How to bulk download my enabled detections or specific detection types in Panther?

Last updated: May 27, 2025

QUESTION

How to bulk download my enabled detections or specific detection types in Panther?

ANSWER

You can manually download all detection entities by following these instructions. If there are numerous results and multiple pages, to avoid downloading each page manually, you can use the "Download all entities" option and follow the steps below:

  • Unzip the contents of the file.

  • Launch your terminal and use the cd command to navigate to the directory containing the extracted files.

  • Run the following command (it uses process substitution, so it must be run in bash):

    enabled=$(grep -l 'Enabled: true' -- *.yml); \
    valid=$(grep -El 'AnalysisType: (rule|policy|scheduled_rule|correlation_rule)' -- *.yml); \
    keep=$(comm -12 <(echo "$enabled" | sort) <(echo "$valid" | sort) | sed 's/\.yml$//'); \
    for f in *.yml; do base="${f%.yml}"; if ! echo "$keep" | grep -qxF "$base"; then echo "Deleting $f"; rm "$f"; fi; done; \
    for f in *.py; do base="${f%.py}"; if ! echo "$keep" | grep -qxF "$base"; then echo "Deleting $f"; rm "$f"; fi; done

This bash command performs the following actions:

  • Filters for .yml files that include:

    • Enabled: true

  • and that also contain one of the following values:

    • AnalysisType: rule

    • AnalysisType: policy

    • AnalysisType: scheduled_rule

    • AnalysisType: correlation_rule

  • Keeps the .py files whose filename base matches one of the kept .yml files.

  • Deletes all other files.

To customize the filtering criteria (for example, to keep only a single AnalysisType), edit the grep patterns in the command accordingly.
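As an added example that is not part of the Panther article, the same filter written as a shell function that takes the AnalysisType alternation as a parameter and supports a dry-run mode, exercised against a constructed set of sample files; the names prune_detections, make_sample and PRUNE_KEPT are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Panther's code): keep only enabled detections whose
# AnalysisType matches a chosen alternation such as 'rule|policy', plus the
# .py files sharing their base name, and delete everything else. A third
# argument of 1 turns on dry-run mode (report only). Base names are matched
# literally (grep -F), so dots in file names cannot act as regex wildcards.
# Usage: prune_detections <dir> <types-regex> [dry-run]
prune_detections() {
  dir="$1"; types="$2"; dry="${3:-0}"; keep=""
  for f in "$dir"/*.yml; do
    [ -e "$f" ] || continue            # unmatched glob: no .yml files at all
    if grep -q 'Enabled: true' -- "$f" \
       && grep -Eq "AnalysisType: ($types)[[:space:]]*\$" -- "$f"; then
      keep=$(printf '%s\n' "$keep" "$(basename "$f" .yml)")
    fi
  done
  # Number of kept base names, visible to the caller (0 when nothing qualifies).
  PRUNE_KEPT=$(printf '%s\n' "$keep" | grep -c . || true)
  for f in "$dir"/*.yml "$dir"/*.py; do
    [ -e "$f" ] || continue
    base=$(basename "$f"); base="${base%.*}"
    if ! printf '%s\n' "$keep" | grep -qxF -- "$base"; then
      basename "$f"                     # report each file that is (or would be) removed
      [ "$dry" = 1 ] || rm -- "$f"
    fi
  done
}

# Constructed sample set (not real Panther content): one enabled rule, one
# disabled rule, one enabled policy and a global helper, each with a .py file.
make_sample() {
  d=$(mktemp -d)
  printf 'AnalysisType: rule\nEnabled: true\n'   > "$d/a.yml"; : > "$d/a.py"
  printf 'AnalysisType: rule\nEnabled: false\n'  > "$d/b.yml"; : > "$d/b.py"
  printf 'AnalysisType: policy\nEnabled: true\n' > "$d/c.yml"; : > "$d/c.py"
  printf 'AnalysisType: global\nEnabled: true\n' > "$d/helper.yml"; : > "$d/helper.py"
  echo "$d"
}
```

Run a dry pass first (third argument 1) to review the list of files that would be deleted before running it for real.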