How does overwriting work between CI/CD or CLI tools like panther_analysis_tool (PAT) versus the Panther Console? For example, if I add a line foo = bar to a detection in the Panther Console, and then edit the same detection locally and add another line foo2 = bar2 and upload this edit with PAT, what will I see in the detection code?
If you're working with Simple Detections
If your team uses the developer workflow to manage detection content, the changes made to detections using the Simple Detection builder in the Console will be overwritten on next upload (except for Inline Filters created in the Console, which will be preserved).
If you create or edit detections using the Simple Detection builder in the Console, copy the resulting YAML representation and include it in your local detections files, in order to prevent the changes from being overwritten on next upload.
If you're working with Python detections
In general, later edits overwrite previous edits, and Panther makes no attempt to "merge" edits from different workflows. So in the above scenario, the detection code would include foo2 = bar2 but not foo = bar. You could then add foo = bar in a separate edit that also retained foo2 = bar2, from either the Panther Console or PAT.
Note that it is not supported to edit detection content in both the Panther Console and via developer workflows simultaneously.
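The following is an added example, not code from Panther or from panther_analysis_tool. It models the "later edit overwrites, no merge" behaviour described above with an in-memory stand-in for the Console, and then shows the kind of pre-upload drift check a team can run in its own CI step before calling PAT: record a fingerprint of each detection body at upload time, and refuse to overwrite if the Console copy has changed since. The store, the detection id `Example.Rule`, the detection body and all function names are constructed for illustration; the drift check is a suggested practice, not a PAT feature.

```python
"""Added example (not Panther's or PAT's own code): last-write-wins upload
semantics, plus an optimistic-concurrency guard that refuses to clobber a
detection whose Console copy changed since the last upload.
All data below is constructed for illustration."""
import hashlib
from dataclasses import dataclass, field


def digest(body: str) -> str:
    """Stable fingerprint of a detection body."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


@dataclass
class DetectionStore:
    """Stand-in for the Console: one body per detection id, replaced on upload."""
    bodies: dict = field(default_factory=dict)

    def upload(self, detection_id: str, body: str) -> None:
        self.bodies[detection_id] = body  # whole-body replace, no merge

    def get(self, detection_id: str) -> str:
        return self.bodies[detection_id]


@dataclass
class LocalRepo:
    """Local detection files plus the fingerprint recorded at the last upload."""
    files: dict = field(default_factory=dict)
    last_uploaded: dict = field(default_factory=dict)  # id -> digest


def console_edit(store: DetectionStore, detection_id: str, extra_line: str) -> None:
    """An edit made in the Console UI: appends a line to the stored body."""
    store.upload(detection_id, store.get(detection_id) + extra_line + "\n")


def naive_upload(repo: LocalRepo, store: DetectionStore, detection_id: str) -> str:
    """What the page describes: the later edit overwrites the earlier one outright."""
    store.upload(detection_id, repo.files[detection_id])
    repo.last_uploaded[detection_id] = digest(repo.files[detection_id])
    return store.get(detection_id)


def checked_upload(repo: LocalRepo, store: DetectionStore, detection_id: str) -> dict:
    """Guarded upload: refuse if the remote body moved since we last uploaded it."""
    remote = store.get(detection_id)
    base = repo.last_uploaded.get(detection_id)
    if base is not None and digest(remote) != base:
        # Someone edited this detection in the Console; surface it instead of clobbering.
        return {"uploaded": False,
                "reason": "remote changed since last upload",
                "remote": remote}
    store.upload(detection_id, repo.files[detection_id])
    repo.last_uploaded[detection_id] = digest(repo.files[detection_id])
    return {"uploaded": True, "reason": "", "remote": store.get(detection_id)}


def scenario(check: bool) -> dict:
    """Replays the question's scenario with or without the drift check."""
    base_body = "def rule(event):\n    return True\n"  # constructed detection body
    store, repo = DetectionStore(), LocalRepo()
    # Initial sync: local file uploaded and its fingerprint recorded.
    repo.files["Example.Rule"] = base_body
    naive_upload(repo, store, "Example.Rule")
    # Console edit adds foo = bar.
    console_edit(store, "Example.Rule", "foo = bar")
    # Local edit (unaware of the Console change) adds foo2 = bar2.
    repo.files["Example.Rule"] = base_body + "foo2 = bar2\n"
    if check:
        return checked_upload(repo, store, "Example.Rule")
    return {"uploaded": True, "reason": "",
            "remote": naive_upload(repo, store, "Example.Rule")}


if __name__ == "__main__":
    print("naive:", scenario(check=False))    # foo2 = bar2 present, foo = bar lost
    print("checked:", scenario(check=True))   # upload refused, foo = bar preserved
```

With the check enabled the upload is refused and the Console copy (still carrying foo = bar) is returned, so the operator can fold that line into the local file and re-upload a body that keeps both edits, which is the "separate edit that also retained foo2 = bar2" the answer describes.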