Why are some of my panther-analysis rules tagged as "Beta"?
Last updated: May 12, 2025
Starting in panther-analysis release v3.77.0, most new rules are released in a "beta" stage before they are refined and considered production-ready. While in this stage, rules will have a "Beta" tag and be set to INFO-level severity.
This means that, if enabled, the rules will process incoming logs but not generate open alerts that need triaging.
Can I use beta rules?
You can enable beta rules and choose to receive alerts from them by changing the severity of the rule from INFO to a higher value.
Note, however, that rules in the beta phase often require additional tuning before being generally available, and so you may experience higher-than-average alert volumes when using beta rules.
What is different now from before Panther had beta rules?
This change is intended to make Panther-managed detections more reliable and stable.
In the past, the lack of a beta phase meant that rules that performed well in Panther's Threat Research sandbox testing could fail at scale when exposed to production log data. With a beta phase, these rules can process production log data and their performance can be evaluated without impacting the efficacy of your security pipeline.
Can I create my own beta rules?
Panther isn't doing anything special under the hood when processing beta rules. The key attributes involved with the "Beta" status are:
- The beta tag (which is just for aesthetic purposes)
- The INFO-level severity, which causes any alerts generated to be closed automatically
If you want to adopt a similar paradigm, you can simply use the same tag and severity.
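To keep track of which beta-tagged rules in your own repository have been raised above INFO and will therefore open alerts, the tag and severity can be audited together. The following is an added example, not code from Panther or panther-analysis: the rule specs are constructed samples, the field names (RuleID, Enabled, Severity, Tags) follow the panther-analysis YAML layout, and `parse_spec` is a hypothetical minimal reader for those four top-level keys, not a full YAML parser.

```python
import re

# Constructed sample specs (not real panther-analysis rules).
SAMPLE_SPECS = {
    "example_new_rule.yml":
        "RuleID: Example.New.Rule\nEnabled: true\nSeverity: Info\nTags:\n  - Beta\n  - Example\n",
    "example_promoted_rule.yml":
        "RuleID: Example.Promoted.Rule\nEnabled: true\nSeverity: Medium\nTags: [Example, Beta]\n",
    "example_stable_rule.yml":
        "RuleID: Example.Stable.Rule\nEnabled: true\nSeverity: High\nTags:\n  - Example\n",
}

def parse_spec(text):
    """Read only the top-level RuleID/Enabled/Severity/Tags keys (assumption: simple specs)."""
    spec, in_tags = {"Tags": []}, False
    for line in text.splitlines():
        item = re.match(r"\s*-\s+(.+)", line)
        if in_tags and item:  # block-style list entry under "Tags:"
            spec["Tags"].append(item.group(1).strip().strip("'\""))
            continue
        in_tags = False
        kv = re.match(r"(RuleID|Enabled|Severity|Tags):\s*(.*)", line)
        if not kv:
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if key == "Tags":
            in_tags = value == ""  # empty value means a block list follows
            spec["Tags"] += [t.strip().strip("'\"")
                             for t in value.strip("[]").split(",") if t.strip()]
        else:
            spec[key] = value.strip("'\"")
    return spec

def audit_beta_rules(specs):
    """Map each Beta-tagged RuleID to True if it will open alerts that need triage."""
    report = {}
    for text in specs.values():
        spec = parse_spec(text)
        if "beta" in (t.lower() for t in spec["Tags"]):
            enabled = spec.get("Enabled", "true").lower() == "true"
            # INFO-level alerts are closed automatically; anything higher stays open.
            report[spec.get("RuleID")] = enabled and spec.get("Severity", "").upper() != "INFO"
    return report

if __name__ == "__main__":
    for rule_id, alerts in audit_beta_rules(SAMPLE_SPECS).items():
        print(f"{rule_id}: {'opens alerts' if alerts else 'INFO only, auto-closed'}")
```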
How long will new rules remain in beta?
The length of time each rule remains in beta will vary, but will typically be at least a few weeks. Rules requiring additional tuning may take longer to exit the beta stage, as time is required after each tuning attempt to verify whether the changes are effective.
Will rules that graduate from beta phase ever be updated in the future?
Yes, rules that are no longer in the beta phase may still be updated in the future. For example, log formats may change, requiring updates to the rule to accommodate upstream changes. However, you can expect the likelihood and frequency of changes to rules to decrease after a rule leaves the beta phase.