Updating custom rules after helpers were moved in panther-analysis v3.68.0

Last updated: December 3, 2025

Background

In panther-analysis v3.68.0, Panther reorganized global helpers, resulting in certain helpers being moved into different files. This means that import statements in rules that use the moved helpers must be updated to reference the new locations.

Panther-managed detections have been updated to use the new helper locations, but your own custom detections may still need to be updated. Note that if you already updated to v3.68, 3.69, or 3.74+ and have not had issues, you likely are not using any of the moved helpers and you do not need to take further action.

How can I update my custom detections to accommodate the changes?

Step 1: Prepare your environment

How to prepare your environment will vary depending on whether your team uses Detection Packs to manage Panther content or CI/CD.

Detection Pack users

  • Update all of your Packs to v3.70.

CI/CD users

If you retrieve new Panther content via CI/CD, create a new branch and pull the upstream changes. You can pull either v3.68-3.69 or v3.701+, with the following caveats:

  • v3.68 and v3.69 have backwards-incompatible changes to the helpers. If you pull these versions, you must modify all affected custom detections before you can successfully deploy to Panther.

  • v3.70-3.73 have the old helper locations locations backported. This means you can perform rule deployments while updating the affected rules, since the helper code can be imported using either the old or new location.

  • v3.74+ removes the backports, meaning (like with v3.69 and v3.69) you must update references to moved helpers in custom detections before deploying to Panther.

Step 2: Determine if any of your custom rules use moved helpers

  1. Download and open the CSV below, which lists all helpers that have been moved:

    • The left column contains the old location/name, and the right column contains the new location/name.

  1. Identify any custom rules (created both in the CI/CD workflow and the Panther Console) which import the helper functions from the old locations.

    • For example, the CSV identifies panther_base_helpers.aws_rule_context as an affected helper function, so you would need to find any rules which import aws_rule_context from panther_base_helpers.

Step 3: Update import statements in affected custom rules

  • Update the helper import statements in all affected custom rules.

    • For example, the aws_rule_context function was moved from panther_base_helpers to panther_aws_helpers. To accommodate this, we should modify the import statement from:

      from panther_base_helpers import aws_rule_context

      to:

      from panther_aws_helpers import aws_rule_context

If you have any questions or run into issues making these import statement updates, please reach out to the Panther support team!