How do I remove deprecated Panther-managed rules from my UI?

Last updated: September 3, 2024

QUESTION

I see deprecated Panther-managed rules in my Panther Console. I tried deleting them, but they keep reappearing. How do I remove them?

ANSWER

There are a couple ways to do this:
 

  • Filter out the deprecated rules using Filter or Ignore. With this approach, the files don't get deleted and you may have to run the command again when your repo syncs.

    1. Ensure that you have disabled those rules in your repo

    2. Run this command: pipenv run panther_analysis_tool upload --filter Enabled=true

      • That will limit the upload to rules where Enabled:Trueis set

    3. After that, you can delete the rules through the UI without them reappearing when you upload using PAT
       

  • Git remove the files. This approach is more permanent, as it actually deletes the files. However, there is still a chance for the files to reappear in your repo when it syncs if Panther performs a bulk update.

    1. Ensure that you have disabled those rules in your repo. Then run the following commands:

    2. panther_analysis_tool delete --analysis-id $RULE_ID

    3. git rm $PATH_TO_PY_FILE $PATH_TO_YAML_FILE

    4. git commit and git push those changes before the next pull from upstream

  • NOTE: Replace RULE_ID with the rule_id of which rule you want to remove. Replace PATH_TO_PY_FILE and PATH_TO_YAML_FILE with the actual paths to the PY and YAML files you want to remove.