You receive alerts from a detection that look similar to the following:
ModuleNotFoundError("No module named 'panther_detection_helpers'")
These alerts occur when a detection is being checked against incoming events, while using Panther Analysis Tool (PAT) to test rules locally, or while working in the Panther Console.
To troubleshoot this issue, follow the steps below.
If this issue occurs while working on detections in the Panther Console:
On the left-hand side of the Panther Console, click Build > Helpers, and search for an option called panther.
Note: You may see other helpers with other words after 'panther', such as 'panther_base_helpers'.
Go back to Build > Helpers and click Create New in the upper right corner.
Use the exact name panther and copy the contents of this file into the Helper Definition field.
If you're keeping a panther-analysis repo, make sure this file exists under global_helpers.
The best way to get the most up-to-date helpers is to download them from Panther's GitHub repository here. Once you've downloaded them, move them to the repo or directory where you're using panther_analysis_tool.
Also ensure that you are running the panther_analysis_tool test command from a top-level file. Typically, when using panther_analysis_tool test, you need to include the specific file path, like this: panther_analysis_tool test /path/to/your/testfolder.
Identify what type of module the error message is referring to. Check the module name, and consider the following:
Is this one of the standard libraries that should be available to all Panther detections (like datetime, re, boto3, or requests)?
If so, first verify that the module is spelled correctly in your detection.
Try running your command in a virtual environment using pipenv run at the beginning of your command. The command should look similar to the following:
pipenv run panther_analysis_tool test --api-token <your-api-token> --api-host https://api.<your-panther-instance-name>.runpanther.net/public/graphql
Confirm that your detection code is compatible with the latest version of the module. Panther updates Python packages during each new version deployment. If your detection is referencing a module with deprecated attributes/functions, they may be removed in a new Panther version, causing this error.
If you've verified both of the previous points and the code is still throwing errors, contact our support and inform them of the steps taken so far.
Is this module a custom or Panther-provided global helper?
Confirm that the global helper is spelled correctly and is available:
In your code repo, open the global_helpers folder in the repo root and look for a Python file and a YAML file with the same name as the helper module (ex. my_helper.py and my_helper.yml).
If you were trying to import a specific object (using from HELPER import OBJECT notation), check that the helper module code defines the object you tried to import.
If you recently updated the helper file and are relying on those changes, wait 10 minutes then try again. It can take several minutes between changes to a helper being uploaded and those changes being applied to detections.
If none of the above steps resolve your error, contact Panther Support and inform them of the things you've already checked.
Is this a third-party or custom module that you requested Panther staff make available to your detections?
How long ago was the request made? There can be a delay before custom/third party modules become available to your detections. Normally, a support person will let you know when they're successfully installed.
Is your detection compatible with the latest version of your 3rd party module? If not, have you instructed Panther support to prevent the module from being updated past a specific version? (By default, Panther uses the most recent available releases of all Python modules. If your code relies on legacy or deprecated features from a Python module, we advise you ask us to "pin" the module to a specific version that you confirm meets your needs.)
If you still haven't solved the issue, please contact our support. Be sure to mention that this is a custom or third-party module, and inform us of the steps you've already checked.
This error comes from the underlying Python kernel that runs your detections. For one reason or another, the Python kernel cannot find an installed library with a name matching your module. This can be due to the module being missing, not having been installed to begin with, the import call being misspelled, or an update to the library which removed or altered the object you're attempting to use.
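The global helper checks and the causes listed above can be run locally before uploading a detection. The following is an added example, not Panther's own code: the function names diagnose and defined_names, the misspelled module my_helpr, and the sample repo built in demo are constructed for illustration, and the layout assumed is a global_helpers folder in the repo root as described above.

```python
import ast
import importlib.util
import tempfile
from pathlib import Path

def defined_names(helper_py: Path) -> set:
    """Top-level names (functions, classes, assignments) a helper module defines."""
    names = set()
    for node in ast.parse(helper_py.read_text()).body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            names.add(node.name)
        elif isinstance(node, ast.Assign):
            names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return names

def diagnose(detection_src: str, repo_root: Path) -> dict:
    """Map each import in a detection that will not resolve to the reason why."""
    helpers = Path(repo_root) / "global_helpers"
    problems = {}
    for node in ast.walk(ast.parse(detection_src)):
        if isinstance(node, ast.Import):
            wanted = [(a.name.split(".")[0], []) for a in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            wanted = [(node.module.split(".")[0], [a.name for a in node.names])]
        else:
            continue
        for module, objects in wanted:
            py, yml = helpers / f"{module}.py", helpers / f"{module}.yml"
            if py.is_file():  # global helper: needs its YAML and the imported objects
                if not yml.is_file():
                    problems[module] = f"{yml.name} missing next to {py.name}"
                missing = [o for o in objects if o != "*" and o not in defined_names(py)]
                if missing:
                    problems[module] = f"helper does not define: {', '.join(missing)}"
            elif importlib.util.find_spec(module) is None:  # not a helper, not installed
                problems[module] = "not installed and not in global_helpers"
    return problems

def demo() -> dict:
    """Constructed repo layout and detection source, for illustration only."""
    with tempfile.TemporaryDirectory() as root:
        helpers = Path(root) / "global_helpers"
        helpers.mkdir()
        (helpers / "my_helper.py").write_text("def lookup(event):\n    return event\n")
        (helpers / "my_helper.yml").write_text("# constructed placeholder metadata\n")
        detection = ("import re\nfrom my_helper import lookup, enrich\n"
                     "import my_helpr\n\ndef rule(event):\n    return True\n")
        return diagnose(detection, Path(root))
```

An empty result from diagnose means every import resolved locally; it does not confirm which module versions are installed in your Panther instance.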