QUESTION

When using a detection repo to manage Panther, can I organize my global helpers into subfolders within the global_helpers toplevel folder, or do they all need to be in the same directory?

ANSWER

Yes, you can move helpers into their own subfolders! However, keep the following things in mind:

  1. The helper files must still be within the global_helpers folder.

  2. The config (YAML) and code (Python) files for an individual global helper must be kept together.

  3. In the config file, when specifying the Filename of the python file, use only the name of the file - don't include the names of the parent folders!

As long as these conditions are met, you'll be able to upload your repo to Panther without issue!

No changes are necessary to your rules if you move a helper into a subfolder - the import statement only needs to reference the name of the helper.