alert type.

  3. Step Functions + API Gateway:

    • Step Functions runs a state machine that can pause for user input, branch based on conditions, or call external APIs.

    • Amazon API Gateway handles inbound callbacks (e.g., Slack approvals or other user responses) so Step Functions can resume after waiting.

  4. UI & S3 Integration:

    • PantherAIR’s UI stores workflow metadata (like Step Function ARNs, conditional logic) in Amazon S3.

    • This metadata defines how the orchestrator runs each playbook, letting you modify workflows without redeploying code.

  5. Secrets Management: A dedicated component (e.g., AWS Secrets Manager) securely manages third-party credentials (Slack, Okta, etc.).

  6. Outcome:

    • Alert Resolution: If confirmed benign, the workflow can dismiss the alert.

    • IR Engineer Notification: If malicious, it can escalate, suspend accounts, or take other remediation steps—all recorded in Panther.
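The orchestrator's routing decision (step 2) driven by the S3-stored playbook metadata (step 4), as an added Python example that is not PantherAIR's own code. It assumes a simple metadata layout, Panther-style alert fields (`ruleId`, `severity`, `id`), and an injected `start_execution` callable standing in for boto3's Step Functions client so the logic runs offline.

```python
import json

# Constructed playbook metadata in the shape PantherAIR's UI might store in S3.
# The real schema is not given in the post; this layout is an assumption.
PLAYBOOK_METADATA = {
    "Okta.Suspicious.Login": {
        "state_machine_arn": "arn:aws:states:us-east-1:111111111111:stateMachine:okta-verify-suspend",
        "min_severity": "HIGH",
    },
    "AWS.Console.RootLogin": {
        "state_machine_arn": "arn:aws:states:us-east-1:111111111111:stateMachine:slack-verify",
        "min_severity": "MEDIUM",
    },
}
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def select_playbook(alert, metadata=PLAYBOOK_METADATA):
    """Pick the state machine ARN for one alert; (None, reason) when no playbook applies."""
    entry = metadata.get(alert.get("ruleId"))
    if entry is None:
        return None, "no playbook for rule"
    have = SEVERITY_RANK.get(alert.get("severity", "INFO"), 0)
    if have < SEVERITY_RANK[entry["min_severity"]]:
        return None, "below playbook severity threshold"
    return entry["state_machine_arn"], "matched"


def handler(event, start_execution, metadata=PLAYBOOK_METADATA):
    """Lambda entry point for an SQS batch of Panther alerts.

    start_execution(arn, input_json) is injected so the logic runs offline; in AWS it
    would wrap boto3 stepfunctions.start_execution. Messages whose execution fails are
    reported as batchItemFailures so SQS retries only those, not the whole batch.
    """
    started, failures = [], []
    for record in event["Records"]:
        alert = json.loads(record["body"])  # field names assumed, not Panther's exact schema
        arn, reason = select_playbook(alert, metadata)
        if arn is None:
            continue  # nothing to orchestrate; the alert stays in Panther as-is
        payload = {"alertId": alert.get("id"), "ruleId": alert["ruleId"],
                   "severity": alert["severity"], "alert": alert}
        try:
            started.append(start_execution(arn, json.dumps(payload)))
        except Exception:  # transient Step Functions or API error
            failures.append({"itemIdentifier": record["messageId"]})
    return {"started": started, "batchItemFailures": failures}
```

Returning `batchItemFailures` only has effect when the SQS event source mapping is configured to report partial batch failures; without it, a single failed alert would otherwise retry or drop the entire batch.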

Key Benefits to the Organization

  • Immediate Response: Automated containment or user verification within seconds, rather than hours.

  • Operational Efficiency: Offloads repetitive tasks, allowing analysts to focus on complex investigations.

  • Consistent, Auditable Workflows: Standardized, documented incident playbooks with full logging.

  • Enhanced Security Posture: Minimizes the time between detection and remediation—crucial for modern threats.

By integrating Panther detection with serverless orchestration, PantherAIR bridges the gap between finding threats and fixing them, consolidating detection, investigation, and response into a single, high-performance platform.

©2023 Asante Babers