Skip to main content
Panther Knowledge Base

Do CI/CD processes affect rule filters for Panther detections?

QUESTION

I use CI/CD processes to update the detections used in my Panther Console. Will using rule filters cause issues with how we create and edit rules within our developer workflows? For example, will my CI/CD processes erase the filters?

ANSWER

Yes, CI/CD processes will affect your rule filters. For example:

  • If you upload a rule from PAT and it includes an InlineFilters field, the rule's Inline Filters will be overwritten with the provided filters from PAT.
  • If you upload a rule from PAT without an InlineFilters field, the filter will be explicitly deleted from the rule. This ensures that the state in Panther matches the state of the detections being uploaded via PAT.
     

If you are uploading with PAT, we suggest setting the InlineFilters on your detection files. Please refer to Panther's documentation on modifying detections with inline filters for more information.