QUESTION

We currently use both the CLI with our cloned repo and Packs in the Panther console for creating and managing our detections. Since it’s not recommended to use both workflows simultaneously, how should I transition to a CI/CD-only workflow?

ANSWER

To do this, we suggest the following steps:

  1. Move your modified Panther rules to a new folder, for example, yourcompanyname_rules/. Give each moved rule its own RuleID (for example, prefixed with your company name) so it does not collide with the upstream copy that the sync recreates in the original location; RuleIDs must be unique across everything you upload.

    • Note that the sync process will recreate the default version of every rule you moved, and it is that default copy that receives upstream updates. If you want those updates reflected in your modified rule, re-apply your adjustments to the refreshed default copy as needed.

  2. Use the GitHub Actions workflow Panther provides, and make sure it syncs from a Panther release tag rather than from a moving branch.

    • This way the sync never overwrites your work: the rules you moved into the new folder are not touched, and Panther updates only the original upstream rule you used as a template.

  3. Go to your Panther Console and temporarily toggle the "We use the Panther Analysis Tool to manage our detections" option to OFF.

  4. Disable each of your enabled Panther Packs from the console.

  5. Perform another push from your CI/CD to ensure that everything syncs up as expected.

  6. Once everything is set, toggle "We use the Panther Analysis Tool to manage our detections" back to ON to prevent users from enabling a Pack in the console.
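The following script automates step 1 and checks the collision that step 2's sync can otherwise cause. It is an added example, not Panther's tooling: it compares a clone of panther-analysis against a pristine checkout of the release tag the workflow is pinned to (for instance one made with `git worktree add`), moves every rule whose spec or Python body was edited locally into yourcompanyname_rules/, prefixes its RuleID, and then verifies that no RuleID appears twice after the default copies are restored. The prefix `YourCompany`, the directory names and the sample rules are assumptions constructed for the demo.

```python
"""Relocate locally modified Panther rules out of the upstream-managed tree.

Added example, not part of panther-analysis or panther_analysis_tool.
Assumes the upstream tree lives in rules/, that a pristine checkout of the
release tag is available on disk, and that RuleIDs must stay unique.
"""
import re
import shutil
import tempfile
from pathlib import Path

UPSTREAM_DIR = "rules"                # upstream-managed tree in panther-analysis
CUSTOM_DIR = "yourcompanyname_rules"  # the new folder from step 1
ID_PREFIX = "YourCompany"             # assumption: any prefix unique to you

RULE_ID_RE = re.compile(r"^(RuleID:\s*)(\S+)", re.MULTILINE)
FILENAME_RE = re.compile(r"^Filename:\s*(\S+)", re.MULTILINE)


def _same(a: Path, b: Path) -> bool:
    """True when both files exist and are byte-identical."""
    return a.exists() and b.exists() and a.read_bytes() == b.read_bytes()


def modified_rules(repo: Path, release: Path) -> list:
    """Specs under repo/rules that exist upstream but were edited locally
    (spec or Python body). Local-only rules have no upstream copy that a
    sync could overwrite, so they are left where they are."""
    found = []
    for spec in sorted((repo / UPSTREAM_DIR).rglob("*.yml")):
        pristine = release / spec.relative_to(repo)
        if not pristine.exists():
            continue
        changed = not _same(spec, pristine)
        m = FILENAME_RE.search(spec.read_text())
        if m:
            changed = changed or not _same(spec.parent / m.group(1), pristine.parent / m.group(1))
        if changed:
            found.append(spec)
    return found


def relocate(repo: Path, release: Path) -> dict:
    """Move each modified rule (spec + body) into CUSTOM_DIR under the same
    sub-path and give it a prefixed RuleID, so the upstream copy that the next
    sync recreates cannot collide with it. Returns {old_id: new_id}."""
    moved = {}
    for spec in modified_rules(repo, release):
        text = spec.read_text()
        m = RULE_ID_RE.search(text)
        if m is None:
            raise ValueError(f"{spec}: no RuleID line")
        old_id = m.group(2)
        new_id = old_id if old_id.startswith(ID_PREFIX + ".") else f"{ID_PREFIX}.{old_id}"
        dest = repo / CUSTOM_DIR / spec.relative_to(repo / UPSTREAM_DIR)
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(RULE_ID_RE.sub(lambda mm: mm.group(1) + new_id, text, count=1))
        spec.unlink()
        fm = FILENAME_RE.search(text)
        if fm and (spec.parent / fm.group(1)).exists():
            shutil.move(str(spec.parent / fm.group(1)), str(dest.parent / fm.group(1)))
        moved[old_id] = new_id
    return moved


def duplicate_rule_ids(repo: Path) -> list:
    """RuleIDs declared by more than one spec anywhere in the clone. Run this
    after the sync, before uploading: a duplicate means a moved rule kept the
    upstream ID and will clash with the recreated default copy."""
    seen = {}
    for spec in repo.rglob("*.yml"):
        m = RULE_ID_RE.search(spec.read_text())
        if m:
            seen[m.group(2)] = seen.get(m.group(2), 0) + 1
    return sorted(i for i, n in seen.items() if n > 1)


def build_sample(root: Path):
    """Constructed sample data (not real panther-analysis content): a pristine
    release checkout and a clone in which one of two rules was edited."""
    def write_rule(base: Path, rule_id: str, name: str, body: str):
        d = base / UPSTREAM_DIR / "aws"
        d.mkdir(parents=True, exist_ok=True)
        (d / f"{name}.yml").write_text(
            f"AnalysisType: rule\nFilename: {name}.py\nRuleID: {rule_id}\n"
            "Enabled: true\nLogTypes:\n  - AWS.CloudTrail\nSeverity: Medium\n")
        (d / f"{name}.py").write_text(body)

    release, repo = root / "release", root / "repo"
    untouched = "def rule(event):\n    return event.get('eventName') == 'ConsoleLogin'\n"
    for base in (release, repo):
        write_rule(base, "AWS.Sample.ConsoleLogin", "console_login", untouched)
    write_rule(release, "AWS.Sample.RootActivity", "root_activity",
               "def rule(event):\n    return event.get('userIdentity', {}).get('type') == 'Root'\n")
    write_rule(repo, "AWS.Sample.RootActivity", "root_activity",
               "def rule(event):\n    ident = event.get('userIdentity', {})\n"
               "    # local tweak: ignore the break-glass user\n"
               "    return ident.get('type') == 'Root' and ident.get('userName') != 'breakglass'\n")
    return repo, release


def demo() -> dict:
    """Relocate, then simulate the sync restoring the default copies."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, release = build_sample(Path(tmp))
        moved = relocate(repo, release)
        shutil.copytree(release / UPSTREAM_DIR, repo / UPSTREAM_DIR, dirs_exist_ok=True)
        return {"moved": moved,
                "duplicates": duplicate_rule_ids(repo),
                "custom_files": sorted(p.name for p in (repo / CUSTOM_DIR).rglob("*.*"))}


if __name__ == "__main__":
    print(demo())
```

Point `relocate` at your clone and at the worktree of the release tag, commit the result, and let the workflow from step 2 push it; `duplicate_rule_ids` returning an empty list is the condition to check before the push in step 5.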