QUESTION

Do users often have separate developer / sandbox and production environments for testing Panther Detections?

ANSWER

Generally, full dev or prod deployments are not necessary just for testing detections. To ensure that detections are functioning correctly, many teams rely on the unit testing feature built into the Panther Console, or use the panther_analysis_tool in a CI pipeline that enforces passing unit tests and a minimum number of tests per detection via the --minimum-tests flag (check here for more information).
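As an added illustration (not Panther's own code, and not from the original answer), here is a Panther-style Python detection with the unit tests that would normally live in the rule's YAML `Tests:` block, plus a small local runner that mirrors what the CI gate does: every test must match its `ExpectedResult`, and the rule must carry at least the `--minimum-tests` count. The rule logic, the event field names, and the sample log events are constructed assumptions.

```python
from typing import Callable, Dict, List

MINIMUM_TESTS = 2  # the value CI would pass via --minimum-tests (assumed)

# Detection logic as it would live in the rule's .py file (constructed rule,
# not a Panther-supplied one): root console login without MFA.
def rule(event: Dict) -> bool:
    if event.get("eventName") != "ConsoleLogin":
        return False
    if event.get("userIdentity", {}).get("type") != "Root":
        return False
    return event.get("additionalEventData", {}).get("MFAUsed") != "Yes"

def title(event: Dict) -> str:
    return f"Root console login without MFA from {event.get('sourceIPAddress', 'unknown')}"

# Unit tests mirroring the rule's YAML "Tests:" entries (Name / ExpectedResult / Log).
# The log events below are constructed samples.
TESTS: List[Dict] = [
    {"Name": "Root login without MFA", "ExpectedResult": True,
     "Log": {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
             "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "192.0.2.10"}},
    {"Name": "Root login with MFA", "ExpectedResult": False,
     "Log": {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
             "additionalEventData": {"MFAUsed": "Yes"}}},
    {"Name": "IAM user login is out of scope", "ExpectedResult": False,
     "Log": {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"}}},
    {"Name": "Unrelated event", "ExpectedResult": False,
     "Log": {"eventName": "DescribeInstances", "userIdentity": {"type": "Root"}}},
]

def run_tests(rule_fn: Callable[[Dict], bool], tests: List[Dict], minimum_tests: int) -> Dict:
    """Local stand-in for the CI gate: every test must match its ExpectedResult,
    and the rule must carry at least minimum_tests tests or the run fails."""
    failures = [t["Name"] for t in tests if rule_fn(t["Log"]) != t["ExpectedResult"]]
    too_few = len(tests) < minimum_tests
    return {"passed": not failures and not too_few,
            "failures": failures, "test_count": len(tests), "too_few": too_few}

if __name__ == "__main__":
    print(run_tests(rule, TESTS, MINIMUM_TESTS))
```

The same four cases, written as YAML `Tests:` entries beside the rule, are what panther_analysis_tool would execute in the pipeline.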

A common approach for testing new detections is to configure them to send alerts to a designated "dev" destination. For example, this could be a muted Slack channel or a dummy email address that is not actively monitored.