QUESTION

The detection logic for one of my Detection Packs hardcodes the severity value for the detections. This is blocking us from setting severity, and I want to change the severity because the alerts are clogging our on-call pipeline. Can I edit a rule in a Panther managed Detection Pack?

ANSWER

If you want to edit a rule from a Panther Managed Pack, you could either follow the process in the documentation to clone and edit the rule or use derived detections.

If you are cloning and editing the rule, and the rule you are attempting to edit is part of a Detection Pack, you cannot edit the rule while the rule is enabled. Panther-provided packs’ rules are intentionally not editable as they regularly receive updates, and edits could get overwritten or cause merge conflicts.

You’ll want to keep an eye out for updates to the disabled pack rule and judge whether you’d like the change in your new rule. For example, new log types may get added to universal rules where applicable, or logic can be updated.
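As an added illustration of the clone-and-edit route (this is example code, not a Panther-provided rule or any code from the original post), the block below shows what the cloned copy might look like once the pack rule's hardcoded severity is replaced by a `severity(event)` function driven by the event itself, which is usually what stops the on-call noise without dropping the detection. The log type, field names (`action`, `actor`, `source_ip`), the automation accounts and the address prefixes are all hypothetical, and the sample events are constructed.

```python
# Added example (not Panther's code): a cloned copy of a pack rule that
# replaces a hardcoded severity with one computed from the event.
# Assumptions: a hypothetical admin-audit log with fields "action", "actor"
# and "source_ip"; the original pack rule simply returned "HIGH".
from typing import Any, Dict, List, Tuple

# Accounts whose expected privileged actions should not page on-call (hypothetical).
KNOWN_AUTOMATION = {"ci-deploy@example.com", "backup-svc@example.com"}
# Internal address prefixes (constructed) that lower, but do not suppress, the alert.
INTERNAL_PREFIXES = ("10.", "192.168.")


def rule(event: Dict[str, Any]) -> bool:
    """Detection logic kept identical to the pack rule: fire on privileged actions."""
    return event.get("action") in {"user.role.grant_admin", "mfa.disable"}


def severity(event: Dict[str, Any]) -> str:
    """Cloned rule's replacement for the pack's hardcoded `return "HIGH"`."""
    actor = event.get("actor", "")
    src = event.get("source_ip", "")
    if event.get("action") == "mfa.disable":
        return "CRITICAL"  # removing MFA is never routine, whoever does it
    if actor in KNOWN_AUTOMATION and src.startswith(INTERNAL_PREFIXES):
        return "LOW"  # expected automation from inside: keep for audit, do not page
    if src.startswith(INTERNAL_PREFIXES):
        return "MEDIUM"
    return "HIGH"


def title(event: Dict[str, Any]) -> str:
    """Alert title; unchanged from what a pack rule would typically produce."""
    return (
        f"{event.get('actor')} performed {event.get('action')} "
        f"from {event.get('source_ip')}"
    )


def evaluate(events: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Run the cloned rule over a batch; return (title, severity) for each hit."""
    return [(title(e), severity(e)) for e in events if rule(e)]


# Constructed sample events for a local dry run.
SAMPLE_EVENTS = [
    {"action": "user.role.grant_admin", "actor": "ci-deploy@example.com", "source_ip": "10.1.2.3"},
    {"action": "user.role.grant_admin", "actor": "alice@example.com", "source_ip": "203.0.113.7"},
    {"action": "mfa.disable", "actor": "ci-deploy@example.com", "source_ip": "10.1.2.3"},
    {"action": "user.login", "actor": "bob@example.com", "source_ip": "198.51.100.9"},
]

if __name__ == "__main__":
    for t, s in evaluate(SAMPLE_EVENTS):
        print(f"[{s}] {t}")
```

The point of keeping `rule()` byte-for-byte identical to the pack version is that when the pack rule later receives a logic update, diffing the disabled original against the clone shows only the severity change, which makes the "do I want this update in my copy" judgement call quick.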