How to Disable Base Rules When Uploading Derived Rules in Panther Using the Panther Analysis Tool
Last updated: March 6, 2025
Issue
When uploading derived rules using the Panther Analysis Tool (PAT) with the `--auto-disable-base` option, intending to disable the base rules, the base rules remain enabled. What could the issue be here?
Resolution
To resolve this issue and successfully disable the base rules when uploading your derived rules:
1. Ensure that both base and derived rules are present in the same directory during the upload process.
2. Add the following setting to your `.panther_settings.yml` file in the base directory of your repository:

```yaml
auto_disable_base: true
# ... other settings ...
```

3. When using the PAT `upload` command, include the entire repository or the directory containing both base and derived rules, rather than individual rule files.
4. Make sure that the `upload` command doesn't include the argument `--filter Enabled=true`.
If the issue persists, please contact Panther Support for additional troubleshooting.
Cause
This issue occurs because the disable-base-rule logic in PAT is applied client-side when preparing the upload. PAT gathers all rules to upload, looks for derived rules, then finds the base rules in the upload and turns them off. If the base rule isn't present in the upload, PAT doesn't know it exists and can't disable it.
When uploading rules separately or from different directories, PAT cannot identify the relationship between base and derived rules, resulting in the base rules remaining enabled.
If one or more of your Base Detections has already been uploaded to your Panther instance in an enabled state and you then use one of the above methods to automatically disable Base Detections, ensure you are not including `--filter Enabled=true` on your PAT upload command. If you do, the Base Detections will be disabled client-side before the `Enabled=true` filter is applied, so the newly disabled Base Detections are filtered out and never re-uploaded to your Panther instance (leaving them as they are on the instance, i.e. enabled).
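As an added illustration (not PAT's own code), the following Python models the client-side ordering described in this section: derived rules are located, the base rules they point to within the same upload set are switched off, and only then is any `Enabled` filter applied. The `RuleID`, `Enabled` and `BaseDetection` keys and the rule IDs are constructed for the example.

```python
"""Model of the client-side auto-disable-base ordering (illustrative, not PAT code)."""
from copy import deepcopy
from typing import Dict, List, Optional

# Constructed sample upload set: one base rule and one derived rule that
# references it via the (assumed) BaseDetection key.
RULES: List[Dict] = [
    {"RuleID": "Base.Login.Failed", "Enabled": True},
    {"RuleID": "Derived.Login.Failed", "Enabled": True,
     "BaseDetection": "Base.Login.Failed"},
]


def auto_disable_base(rules: List[Dict]) -> List[Dict]:
    """Turn off every base rule that a derived rule in the same set points to.

    A base rule that is not in `rules` is unknown here and is left untouched,
    which is why base and derived rules must be uploaded together.
    """
    staged = deepcopy(rules)
    bases = {r["BaseDetection"] for r in staged if "BaseDetection" in r}
    for rule in staged:
        if rule["RuleID"] in bases:
            rule["Enabled"] = False
    return staged


def apply_enabled_filter(rules: List[Dict], enabled: Optional[bool]) -> List[Dict]:
    """Model --filter Enabled=<value>; None means no filter was given."""
    if enabled is None:
        return rules
    return [r for r in rules if r.get("Enabled", False) == enabled]


def plan_upload(rules: List[Dict], filter_enabled: Optional[bool] = None,
                disable_base: bool = True) -> Dict[str, bool]:
    """Return {RuleID: Enabled} for the rules that would actually be uploaded."""
    staged = auto_disable_base(rules) if disable_base else deepcopy(rules)
    staged = apply_enabled_filter(staged, filter_enabled)
    return {r["RuleID"]: r["Enabled"] for r in staged}


if __name__ == "__main__":
    print("both in upload, no filter:", plan_upload(RULES))
    print("with --filter Enabled=true:", plan_upload(RULES, filter_enabled=True))
    print("derived rule uploaded alone:", plan_upload(RULES[1:]))
```

The second and third calls show the two failure modes from this article: the filter drops the just-disabled base rule from the upload, and a derived rule uploaded without its base gives PAT nothing to disable.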