What you've said, in effect, is, "Gee, someone came to the site with some interest (say, from a Hacker News link) but no idea what this secret sauce is. Screw 'em! Get them out of here!"
Alternatively, if you give them an idea of what they're looking at (and no, I don't think you have to drill down to every tiny detail on the front page), maybe they'll realize, "Hey, that's something I should at least look into."
I suspect that a layperson might be getting the impression that this will alert them to security incidents. It will not really do that. It is not an intrusion detection system (which also are not very useful, but I digress). It will be 99.9999999% noise, and an experienced team will have a sense of what they should bother paying attention to, and still spend most of their time chasing dead ends.
It would be like if someone announced the release of a compiler, without explaining what a compiler is. Someone might reasonably say, if you don’t know what a compiler is, this isn’t solving a problem that you’re worried about.
Even if you're too small to have an incident response team, if you work on the cloud, you need to prevent these common security issues. I can't imagine using a tool built for the purpose is more of a money pit than writing it yourself as many cloud engineers end up doing.
We are also available on Slack to help out!
We also utilize open source or cloud-native transport mechanisms like fluentd/s3/etc, versus rolling our own.
Also, since this seems fairly new, do you have SOAR platform integration already? That's a major selling point these days, I need it to play well with automation.
Lastly, many have tried and failed to compete with Splunk's query language. Does this have a query language that can compete? I don't need it to detect threats out of the box, if I need a SIEM then I also need to rapidly change correlation logic and for that I need a good query language which is very rare even with top dollar traditional SIEMs.
My read of the license file is that there seems to be some purposefully introduced license confusion and mixing of proprietary/commercial non-OSS files into the same repo, which makes it really unclear if this is OSS per the OSI definition, or whether running git log will taint a contributor.
The compiled binary assets are available under Apache 2.0, which appears to be a marketing tactic to capitalize on the name, while being completely unrelated to the actual source license, aka this is closer to a free-to-use binary. IANAL but afaics most orgs should talk to a lawyer if they want to use this as OSS.
Moreover, this line in the readme also appears to be purposefully sowing confusion, "Panther is dual-licensed under the AGPLv3 and Apache-2.0 licenses." except they actually appear to redefine the common usage of dual license, to mean that parts of the code base are selectively licensed one or the other.
I'd originally just looked at the LICENCE.txt file in the top level, thinking this was presented as a standalone application suite from a single author / company - so I approached it with certain (perhaps naive) expectations.
Logs are probably the worst source one can have. And it's faulty by design. Why not think of something new? A better source for your data would be something to start with. Maybe an intelligent infrastructure for data collection could make it more useful with more relevant data. Only ship relevant data from relevant sources if additional info is required. Maybe that would be a great solution. It would at least be something new.
Alerts can deliver to SNS/SQS, which can invoke a Lambda function running your custom script:
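As an added example (not Panther's code), here is the shape such a Lambda handler takes: it unwraps alerts whether they arrive via SNS directly, via SQS, or via an SNS subscription fanned out through an SQS queue, then routes them by severity. The alert field names ("severity", "ruleId") and the sample payloads are assumptions constructed for the example.

```python
import json


def extract_alerts(event):
    """Yield one alert dict per record, whichever envelope delivered it:
    SNS -> Lambda (record["Sns"]["Message"]), SQS -> Lambda (record["body"]),
    or SNS -> SQS -> Lambda (body is an SNS envelope wrapping the alert)."""
    for record in event.get("Records", []):
        if "Sns" in record:
            raw = record["Sns"]["Message"]
        elif "body" in record:
            raw = record["body"]
        else:
            continue  # not an SNS or SQS record; ignore it
        payload = json.loads(raw)
        # SNS delivered through an SQS queue wraps the alert one more time.
        if isinstance(payload, dict) and payload.get("Type") == "Notification":
            payload = json.loads(payload["Message"])
        yield payload


def route_alert(alert):
    """Map severity to an action. The field names ("severity", "ruleId")
    are assumptions for this example, not Panther's actual alert schema."""
    severity = str(alert.get("severity", "INFO")).upper()
    if severity in ("CRITICAL", "HIGH"):
        return "page"
    if severity == "MEDIUM":
        return "ticket"
    return "log"


def handler(event, context=None):
    """Lambda entry point: returns {ruleId: [action, ...]} for the batch."""
    decisions = {}
    for alert in extract_alerts(event):
        decisions.setdefault(alert.get("ruleId", "unknown"), []).append(
            route_alert(alert))
    return decisions


# Constructed sample events (illustrative payloads, not real Panther output).
ALERT = {"ruleId": "EXAMPLE.RootLogin", "severity": "HIGH"}
SNS_EVENT = {"Records": [{"Sns": {"Message": json.dumps(ALERT)}}]}
SQS_EVENT = {"Records": [{"body": json.dumps(
    {"Type": "Notification", "Message": json.dumps(ALERT)})}]}

if __name__ == "__main__":
    print(handler(SNS_EVENT))  # {'EXAMPLE.RootLogin': ['page']}
```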
I'd say the biggest differences are that Panther:
- Has a UI-driven workflow (vs CLI)
- Has an improved design to be more scalable and cost-effective
- Is written almost entirely in Golang
- Made a larger investment in the Athena side, allowing data pivoting and correlation across types
- Has first-class support for monitoring infrastructure as "resources", opening up more compliance use cases
We applied a lot of lessons learned from running StreamAlert and from my team's experiences at Amazon.