I use CI/CD processes to update the detections used in my Panther Console. Will using rule filters cause issues with how we create and edit rules within our developer workflows? For example, will my CI/CD processes erase the filters?
Yes, CI/CD processes will affect your rule filters. For example:
- If you upload a rule from PAT and it includes an
InlineFiltersfield, the rule's Inline Filters will be overwritten with the provided filters from PAT.
- If you upload a rule from PAT without an
InlineFiltersfield, the filter will be explicitly deleted from the rule. This ensures that the state in Panther matches the state of the detections being uploaded via PAT.
If you are uploading with PAT, we suggest setting the
InlineFilters on your detection files. Please refer to Panther's documentation on modifying detections with inline filters for more information.