Should I manage my detections via Packs, or via uploading detections with panther_analysis_tool?
You can manage your whole detection program from the Panther Console: enable Panther's out-of-the-box Detection Packs, and create or customize your own detections there, all while keeping detections-as-code in one place.
Panther also offers the Panther Analysis Tool (PAT, `panther_analysis_tool`) as part of a developer workflow, so detections can be tested and deployed through Continuous Integration and Continuous Deployment (CI/CD). Read more in Panther's CI/CD documentation.
The table below gives recommendations based on common use cases:
| Desired workflow | Best option |
| --- | --- |
| I want to receive updates to Panther's provided detections without any extra infrastructure or configuration. | Use Detection Packs |
| I want my own custom detections, and I don't need Panther's provided detections. | Push detections via `panther_analysis_tool` |
| I want Panther's provided detections, and I also want to be able to edit/customize them. | Fork the panther-analysis repository, and push detections via `panther_analysis_tool` |
| I want Panther's provided detections as-is, without maintaining a fork of the repository, and I also want to upload my own custom detections. | Use Packs for Panther's provided detections, and use `panther_analysis_tool` to push your own custom detections |
| I want Panther's provided detections and the ability to edit/customize them, plus my own custom detections alongside them. | Fork the panther-analysis repository, add your custom detections to it, and push detections via `panther_analysis_tool` |
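For the rows that push custom detections with `panther_analysis_tool`, the unit being pushed is a Python rule module plus its YAML metadata. The following is an added example, not code from the Panther documentation or the panther-analysis repository: a minimal custom rule that flags failed AWS console logins and escalates when MFA was not used. It assumes the Panther rule contract (`rule(event)` returning a bool, optional `title(event)` and `severity(event)`, `event` being dict-like with `.get`); the sample events are constructed, and the companion YAML file (RuleID, LogTypes, Severity, Filename, Tests) that PAT needs is assumed to sit beside the module and is not shown.

```python
"""Example custom Panther detection (added example, not from the Panther docs or panther-analysis).

Assumed Panther rule contract: rule(event) -> bool decides whether to alert;
title(event) and severity(event) are optional and shape the alert.
`event` is assumed to be dict-like (supports .get), as Panther passes to rule functions.
"""

# CloudTrail values for a failed console sign-in (assumed field names)
CONSOLE_LOGIN_EVENT = "ConsoleLogin"
FAILED_LOGIN_MESSAGE = "Failed authentication"


def rule(event):
    """Return True when the event is a failed AWS console login."""
    if event.get("eventName") != CONSOLE_LOGIN_EVENT:
        return False
    return event.get("errorMessage") == FAILED_LOGIN_MESSAGE


def title(event):
    """Alert title: who failed to log in and from where (defaults if fields are missing)."""
    identity = event.get("userIdentity") or {}
    user = identity.get("userName", "<unknown user>")
    source_ip = event.get("sourceIPAddress", "<unknown ip>")
    return f"Failed AWS console login for {user} from {source_ip}"


def severity(event):
    """Escalate to HIGH when the attempt was made without MFA, otherwise MEDIUM."""
    extra = event.get("additionalEventData") or {}
    return "HIGH" if extra.get("MFAUsed") == "No" else "MEDIUM"


# Constructed sample events (not real log data), in the shape PAT's YAML `Tests` would carry
SAMPLE_FAILED_NO_MFA = {
    "eventName": "ConsoleLogin",
    "errorMessage": "Failed authentication",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"userName": "alice"},
    "additionalEventData": {"MFAUsed": "No"},
}

SAMPLE_FAILED_WITH_MFA = {
    "eventName": "ConsoleLogin",
    "errorMessage": "Failed authentication",
    "sourceIPAddress": "203.0.113.11",
    "userIdentity": {"userName": "bob"},
    "additionalEventData": {"MFAUsed": "Yes"},
}

SAMPLE_SUCCESS = {
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.12",
    "userIdentity": {"userName": "carol"},
    "additionalEventData": {"MFAUsed": "Yes"},
}


def evaluate(event):
    """Run the rule the way a test harness would: (fires?, title, severity)."""
    fired = rule(event)
    return fired, (title(event) if fired else None), (severity(event) if fired else None)


if __name__ == "__main__":
    for name, sample in [
        ("failed, no MFA", SAMPLE_FAILED_NO_MFA),
        ("failed, MFA", SAMPLE_FAILED_WITH_MFA),
        ("success", SAMPLE_SUCCESS),
    ]:
        print(name, evaluate(sample))
```

Locally, `panther_analysis_tool test` runs the YAML `Tests` against `rule()`, and `panther_analysis_tool upload` pushes the module and metadata to your Panther instance; keeping the sample events in the YAML rather than the module is what lets the same cases run in CI.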