QUESTION

How do I check the contents of a Panther-managed detection pack? Sometimes a pack appears to have a helper function, but no rules or scheduled rules. Can I see if there are rules in the latest version?

ANSWER

All Panther-provided detection packs can be viewed in the packs directory of the panther-analysis repository on GitHub. Each YAML file there is a pack manifest, which defines the pack's name, description, and contents. To see what a pack includes, inspect the IDs list under PackDefinition: every item in the pack (rules, scheduled rules, global helpers, and so on) is listed there by its ID, so a pack whose IDs list contains only helper modules ships no rules in that version.

If you have questions about a specific pack, feel free to reach out to Panther support.

Viewing Older Versions of Packs

The panther-analysis repo, which contains all of Panther's OOTB content, allows you to browse previous versions using tags. You can select the tag corresponding to your version by clicking "develop", switching to the "tags" tab, and clicking the version you want. This will render all of Panther's OOTB content as it was during that release.


Converting between numeric version ID and semantic version

Some sources, like Panther's audit logs, list pack versions as an integer instead of the more human-readable semantic version (like 3.12.0). You can map the integer to the semantic version through GitHub's Releases API for the repository (https://api.github.com/repos/panther-labs/panther-analysis/releases) by searching the JSON for the numeric ID. Each release is an object in which id is the numeric version ID and tag_name is the semantic version. Note that the API paginates the listing (30 releases per page by default, up to 100 with ?per_page=100), so an older release may not appear on the first page; add &page=2 and so on until you find it. Once you have tag_name, view the pack contents at that tag using the process described above.
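The following Python script is an added example, not code from the original article or from Panther, that automates both steps of the answer: it walks the paginated GitHub Releases listing to turn a numeric version ID into a tag_name, builds the raw URL of a pack manifest at that tag, and pulls the IDs list out of the manifest so you can see at a glance whether a given version carries rules or only helpers. It assumes the repository layout in which pack manifests live under packs/ and that release tags look like v3.12.0; the release pages and the manifest embedded in it are constructed sample input so it runs offline, and fetch_releases_page is the live replacement for the stub.

```python
"""Resolve a numeric Panther pack version to its tag and read the pack's IDs list.

Added example; not Panther's code. Assumes the panther-analysis layout with
manifests under packs/ and release tags of the form v3.12.0.
"""
import json
import urllib.request
from typing import Callable, Optional

REPO = "panther-labs/panther-analysis"
RELEASES_URL = f"https://api.github.com/repos/{REPO}/releases"


def fetch_releases_page(page: int, per_page: int = 100) -> list:
    """Fetch one page of the GitHub Releases API (live network call).

    GitHub paginates releases (30 per page by default, 100 max), so one
    request may not contain an older release; callers walk pages until empty.
    """
    url = f"{RELEASES_URL}?per_page={per_page}&page={page}"
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def tag_for_release_id(release_id: int,
                       fetch_page: Callable[[int], list] = fetch_releases_page) -> Optional[str]:
    """Walk the paginated listing until a release whose id matches; return its tag_name.

    Returns None when the listing is exhausted without a match (e.g. a mistyped ID).
    """
    page = 1
    while True:
        releases = fetch_page(page)
        if not releases:  # an empty page means we are past the last release
            return None
        for release in releases:
            if release.get("id") == release_id:
                return release.get("tag_name")
        page += 1


def pack_manifest_url(tag: str, pack_file: str) -> str:
    """Raw URL of a pack manifest as it existed at the given tag."""
    return f"https://raw.githubusercontent.com/{REPO}/{tag}/packs/{pack_file}"


def pack_ids(manifest_text: str) -> list:
    """Return the entries of the IDs list in a pack manifest.

    Avoids a YAML dependency on purpose: it understands only an `IDs:` key
    followed by indented `- item` lines, which is how pack manifests are laid
    out. Flow sequences, anchors and other YAML features are out of scope.
    """
    ids = []
    in_ids = False
    ids_indent = -1
    for raw in manifest_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if not in_ids:
            if stripped == "IDs:":
                in_ids, ids_indent = True, indent
            continue
        # List items are indented at least as far as the `IDs:` key; the first
        # line that is not a `- item` ends the list.
        if indent >= ids_indent and stripped.startswith("- "):
            ids.append(stripped[2:].strip().strip("'\""))
        else:
            break
    return ids


# Constructed sample data so the example runs offline. IDs and tags are
# invented for illustration and are not real Panther packs or releases.
SAMPLE_RELEASE_PAGES = {
    1: [{"id": 900002, "tag_name": "v3.13.0"}, {"id": 900001, "tag_name": "v3.12.0"}],
    2: [{"id": 900000, "tag_name": "v3.11.0"}],
}
SAMPLE_MANIFEST = """\
AnalysisType: pack
PackID: Example.Constructed.Pack
Description: Constructed manifest for this example, not a real Panther pack
PackDefinition:
  IDs:
    - Example.Rule.One
    - Example.ScheduledRule.Two
    - example_helpers
DisplayName: "Example Pack"
"""


def sample_fetch_page(page: int) -> list:
    """Stand-in for fetch_releases_page that serves the constructed pages."""
    return SAMPLE_RELEASE_PAGES.get(page, [])


if __name__ == "__main__":
    # Swap sample_fetch_page for fetch_releases_page to query GitHub for real.
    tag = tag_for_release_id(900000, sample_fetch_page)
    print("numeric 900000 ->", tag)
    print("manifest at that tag:", pack_manifest_url(tag, "example.yml"))
    print("items in pack:", pack_ids(SAMPLE_MANIFEST))
```

The numeric ID in the audit log is only found on the second constructed page, which is the pagination trap the text warns about; with the live fetcher the loop keeps requesting pages until GitHub returns an empty list, so old releases are found without guessing a page number. The IDs list tells you what the pack contains but not the type of each item; to confirm whether a given ID is a rule, scheduled rule or global helper, open that ID's own YAML file at the same tag and check its AnalysisType.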