QUESTION

How are global helpers uploaded to Panther? Do they come along for the ride when you use panther_analysis_tool to upload rules, or do they need to be uploaded with a separate, specific upload statement?

The panther_analysis_tool (PAT) documentation implies that data models, lookup tables, global helpers, and queries get included with PAT uploads, but I'd like more information about how that works.

ANSWER

In general, there are two ways to upload your global helpers.

As long as there are global helpers within the upload directory, they will be uploaded and added to the existing ones, and there is no need to include all of your current global helpers in that directory. However, if you perform a bulk upload (i.e. one that also includes detections), you should include all the global helpers that your uploaded detections are using.

For example, if you specify a directory path for the content that needs to be uploaded, and this directory contains a policy, a rule that uses global-helper-1, and a separate global helper (global-helper-2), all of them will be uploaded/added to your instance. Your upload directory should therefore contain the YAML files and the Python code for your rule, your policy, and both helpers.

You will also get a result in your terminal after the upload showing the number of items of each type that were uploaded or modified.

Additionally, if you are not intending to upload everything from your directory, you can explicitly tell panther_analysis_tool to filter the content by adding a --filter KEY=VALUE argument to your panther_analysis_tool upload command. For example, to only upload rules and global helpers you can add: --filter AnalysisType=rule,global
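As an added example (not from the original answer or from Panther's own tooling), the script below lays out the upload directory described above: a policy, a rule that imports global-helper-1, and an unrelated global-helper-2, each as a YAML/Python pair. It then mimics what --filter AnalysisType=... selects and prints the upload command you would run. The IDs, file names and log/resource types are assumed for illustration (Python module names cannot contain hyphens, so the helpers are named global_helper_1 and global_helper_2); nothing here contacts a Panther instance, and authentication flags are left to whatever method your PAT version uses.

```shell
#!/usr/bin/env bash
# Added example: build a panther_analysis_tool upload directory and preview
# what --filter AnalysisType=... would select. All IDs/filenames are assumed.
set -eu

# Write the YAML + Python pairs for a rule, a policy and two global helpers into $1.
make_content_dir() {
  local dir="$1"
  mkdir -p "$dir"

  # global_helper_1: imported by the rule below via its GlobalID (assumed name).
  cat > "$dir/global_helper_1.yml" <<'EOF'
AnalysisType: global
GlobalID: global_helper_1
Filename: global_helper_1.py
Description: Shared helper used by the example rule
EOF
  cat > "$dir/global_helper_1.py" <<'EOF'
def is_admin(event):
    return event.get("user", {}).get("role") == "admin"
EOF

  # global_helper_2: nothing in this directory uses it, but it is still uploaded.
  cat > "$dir/global_helper_2.yml" <<'EOF'
AnalysisType: global
GlobalID: global_helper_2
Filename: global_helper_2.py
Description: Helper uploaded alongside the detections without being referenced
EOF
  cat > "$dir/global_helper_2.py" <<'EOF'
def is_service_account(event):
    return event.get("user", {}).get("type") == "service"
EOF

  # A rule that depends on global_helper_1 (log type assumed).
  cat > "$dir/admin_login.yml" <<'EOF'
AnalysisType: rule
RuleID: Example.Admin.Login
Filename: admin_login.py
Enabled: true
LogTypes:
  - Custom.ExampleLog
Severity: Medium
EOF
  cat > "$dir/admin_login.py" <<'EOF'
from global_helper_1 import is_admin  # resolved by Panther from the uploaded global

def rule(event):
    return is_admin(event)
EOF

  # A policy with no helper dependency (resource type assumed).
  cat > "$dir/s3_block_public_acls.yml" <<'EOF'
AnalysisType: policy
PolicyID: Example.S3.BlockPublicAcls
Filename: s3_block_public_acls.py
Enabled: true
ResourceTypes:
  - AWS.S3.Bucket
Severity: High
EOF
  cat > "$dir/s3_block_public_acls.py" <<'EOF'
def policy(resource):
    # Compliant (True) only when the bucket blocks public ACLs.
    return bool(resource.get("PublicAccessBlockConfiguration", {}).get("BlockPublicAcls"))
EOF
}

# Print, sorted, the RuleID/PolicyID/GlobalID of every item in $1 whose
# AnalysisType is in the comma-separated list $2. This mirrors what
# --filter AnalysisType=a,b narrows an upload to.
select_by_type() {
  local dir="$1" types=",$2," f atype
  for f in "$dir"/*.yml; do
    atype=$(sed -n 's/^AnalysisType: *//p' "$f")
    case "$types" in
      *",$atype,"*) grep -E '^(RuleID|PolicyID|GlobalID):' "$f" | sed 's/^[A-Za-z]*: *//' ;;
    esac
  done | LC_ALL=C sort
}

# The command you would run; $2 is optional and becomes the --filter value.
upload_command() {
  local dir="$1" types="${2:-}"
  if [ -n "$types" ]; then
    printf 'panther_analysis_tool upload --path %s --filter AnalysisType=%s\n' "$dir" "$types"
  else
    printf 'panther_analysis_tool upload --path %s\n' "$dir"
  fi
}

# Demo: show the four items, then only rules + globals, then the filtered command.
demo_dir=$(mktemp -d)
make_content_dir "$demo_dir"
echo "all content:";        select_by_type "$demo_dir" rule,policy,global
echo "rule,global only:";   select_by_type "$demo_dir" rule,global
upload_command "$demo_dir" rule,global
```

Because the rule's Python imports global_helper_1 by its GlobalID, a bulk upload of this directory must carry that helper's YAML and .py alongside the rule, exactly as the answer says; the filter rule,global keeps the rule and both helpers and drops the policy.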