For the complete documentation index, see llms.txt. This page is also available as Markdown.

System Configuration

Overview

Use Panther's system configuration settings to configure your Panther Console and overall Panther deployment to best meet your organization's needs.

To access your settings, click Settings at the bottom of the left-hand navigation bar. Settings open in a dedicated area with a left-hand navigation menu. To quickly find a setting, use the Search Settings field at the top of the menu.

The navigation menu groups settings into the following sections:

Only users with the Read Settings & SAML Preferences permission can view these configurations, and only those with Edit Settings & SAML Preferences can make changes.

General Settings

Main Info & Preferences

The Main Info & Preferences page contains your account information, organization details, and platform preferences. It includes the following:

  • Account Information: View your Email and set your First Name and Last Name.

  • Company Information:

    • Company Name

    • Email

  • Preferences:

    • Send Product Analytics: Send anonymized product analytics to help us improve Panther. To learn more, see Security and Privacy.

    • Enable Panther Audit Logs: Enable audit logs. If enabled, a new Panther-managed log source appears on the Log Sources page. This can only be enabled by users with the Edit Settings & SAML Preferences permission.

      • Panther audit logs provide a read-only history of activity in your Panther deployment. You can write detections on your audit logs, or query for them in your data lake, the same way you would with any other security events ingested by Panther. For more information, see Panther Audit Logs.

  • Display UTC Time Zone: Display time zones in UTC. When switched off, time and date are shown in local time.

  • Receive Alert Assignment Emails: Receive an email whenever an alert is assigned to you. This setting does not control your in-Console notification preferences.

Infrastructure

The Infrastructure section displays your Panther instance's AWS Account ID, AWS Region, Version, and Gateway Public IP. Click the copy icon next to a value to copy it.

The Infrastructure section shows values for AWS Account ID, Version, AWS Region, and Gateway Public IP.

Theme

On the Theme page, choose how the Panther Console looks for you: System, Light, or Dark.

AI Preferences

On the AI Preferences page, you can customize how Panther AI communicates with you by setting a personal AI prompt. This allows you to specify your preferred communication style, role, expertise level, or other preferences that will be applied to all AI interactions.

Changes to AI preferences may take up to 10 minutes to take effect. For more information about AI preferences, see Personal AI preferences.

Access & Authentication

Password Management

On the Password Management page, you can manage your password. If you signed in using SSO, the fields on this page are disabled.

Panther requires a strong password:

  • Password must contain at least 1 number

  • Password must contain at least 1 symbol

  • Password must contain at least 1 lowercase character

  • Password must contain at least 1 uppercase character

  • Password must contain at least 12 characters

Identity & Access

You can integrate with SAML Identity Providers (IdPs) to enable user login to the Panther Console via SSO. After setting up a SSO integration, you can optionally enforce its use for logging in. Panther integrates with the following providers:

Panther also supports integrating with any SAML IdP via the Generic SSO integration.

For more information, see SAML/SSO Integration.

User Management

Under Access & Authentication > User Management, users with the View Users permission can view a list of all users in your Panther account. A user with the Manage Users permission can delete and invite users.

Viewing the Users list

The User Management page displays a searchable, sortable list of Panther users—including each user's name, email, role, status, and the dates/times at which they were invited to Panther and last logged in. You can filter users by role and status, and sort by any column.

The Status column can have the following values:

  • Confirmed: user has been set up with password authentication and has changed their initial temporary password.

  • Force Change Password: user must change password upon next sign-in.

    • This usually appears for newly created users; it appears between user creation and first sign-in.

  • External Provider: user is managed via SSO through an external SAML provider.

Inviting a user to Panther

To invite a new user to Panther:

  1. At the bottom of the left-hand navigation bar in your Panther Console, click Settings, then navigate to Access & Authentication > User Management.

  2. Click Invite User.

  3. Fill in the form, providing the user's email address, first name, last name, and role.

  4. Click Invite.

    • If the invitation is sent successfully, you will see a pop-up:

    • The invited user must follow the flow outlined in Initial login, below.

Initial login

When you invite a new user to your Panther instance, they receive an email with temporary credentials that they can use to sign in to the platform.

After a user's initial login, they are required to update their password and set up MFA. Passwords must meet Panther's strong password requirements.

Roles & Permissions

Under Access & Authentication > Roles & Permissions, you can configure Role-Based Access Control (RBAC). This gives Panther deployments granular access control for its user accounts. All roles, including the three default Panther roles, are customizable by any user with UserModify permissions.

For more information, see Role-Based Access Control.

Data Lake

Data Lake Configuration

The Data Lake Configuration page includes information about your data lake.

It also includes the ability to make LIMIT clauses required for scheduled queries. See the scheduled query documentation for more information.

Scheduled Searches

The Scheduled Searches page lists the scheduled searches configured in your Panther instance.

Developer Tools

API Tokens

Under Developer Tools > API Tokens, view a list of API tokens that have been created for your account. You can also create a new API Token.

API Playground

Under Developer Tools > API Playground, access Panther's API Playground to try out API operations.

Git Sync

Panther supports syncing detection changes from the Panther Console to your GitHub repository via the Panther GitHub App. To set this up, configure your repository in the Git Sync tile on this page, then install the Panther GitHub App on that repository. See Setting Up the Panther GitHub App for full instructions.

Once configured, eligible Console edits produce pull requests in your GitHub repository instead of saving directly to Panther. Learn more in Creating a GitHub pull request from the Panther Console.

