Skip to main content
Panther Knowledge Base

What happens to my detection code if I make changes in both the Panther Console and PAT?

QUESTION

How does overwriting work between CI/CD or CLI tools like panther_analysis_tool (PAT) versus the Panther Console? For example, if I add a line foo = bar to a detection in the Panther Console, and then edit the same detection locally and add another line foo2 = bar2 and upload this edit with PAT, what will I see in the detection code?

ANSWER

In general, later edits overwrite previous edits, and Panther makes no attempt to "merge" edits from different workflows. So in the above scenario, the detection code would include foo2 = bar2 but not foo = bar. You could then add foo = bar in a separate edit that also retained foo2 = bar2, from either the Panther Console or PAT.

Note that it is not supported to edit detection content in both the Panther Console and via developer workflows simultaneously.