How does overwriting work between CI/CD or CLI tools like panther_analysis_tool (PAT) and the Panther Console? For example, if I add a line `foo = bar` to a detection in the Panther Console, then edit the same detection locally, add another line `foo2 = bar2`, and upload that edit with PAT, what will I see in the detection code?
If you're working with Simple Detections
If your team uses the developer workflow to manage detection content, the changes made to detections using the Simple Detection builder in the Console will be overwritten on next upload (except for Inline Filters created in the Console, which will be preserved).
If you create or edit detections using the Simple Detection builder in the Console, copy the resulting YAML representation and include it in your local detections files, in order to prevent the changes from being overwritten on next upload.
If you're working with Python detections
In general, the most recent write wins, whichever tool made it: Panther makes no attempt to "merge" edits from different workflows. In the scenario above, the PAT upload is the later write, so the detection code would contain `foo2 = bar2` but not `foo = bar`. You could then restore `foo = bar` in a separate edit that also keeps `foo2 = bar2`, from either the Panther Console or PAT.
Note that editing the same detection content in both the Panther Console and via the developer workflow at the same time is not supported.
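Because an upload is last-write-wins, the useful pre-upload check is: which lines does the Console copy of the detection have that my local file does not? The following is an added example, not part of Panther's documentation or of panther_analysis_tool. It assumes you have pasted the detection body as it currently reads in the Console into a string by hand (the two bodies below are constructed samples mirroring the `foo = bar` / `foo2 = bar2` scenario above); it does not call the Panther API. The optional `merged_body` helper builds a union of both versions for a one-off reconciliation, which you should review before committing, since Panther itself never merges.

```python
"""Pre-upload check for a Python detection managed with PAT.

Added example, not Panther's own tooling. CONSOLE_BODY and LOCAL_BODY are
constructed samples; in practice CONSOLE_BODY is pasted from the Console
by hand, because the upload path has no merge step to catch the loss.
"""
import difflib

# Constructed sample: the detection as it reads in the Console after
# someone added `foo = bar` through the UI. (Bodies are plain strings here
# and are never executed, so the placeholder names from the FAQ are fine.)
CONSOLE_BODY = """\
def rule(event):
    foo = bar
    return event.get("eventName") == "ConsoleLogin"
"""

# Constructed sample: the same detection in the local repo, where a
# developer added `foo2 = bar2` instead, unaware of the Console edit.
LOCAL_BODY = """\
def rule(event):
    foo2 = bar2
    return event.get("eventName") == "ConsoleLogin"
"""


def lines_lost_on_upload(console_body: str, local_body: str) -> list[str]:
    """Return Console lines (stripped) that have no counterpart locally.

    Uploading replaces the whole body, so every line returned here is what
    the Console would lose the moment the local file is uploaded.
    """
    console_lines = console_body.splitlines()
    local_lines = local_body.splitlines()
    lost: list[str] = []
    matcher = difflib.SequenceMatcher(None, console_lines, local_lines)
    for tag, i1, i2, _j1, _j2 in matcher.get_opcodes():
        # "delete": present only in the Console; "replace": Console text
        # that the local file changed to something else. Both are lost.
        if tag in ("delete", "replace"):
            lost.extend(line.strip() for line in console_lines[i1:i2])
    return lost


def merged_body(console_body: str, local_body: str) -> str:
    """Naive union of both versions, for a one-off manual reconciliation.

    Equal runs are kept once; lines unique to either side are kept, with
    Console lines placed before local lines where both changed the same
    spot. The result must be reviewed: this is a line union, not a
    semantic merge, and Panther performs no merge of its own.
    """
    console_lines = console_body.splitlines()
    local_lines = local_body.splitlines()
    out: list[str] = []
    matcher = difflib.SequenceMatcher(None, console_lines, local_lines)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            out.extend(console_lines[i1:i2])
        elif tag == "delete":
            out.extend(console_lines[i1:i2])
        elif tag == "insert":
            out.extend(local_lines[j1:j2])
        else:  # "replace": keep both sides
            out.extend(console_lines[i1:i2])
            out.extend(local_lines[j1:j2])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    lost = lines_lost_on_upload(CONSOLE_BODY, LOCAL_BODY)
    if lost:
        print("Uploading the local file would drop these Console lines:")
        for line in lost:
            print("  -", line)
        print("\nCandidate reconciled body (review before committing):")
        print(merged_body(CONSOLE_BODY, LOCAL_BODY))
    else:
        print("Local file already contains every Console line; safe to upload.")
```

Run it before `panther_analysis_tool upload` while someone may still be editing in the Console; an empty list from `lines_lost_on_upload` means the upload will not silently discard a Console edit.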