Do users often have a dev and prod environment for testing Panther Detections?
QUESTION
Do users often have separate developer / sandbox and production environments for testing Panther Detections?
ANSWER
Generally, we do not see a full dev or prod deployment just for testing detections. To ensure detections are working as expected, many teams rely on the unit testing built into the Panther Console, or on the panther_analysis_tool in a CI pipeline that enforces passing unit tests and a minimum number of unit tests per detection (with the --minimum-tests flag).
A common way to test new detections is to configure them to send alerts to a specific “dev” destination (e.g., a Slack channel that is muted or a dummy email that no one watches).
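The two practices above, combined in one sketch. This is an added example, not Panther's own code: rule, title and destinations are the function names Panther Python detections use, while the destination name, the sample events and the check_detection helper (a local stand-in for a CI gate, not the panther_analysis_tool implementation) are constructed for illustration.

```python
# Added illustration; log fields, test events and the destination label are constructed.
DEV_DESTINATION = "slack-detections-dev"  # hypothetical muted "dev" destination name

def rule(event):
    # Fire on console logins that did not use MFA.
    return (
        event.get("eventName") == "ConsoleLogin"
        and event.get("additionalEventData", {}).get("MFAUsed") == "No"
    )

def title(event):
    return f"[DEV] Console login without MFA by {event.get('userName', '<unknown>')}"

def destinations(event):
    # While the detection is being tuned, route every alert to the dev destination.
    return [DEV_DESTINATION]

# Constructed unit tests: (name, expected rule() result, sample event).
TESTS = [
    ("login without MFA", True,
     {"eventName": "ConsoleLogin", "userName": "alice",
      "additionalEventData": {"MFAUsed": "No"}}),
    ("login with MFA", False,
     {"eventName": "ConsoleLogin", "userName": "bob",
      "additionalEventData": {"MFAUsed": "Yes"}}),
    ("unrelated event", False, {"eventName": "ListBuckets", "userName": "carol"}),
]

def check_detection(tests, minimum_tests=2):
    """Return a list of failures; an empty list means the gate passes."""
    failures = []
    if len(tests) < minimum_tests:
        failures.append(f"only {len(tests)} tests, need {minimum_tests}")
    # Assumption of this sketch: require both an alerting and a non-alerting case.
    if {expected for _, expected, _ in tests} != {True, False}:
        failures.append("need at least one alerting and one non-alerting test")
    for name, expected, event in tests:
        if rule(event) != expected:
            failures.append(f"test '{name}': expected {expected}, got {rule(event)}")
        elif expected and destinations(event) != [DEV_DESTINATION]:
            failures.append(f"test '{name}': alert not routed to dev destination")
    return failures

if __name__ == "__main__":
    problems = check_detection(TESTS)
    print("PASS" if not problems else "\n".join(problems))
```

Once the detection is tuned, removing the destinations override returns alerts to their normal routing.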