Panther Knowledge Base

What happens to my detection code if I make changes in both the Panther Console and PAT?

QUESTION

How does overwriting work between CI/CD or CLI tools like panther_analysis_tool (PAT) versus the Panther Console? For example, if I add a line foo = bar to a detection in the Panther Console, and then edit the same detection locally and add another line foo2 = bar2 and upload this edit with PAT, what will I see in the detection code?

ANSWER

If you're working with Simple Detections

If your team uses the developer workflow to manage detection content, changes made to detections using the Simple Detection builder in the Console will be overwritten on the next upload (except for Inline Filters created in the Console, which will be preserved).

If you create or edit detections using the Simple Detection builder in the Console, copy the resulting YAML representation into your local detection files to prevent the changes from being overwritten on the next upload.

If you're working with Python detections

In general, later edits overwrite previous edits, and Panther makes no attempt to "merge" edits from different workflows. So in the above scenario, the detection code would include foo2 = bar2 but not foo = bar. You could then add foo = bar in a separate edit that also retained foo2 = bar2, from either the Panther Console or PAT.

Note that editing detection content in both the Panther Console and via developer workflows simultaneously is not supported.
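
Because nothing is merged, a pre-upload check can show which Console-side lines an upload would drop. The following is an added example, not Panther or PAT code: it assumes you have the last uploaded version of the detection, the code currently shown in the Console, and your local file available as text, and the function names and sample detection bodies are constructed for illustration.

```python
import difflib


def added_lines(base: str, edited: str) -> list[str]:
    """Lines that `edited` adds relative to `base`, ignoring blank lines."""
    diff = difflib.ndiff(base.splitlines(), edited.splitlines())
    return [d[2:] for d in diff if d.startswith("+ ") and d[2:].strip()]


def lost_on_upload(base: str, console: str, local: str) -> list[str]:
    """Console-side additions that are absent from the local file.

    Uploading `local` replaces the stored detection wholesale (later edit
    wins), so every line returned here would disappear after the upload.
    """
    local_lines = {line.strip() for line in local.splitlines()}
    return [ln for ln in added_lines(base, console) if ln.strip() not in local_lines]


# Constructed sample detection bodies mirroring the scenario in the question.
BASE = "def rule(event):\n    return event.get('action') == 'login'\n"
CONSOLE = (
    "def rule(event):\n"
    "    foo = bar\n"  # edit made in the Console
    "    return event.get('action') == 'login'\n"
)
LOCAL = (
    "def rule(event):\n"
    "    foo2 = bar2\n"  # edit made locally, about to be uploaded
    "    return event.get('action') == 'login'\n"
)
# Local file after the Console edit has been copied in by hand.
RECONCILED = (
    "def rule(event):\n"
    "    foo = bar\n"
    "    foo2 = bar2\n"
    "    return event.get('action') == 'login'\n"
)

if __name__ == "__main__":
    for line in lost_on_upload(BASE, CONSOLE, LOCAL):
        print(f"would be overwritten: {line.strip()}")
```

An empty result means the local file already carries every Console-side addition, so the upload loses nothing.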