Panther Analysis Tool

Click the toggle next to We use the Panther Analysis Tool to manage our detections if you want to prevent users from enabling Panther Packs in the Panther Console. This helps prevent update conflicts between the Console and CI/CD workflows.

This workflow is also known as the CLI workflow.

AI & Automation

To access your Panther AI settings, click Settings at the bottom of the left-hand navigation bar, then select a page under AI & Automation.

Usage

The Usage page provides a dashboard to view your Panther AI usage for the current term and analyze usage trends. For more information, see AI Usage Dashboard.

Configuration

The following settings are available:

  • Enable Panther AI: Must be set to ON to use Panther AI. It can only be enabled by users with the Edit Settings & SAML Preferences permission. Additional steps may be required to use Panther AI—see Enabling Panther AI.

  • Organization Profile: Add an optional static prompt to all AI analyses. You can provide organization-specific context and direction in the text box to enhance AI-powered threat analysis.

  • Auto-resolve Based on Risk Score: When set to ON, Panther AI automatically resolves alerts that receive a risk classification score at or below a configured threshold. This allows low-risk alerts to be closed without manual intervention. Learn more in Auto-resolve alerts based on risk score.

    • Risk score Threshold: Set the maximum risk score at which alerts are auto-resolved. The threshold is a value on a scale from -1 (most benign) to +1 (most risky). Only alerts with a risk score at or below this threshold are auto-resolved.

    • Alert Severities (Optional): If one or more alert severities are selected, only alerts with those severities are eligible for auto-resolve. The INFO severity is excluded from this list.

    • Detection Tags (Optional): If one or more tags is entered, only alerts triggered by detections with at least one of those tags are eligible for auto-resolve.

    • Auto-resolve requires Auto-run AI Triage on Alerts to be enabled, since alerts must first be triaged by Panther AI to receive a risk score.

  • Auto-run AI Triage on Alerts: When set to ON, AI alert triage runs automatically on new alerts. Learn more in Auto-run AI alert triage.

  • Alert Severities: If one or more alert severities is selected, Panther AI will only auto-run alert triage for alerts with those severities. Note that the INFO severity is excluded from this list, as Panther does not allow auto-run AI triage on INFO-level alerts.

  • Detection Tags: If one or more tags is entered, Panther AI will only auto-run alert triage for alerts triggered by detections with at least one of those tags.

Important notes about auto-run AI triage

  • Auto-run AI triage is only available to Cloud Connected customers and SaaS customers with pass-through billing.

  • If both the Alert Severities and Detection Tags fields contain values, AI triage will only be auto-run if an alert meets both criteria, i.e., has one of the specified severities and its associated detection has one of the specified tags.

Web Access

The Web Access page controls whether Panther AI can fetch content from external web pages and process file attachments during conversations. When enabled, Panther AI can read web pages, images, and PDF documents to add context during analysis — for example, referencing public documentation, threat intelligence reports, or indicators of compromise. This setting also enables file attachments, allowing users to upload files directly to AI conversations.

The following settings are available:

  • Enable Web Access: Controls whether Panther AI can fetch web content and process file attachments. When set to OFF, both web content fetching and file attachment capabilities are disabled entirely.

  • Approved Domains: A list of domains that Panther AI can access without requiring user approval. Wildcard entries are supported — for example, *.example.com matches any subdomain of example.com (such as docs.example.com) but does not match example.com itself.

  • Forbidden Domains: A list of domains that Panther AI is never allowed to access, regardless of other settings. Wildcard entries are supported. Forbidden domains take priority over approved domains.

  • Require Approval for Non-Approved Domains: When set to ON, Panther AI will pause and ask for your approval before fetching content from a domain that is not on the approved domains list. When set to OFF, Panther AI can only access domains on the approved list.

When Require Approval for Non-Approved Domains is OFF and the approved domains list is empty, Panther AI cannot access any web content. When Require Approval for Non-Approved Domains is ON and the approved domains list is empty, every web request triggers a user approval prompt.

Security considerations:

  • Panther AI will never make requests to private or internal network addresses (e.g., 10.0.0.0/8, 169.254.169.254, localhost), regardless of domain settings.

  • If an approved domain redirects to a forbidden or non-approved domain, the request is blocked.

  • All web access requests are recorded in Panther audit logs, including the requested URL.

Remote MCP

The Remote MCP page controls the Remote MCP Client Allowlist, which restricts the OAuth redirect destinations that remote MCP clients (such as Claude Desktop or Cursor) may use when authorizing with Panther. You can configure Allowed Redirect Hosts and Allowed Custom Schemes. Loopback HTTP redirects (localhost, 127.0.0.1, ::1) are always permitted and do not need to be listed.

For more information, see Panther Remote MCP.

MCP Servers

On the MCP Servers page, you can connect and manage external MCP server integrations that Panther AI uses. For more information, see MCP Integrations.

Alert Configuration

Alert Context Tags

Under Alert Configuration > Alert Context Tags, you can view a list of alert context tags and add new tags.

For more information, see Custom alert context tags.

About

Open Source Licenses

The Open Source Licenses page lists the open source software licenses used by Panther.

Other Panther Console features

System Health Notifications

Panther's System Health Notifications alert you with a "System Error" when a part of the Panther platform is not functioning correctly. This includes the following types of notifications:

  • Log source health notifications

  • Log classification errors

  • Alert delivery failures

  • Cloud security scanning failures

For more information, see System Health Notifications.

Troubleshooting System Configuration

Visit the Panther Knowledge Base to view articles about system configuration that answer frequently asked questions and help you resolve common errors and issues.

Last updated

Was this helpful?