What options do I have to manage my detections in Panther, and which options are best for my workflow?
Panther currently supports three main workflows for managing detections:
- Manually editing detections in the Panther Console
- Receiving updates via enabled Packs
- Pushing updates using Panther Analysis Tool (PAT)
Manually editing detections in the Panther Console
Manually editing detections in the Panther Console is the simplest way to get started with creating and updating detections because it doesn't require any additional setup or configuration. However, manually managing detections can become unwieldy if you have a large number of detections or a large number of users in Panther.
Receiving updates via enabled Packs
Detection Packs are a way to update many detections at once with the click of a button. A Pack is a bundle of detections. You enable a Pack in the Panther Console, and a single button press then downloads and updates every detection in that Pack. The change is reflected immediately in your Panther Console.
Panther provides several core Packs that can be optionally enabled in your Panther Console. Whenever Panther updates these Packs, you will see an option in your Panther Console to update your enabled Packs to the latest version. Packs do not require any external setup.
Once you enable a Pack, every detection that is included in that Pack will show up as "MANAGED" in your Panther Console. A managed detection means that it is part of an enabled Pack, and it cannot be modified directly. Using Packs is only recommended if you do not wish to edit the detections in the Pack directly.
If you wish to edit the detections that Panther provides, we instead recommend that you fork the panther-analysis repository that contains Panther's provided detections, and then upload them via panther_analysis_tool upload, as described in the next section.
Pushing updates via Panther Analysis Tool
You can manage detections via Panther Analysis Tool (PAT), using the command panther_analysis_tool upload. This command takes all detections in a directory and uploads them to your Panther Console. This method works well in a CI/CD workflow: configure your CI/CD job to run this command every time there are changes in your version control system, and your Panther Console stays up to date with the repository.
Using Detection Packs and PAT at the same time is not recommended. These workflows can overwrite each other's detections whenever both contain a detection with the same ID. For more information on choosing Packs or PAT, see this article: How to choose between Packs and panther_analysis_tool for managing detections.
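The following is an added example, not code from Panther or the panther-analysis repository. It shows a pre-upload guard you could run in the CI/CD job described above, before `panther_analysis_tool upload`: it walks a detection directory, collects every RuleID and PolicyID from the YAML spec files, and fails when an ID is declared twice in the repository or collides with an ID that an enabled Pack already manages, which is exactly the overwrite the preceding paragraph warns about. The spec parsing is a deliberate regex simplification (a real job would use PyYAML), the Pack-managed ID list `PACK_MANAGED_IDS` is a constructed placeholder, and all detection IDs and file names in `SAMPLE_SPECS` are constructed for the demo.

```python
"""Pre-upload guard for a panther_analysis_tool (PAT) CI job (example code).

Scans a detection repository for the YAML spec beside each rule/policy,
collects every RuleID and PolicyID, and reports IDs that are declared twice
in the repo or are already managed by an enabled Detection Pack, so the job
can stop before `panther_analysis_tool upload` overwrites a Pack-managed
detection that has the same ID.
"""
from __future__ import annotations

import re
import sys
import tempfile
from pathlib import Path

# Constructed placeholder: IDs that the enabled Packs manage in a hypothetical
# Console. How a real job obtains this list is not prescribed here.
PACK_MANAGED_IDS: frozenset[str] = frozenset({
    "Example.AWS.RootConsoleLogin",
    "Example.AWS.ConsoleLoginWithoutMFA",
})

# Matches a top-level `RuleID:` or `PolicyID:` key in a spec file. This is a
# simplification for the example; a production job would parse the YAML.
ID_KEY_RE = re.compile(
    r"^(RuleID|PolicyID):\s*['\"]?([^'\"\s]+)['\"]?\s*$", re.MULTILINE
)


def collect_ids(root: Path) -> dict[str, list[str]]:
    """Map each detection ID found under root to the spec files declaring it."""
    ids: dict[str, list[str]] = {}
    specs = sorted(p for p in root.rglob("*") if p.suffix in (".yml", ".yaml"))
    for spec in specs:
        for _key, det_id in ID_KEY_RE.findall(spec.read_text(encoding="utf-8")):
            ids.setdefault(det_id, []).append(spec.relative_to(root).as_posix())
    return ids


def find_conflicts(ids: dict[str, list[str]], pack_managed) -> tuple[dict, dict]:
    """Return (IDs duplicated within the repo, IDs that collide with a Pack)."""
    duplicates = {i: files for i, files in ids.items() if len(files) > 1}
    pack_clashes = {i: files for i, files in ids.items() if i in pack_managed}
    return duplicates, pack_clashes


def check_repo(root: Path, pack_managed=PACK_MANAGED_IDS) -> list[str]:
    """One readable error per conflict; an empty list means it is safe to upload."""
    duplicates, pack_clashes = find_conflicts(collect_ids(root), pack_managed)
    errors = [f"duplicate ID {i} in {', '.join(f)}" for i, f in duplicates.items()]
    errors += [f"ID {i} in {', '.join(f)} is managed by an enabled Pack"
               for i, f in pack_clashes.items()]
    return errors


# Constructed mini repository for the demo; none of these IDs are real detections.
SAMPLE_SPECS = {
    "rules/okta_suspicious_login.yml": (
        "AnalysisType: rule\nFilename: okta_suspicious_login.py\n"
        "RuleID: Custom.Okta.SuspiciousLogin\nEnabled: true\nSeverity: High\n"
        "LogTypes:\n  - Okta.SystemLog\n"
    ),
    # Same RuleID as above: a copy-paste mistake inside the repo.
    "rules/okta_login_copy.yml": (
        "AnalysisType: rule\nFilename: okta_login_copy.py\n"
        "RuleID: Custom.Okta.SuspiciousLogin\nEnabled: true\nSeverity: Medium\n"
        "LogTypes:\n  - Okta.SystemLog\n"
    ),
    # Collides with an ID that an enabled Pack manages.
    "rules/aws_root_login.yml": (
        "AnalysisType: rule\nFilename: aws_root_login.py\n"
        "RuleID: 'Example.AWS.RootConsoleLogin'\nEnabled: true\nSeverity: Critical\n"
        "LogTypes:\n  - AWS.CloudTrail\n"
    ),
    "policies/s3_public_read.yml": (
        "AnalysisType: policy\nFilename: s3_public_read.py\n"
        "PolicyID: Custom.S3.BucketPublicRead\nEnabled: true\nSeverity: High\n"
        "ResourceTypes:\n  - AWS.S3.Bucket\n"
    ),
}


def write_sample_repo(root: Path) -> Path:
    """Materialise the constructed spec files under root and return root."""
    for rel, body in SAMPLE_SPECS.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return root


def demo() -> list[str]:
    """Write the sample repo to a temp dir and return the guard's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_repo(write_sample_repo(Path(tmp)))


if __name__ == "__main__":
    findings = demo()
    for line in findings:
        print("ERROR:", line)
    print("upload blocked" if findings else "no conflicts; safe to run panther_analysis_tool upload")
    sys.exit(1 if findings else 0)
```

In a real pipeline you would point `check_repo` at the directory you pass to `panther_analysis_tool test --path <dir>` and `panther_analysis_tool upload --path <dir>`, and make the upload step conditional on the guard exiting 0. The guard is only a safety net for the workflow-mixing problem: the cleaner fix remains picking either Packs or PAT for a given set of detections.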