The detection logic for one of my Detection Packs hardcodes the severity value for the detections. This is blocking us from setting
severity, and I want to change the severity because the alerts are clogging our on-call pipeline. Can I edit a rule in a Panther managed Detection Pack?
- If you want to edit a rule from a Panther Managed Pack, follow the process in the documentation to clone and edit the rule.
If the rule you are attempting to edit is part of a Detection Pack, you cannot edit the rule while the rule is enabled. Panther-provided packs’ rules are intentionally not editable as they regularly receive updates, and edits could get overwritten or cause merge conflicts.
You’ll want to keep an eye out for updates to the disabled pack rule and judge whether you’d like the change in your new rule. For example, new log types may get added to universal rules where applicable, or logic can be updated.