Panther

Connect the Praetorian Guard Platform with Panther's cloud-native SIEM for consolidated threat detection.

Overview

The Panther integration connects the Praetorian Guard Platform (PGP) with Panther's cloud-native SIEM platform. This integration enables security teams to import security alerts, detection rule findings, and log analysis results from Panther into PGP, providing a consolidated view of threat detection data alongside other attack surface information.

Panther is a modern SIEM built for cloud-scale security operations, offering real-time detection, automated alert triage, and deep log analysis across cloud and on-premise environments. By integrating Panther with PGP, organizations can correlate SIEM-generated alerts with vulnerability data and asset inventories from other security tools, creating a more comprehensive security posture view.

The integration operates in a read-only capacity, retrieving alert and detection data from Panther without modifying any rules, alerts, or configurations within your Panther deployment.

What the Integration Does

The Panther integration performs the following operations during each sync cycle:

  1. Validates credentials — Authenticates with the Panther API using the provided API token and verifies connectivity to the Panther instance.

  2. Imports security alerts — Retrieves alerts generated by Panther's detection rules, including severity, status, alert context, and associated log events.

  3. Imports detection metadata — Retrieves information about the detection rules that triggered alerts, providing context about the types of threats being identified.

  4. Maps findings to assets — Associates Panther alerts with the relevant assets in PGP based on source identifiers such as IP addresses, hostnames, and cloud resource ARNs.

All operations are strictly read-only. PGP does not create, modify, resolve, or delete any alerts, rules, or configurations in Panther.

Prerequisites

Before configuring the Panther integration, ensure you have:

  • Panther account with an active subscription

  • API token with read permissions generated from the Panther console

  • Panther instance URL — The base URL of your Panther deployment

Generating a Panther API Token

  1. Log in to your Panther console.

  2. Navigate to Settings > API Tokens.

  3. Click Create API Token.

  4. Provide a descriptive name (e.g., "PGP Integration").

  5. Assign the token read-only permissions for alerts and detections.

  6. Click Create and copy the generated token — it will not be shown again.

Setup

To configure the Panther integration in PGP:

  1. Navigate to the Integrations page in PGP.

  2. Locate Panther and click Connect.

  3. Enter the required credentials in the configuration form.

  4. Click Save to activate the integration.

Configuration Fields

  • Instance URL: The base URL of your Panther deployment. Example: https://your-org.runpanther.net

  • API Token: The API token generated from the Panther console. Example: pthr_api_token_abcdef123...

What Data Is Synced

Assets

PGP creates asset records for resources referenced in Panther alerts, including:

  • Source IP addresses (PGP Asset): IP addresses identified as sources in alert events

  • Hostnames (PGP Asset): Hostnames referenced in log data associated with alerts

  • Cloud resource ARNs (PGP Asset): AWS, Azure, or GCP resources identified in alert context

Risks

PGP creates risk records for security alerts and detection findings from Panther:

  • High-severity alerts (PGP Risk): Critical and high-severity alerts from detection rules

  • Medium-severity alerts (PGP Risk): Medium-severity alerts requiring investigation

  • Low-severity alerts (PGP Risk): Low-severity informational alerts

  • Policy violations (PGP Risk): Findings from Panther's policy engine detecting misconfigurations

  • Correlation alerts (PGP Risk): Alerts generated from correlated log events across multiple sources
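The asset and risk mappings above, together with step 4 (mapping findings to assets), can be modelled roughly as follows. This is an added illustration written for this page, not PGP's own code: the alert field names, the severity labels and the sample alerts are constructed assumptions, and Azure/GCP resource identifiers would need their own matcher.

```python
import ipaddress
import re

# Constructed sample alerts. The field names (id, severity, title, sources) are an assumption
# for this example, not Panther's documented alert schema.
SAMPLE_ALERTS = [
    {"id": "alert-1", "severity": "CRITICAL", "title": "Root console login without MFA",
     "sources": ["198.51.100.23", "arn:aws:iam::123456789012:root"]},
    {"id": "alert-2", "severity": "INFO", "title": "New log source onboarded",
     "sources": ["collector-01.corp.example.com"]},
    {"id": "alert-3", "severity": "MEDIUM", "title": "Unusual outbound traffic",
     "sources": ["198.51.100.23", "not a valid identifier!"]},
]

# arn:<partition>:<service>:<region>:<account>:<resource>; region and account may be empty.
ARN_RE = re.compile(r"^arn:[a-z0-9-]+:[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:.+$")
# RFC 1123 style hostname with at least one dot, so bare words in alert text are not treated as hosts.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)
# Panther severity labels (assumed) folded onto the three risk levels in the table above.
SEVERITY_TO_RISK = {"CRITICAL": "high", "HIGH": "high", "MEDIUM": "medium", "LOW": "low", "INFO": "low"}

def classify_identifier(value):
    """Return 'ip', 'arn', 'hostname', or None for a source identifier taken from alert context."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if ARN_RE.match(value):
        return "arn"
    if len(value) <= 253 and HOSTNAME_RE.match(value):
        return "hostname"
    return None  # unrecognised: never create an asset from arbitrary alert text

def build_records(alerts):
    """Produce deduplicated asset records and one risk record per (alert, asset) pair."""
    assets = {}  # identifier -> asset, so the same source across alerts yields one asset
    risks = []
    for alert in alerts:
        level = SEVERITY_TO_RISK.get(str(alert.get("severity", "")).upper())
        if level is None:
            continue  # unknown severity: do not guess a risk level
        for src in alert.get("sources", []):
            kind = classify_identifier(src)
            if kind is None:
                continue
            assets.setdefault(src, {"name": src, "type": kind})
            risks.append({"alert_id": alert["id"], "asset": src, "level": level})
    return list(assets.values()), risks
```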

API Endpoints Used

The integration uses the Panther GraphQL and REST APIs. All requests are authenticated using the Authorization: Bearer <api_token> header.

  • POST /public/graphql: Queries alerts, detections, and associated metadata via GraphQL

  • GET /public/v1/alerts: Retrieves paginated alert listings

  • GET /public/v1/alerts/{alert_id}: Retrieves detailed alert information including log events

Troubleshooting

  • 401 Unauthorized
    Cause: Invalid or expired API token
    Fix: Generate a new API token in the Panther console and update the integration configuration in PGP

  • 403 Forbidden
    Cause: API token lacks required permissions
    Fix: Verify the API token has read permissions for alerts and detections

  • Connection timeout
    Cause: Incorrect instance URL or network restrictions
    Fix: Verify the instance URL is correct and that outbound HTTPS traffic to your Panther deployment is allowed

  • No alerts imported
    Cause: No alerts exist in Panther or the time range filter excludes them
    Fix: Verify that Panther has active detection rules generating alerts and check any time range filters

  • Partial data imported
    Cause: API rate limiting during large data retrieval
    Fix: The integration handles rate limiting automatically. Re-run the integration if data appears incomplete

  • GraphQL errors
    Cause: API schema changes in Panther
    Fix: Contact support if persistent GraphQL errors occur after a Panther platform update
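An added example of how a client can page through the alerts endpoint listed under API Endpoints Used, sending the Bearer header on every request and treating the 401, 403 and rate-limit cases from the Troubleshooting section explicitly. It is not PGP's or Panther's code; the cursor, next_cursor and results field names and the in-memory transport are assumptions constructed for the example.

```python
import time

# Causes for the statuses listed under Troubleshooting; any other non-200 code is "unexpected".
STATUS_CAUSES = {401: "invalid or expired API token",
                 403: "API token lacks read permissions for alerts and detections"}

class PantherAPIError(Exception):
    pass

def auth_headers(token):
    """Bearer header sent on every request to Panther."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}

def fetch_all_alerts(get, base_url, token, max_retries=5, sleep=time.sleep):
    """Page through GET /public/v1/alerts, backing off on 429 rather than returning partial data.
    `get(url, headers, params)` is an injected transport returning (status, headers, body);
    the `cursor`, `next_cursor` and `results` names are assumptions, not Panther's documented ones."""
    alerts, cursor, retries = [], None, 0
    while True:
        params = {"cursor": cursor} if cursor else {}
        status, headers, body = get(f"{base_url.rstrip('/')}/public/v1/alerts", auth_headers(token), params)
        if status == 429:  # rate limited: honour Retry-After if present, else back off exponentially
            if retries >= max_retries:
                raise PantherAPIError("rate limited; re-run the sync later")
            retries += 1
            sleep(float(headers.get("Retry-After", 2 ** retries)))
            continue
        if status != 200:
            raise PantherAPIError(f"HTTP {status}: {STATUS_CAUSES.get(status, 'unexpected response')}")
        retries = 0
        alerts.extend(body.get("results", []))
        cursor = body.get("next_cursor")
        if not cursor:
            return alerts

def make_fake_transport(pages):
    """Constructed in-memory transport: throttles the very first call, then serves `pages` in order."""
    state = {"next": 0, "throttled": False}

    def get(url, headers, params):
        assert headers["Authorization"].startswith("Bearer ")  # every request must carry the token
        if not state["throttled"]:
            state["throttled"] = True
            return 429, {"Retry-After": "0"}, {}
        page = pages[state["next"]]
        state["next"] += 1
        return 200, {}, page
    return get
```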

Security and Data Handling

  • Read-only access — The integration only reads alert and detection data from Panther. It does not create, modify, resolve, or delete any alerts, detection rules, log sources, or configurations.

  • Credential storage — The API token is stored encrypted within PGP and is never exposed in logs or the user interface after initial configuration.

  • Data transfer — All communication between PGP and Panther occurs over HTTPS using TLS encryption.

  • Minimal data retrieval — The integration retrieves only the alert metadata and context needed to create meaningful asset and risk records in PGP, avoiding unnecessary transfer of raw log data.