QUESTION

 Should I manage my detections via Packs, or via uploading detections with panther_analysis_tool?

ANSWER

The Panther Console lets you run your security program from one place: enable out-of-the-box Detection Packs, and create and customize your own detections to take advantage of detections-as-code.

Panther also offers the option to use Panther Analysis Tool (PAT) as a part of your developer workflow, allowing Panther detections to be deployed via Continuous Integration and Continuous Deployment (CI/CD). Read more in Panther's CI/CD documentation.

See recommendations based on use cases in the table below:

Desired workflow: I want to receive updates from Panther's provided detections without any extra infrastructure or configuration.
Best option: Use Detection Packs.

Desired workflow: I want my own custom detections, and I don't need Panther's provided detections.
Best option: Push detections via panther_analysis_tool upload.

Desired workflow: I want Panther's provided detections, and I also want to be able to edit and customize them.
Best option: Fork the panther-analysis repository, and push detections via panther_analysis_tool upload. Be aware that panther_analysis_tool requires each detection to contain a unique ID.

Desired workflow: I want Panther's provided detections as-is without maintaining a fork of the repository. Additionally, I want to upload my own custom detections.
Best option: Use Packs for Panther's provided detections, and use panther_analysis_tool to upload your own custom detections from your own private repository. If you choose this option, you must ensure that the IDs of your detections do not conflict with any IDs from Panther's provided detections. If IDs are not unique, future updates could overwrite each other.

Desired workflow: I want Panther's provided detections, and I want to be able to edit and customize them. I also want my own custom detections in addition to Panther's provided detections.
Best option: Fork the panther-analysis repository, and push detections via panther_analysis_tool upload. You will need to periodically pull changes from the main panther-analysis repository into your fork in order to get the latest detections and updates from Panther. To minimize merge conflicts, put your custom detections in a separate directory.
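The Packs-plus-private-repository option above depends on your custom IDs never colliding with Panther's provided ones. The following is an added example, not Panther's own tooling, of a pre-upload check that scans two checkouts (a panther-analysis clone and your private repository) for RuleID/PolicyID values declared more than once; it assumes those keys sit at column 0 of each metadata .yml file, which is how panther-analysis lays them out, and uses constructed sample files in place of real checkouts.

```python
from __future__ import annotations
import re
from pathlib import Path

# Panther detection metadata YAML carries its identifier in a top-level
# RuleID: or PolicyID: key. A line-anchored regex is enough to read those
# two keys without a YAML library (assumption: the key starts the line).
ID_KEY = re.compile(r"^(?:RuleID|PolicyID)\s*:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)


def extract_ids(yaml_text: str) -> list[str]:
    """Return every RuleID/PolicyID value declared in one metadata file."""
    return ID_KEY.findall(yaml_text)


def find_id_conflicts(provided: dict, custom: dict) -> dict:
    """Map each detection ID that appears in more than one file to the files
    (prefixed with their origin) that declare it. Both inputs are
    {relative_path: yaml_text} mappings: the Panther-provided set and the
    private custom set. An empty result means the upload is safe."""
    owners: dict[str, list[str]] = {}
    for origin, files in (("provided", provided), ("custom", custom)):
        for path, text in files.items():
            for det_id in extract_ids(text):
                owners.setdefault(det_id, []).append(f"{origin}:{path}")
    return {k: v for k, v in owners.items() if len(v) > 1}


def load_metadata_dir(root: str) -> dict:
    """Collect *.yml files under a checked-out repository or directory."""
    base = Path(root)
    return {str(p.relative_to(base)): p.read_text() for p in base.rglob("*.yml")}


# Constructed sample inputs standing in for two checkouts; the IDs are made
# up for this example and are not real Panther rule or policy names.
PROVIDED = {
    "rules/aws/root_login.yml": "AnalysisType: rule\nRuleID: Example.AWS.RootLogin\nEnabled: true\n",
    "policies/aws/s3_public.yml": "AnalysisType: policy\nPolicyID: 'Example.AWS.S3.Public'\n",
}
CUSTOM = {
    "custom/root_login_tuned.yml": 'AnalysisType: rule\nRuleID: "Example.AWS.RootLogin"\n',
    "custom/vpn_brute_force.yml": "AnalysisType: rule\nRuleID: Acme.VPN.BruteForce\n",
}

if __name__ == "__main__":
    # For real repositories: find_id_conflicts(load_metadata_dir(a), load_metadata_dir(b))
    for det_id, files in find_id_conflicts(PROVIDED, CUSTOM).items():
        print(f"conflict: {det_id} declared in {', '.join(files)}")
```

Run it in CI before `panther_analysis_tool upload` and fail the job when the returned mapping is non-empty.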