Detections
Use detections to analyze data and trigger alerts on suspicious behavior
Last updated
Was this helpful?
Use detections to analyze data and trigger alerts on suspicious behavior
Last updated
Was this helpful?
Detections are segments of logic run over real-time or historical log events, to identify suspicious behavior and generate signals, and optionally alerts. Your team can leverage detections-as-code by creating detections in Python, or use Panther's features to collaborate on detection creation and management, no matter your level of technical expertise.
There are four types of detections:
Rules: Detect suspicious activity in security logs in real-time.
In the Console, rules can be created by using the Simple Detection builder, or by writing Python.
In the CLI workflow, rules can be written in Simple Detections YAML or Python.
For more information, see Rules and Scheduled Rules.
Scheduled Rules: Run against results from scheduled queries on your data lake.
In the Console, scheduled rules can be created by writing Python.
In the CLI workflow, scheduled rules can be created by writing Python.
For more information, see Rules and Scheduled Rules.
Correlation rules: Detect when a group or sequence of events has occurred.
In the Console, correlation rules can be created by .
In the CLI workflow, correlation rules can be created by .
For more information, see Correlation Rules.
Policies: Scan and evaluate cloud infrastructure configurations to identify misconfigurations.
In the Console, policies can be created by writing Python.
In the CLI workflow, policies can be created by writing Python.
For more information, see Policies.
When there's a match on a rule, scheduled rule, or correlation rule, a signal is created—and, if alerting is enabled, a rule match. Policies, on each match, generate a compliance failure.
You can create and manage Panther detections using one of the following methods:
Panther Console
Construct your own detections in the Console using the Simple Detection builder, or by writing Python.
Enable Panther-managed Python detections (individually, or in Detection Packs) to get started quickly, with no additional configuration necessary.
Write detections locally as either Simple Detections or Python detections.
Learn more about managing Panther detections using a Continuous Integration and Continuous Deployment workflow in our CI/CD Guide.
CLI workflows include using Panther Analysis Tool (PAT), an open source utility for testing, packaging, and deploying Panther detections from source code.
The quickest way to start detecting threats with Panther is to turn on the already written Panther-managed detections that come with your Panther instance. These built-in rules and policies are applicable to various log sources, and Panther periodically releases improvements to their core detection logic. Panther-managed rules can be customized using Rule Filters, or you can clone them and edit the detection logic of the cloned version to suit your exact needs.
It's also possible to quickly generate rules in Panther by converting Sigma rules.
If you'd rather create your own detections from scratch, learn how on the following pages:
Simple Detections refers to the set of Panther features that makes it easy for users with all levels of technical skill to create and manage detections in Panther. These features include:
Simple Detection builder: In the Panther Console, you can use the Simple Detection builder to create and edit rules without writing code.
Simple Detections written in the CLI workflow: When you write Simple Detections in the CLI workflow (in YAML), then upload them to Panther, they will be represented in the Panther Console in the Simple Detection builder.
Together, these features allow team members with various levels of YAML experience to understand and collaborate on detections.
Panther’s Schemas provide helpful information on the types of fields contained within your data, which makes it easier to understand how to interact with your data when writing a Detection.
Schema definitions can be found in:
Panther's documentation
See schemas for each integration within the Supported Logs section of the documentation. Find more information about Custom Log schemas in Custom Logs.
The Panther Console
Log in to the Panther Console and navigate to Data > Schemas.
Data Explorer makes it easier to understand and investigate data, location of data, and data types when writing Python code. It contains all the data Panther parses from your log sources and stores the data in tables.
Explore and find log events by searching the relevant table for the log type you are interested in writing a detection for.
You can preview example table data without writing SQL. To generate a sample SQL query for that log source, click the eye icon next to the table type:
When the query has produced results, you will see the example log events in the Results table. You can download these as a CSV file.
To copy the log event to be used in Unit Tests while writing detections, click View JSON.
This section previously explained how signals and alerts differ from "rule matches." Panther will stop writing to panther_rule_matches, panther_rule_errors, and panther_views in June 2025. Data written to these locations is already being concurrently written to a new location, and no historical data will be lost. Learn more about the change in this Knowledge Base article.
Each time there is a match on a rule, scheduled rule, or correlation rule:
A signal is generated. This is true regardless of any configuration set on the rule, scheduled rule, or correlation rule.
If the rule, scheduled rule, or correlation rule has alerting enabled (i.e., in the Console, Create Alert is set to ON, or in the CLI workflow CreateAlert is set to true), an alert is generated (according to the detection's event threshold and deduplication configurations). If alerting is disabled for the detection, an alert is not generated.
Each time there is a match on a policy, a compliance failure is created (and not a signal). Policies cannot be configured to disable alerting.
Rule matches can trigger alerts according to the detection's event threshold and deduplication configurations. Alerts are then based on configurations on the detection and destination. Learn more about the .
You'll need to decide whether you'd like to . Then you can get started .
If you use —the set of features that allows users of varying technical skill to create and edit detections—it is possible to use both the Panther Console and the CLI workflow to collaborate on detections, to an extent. Learn more in .
You may want to get started quickly by enabling in the Panther Console, but then later transition to using the CI/CD workflow. (Using both the Console and CI/CD workflows simultaneously is not supported.) To migrate your workflow to CI/CD, follow the instructions on Migrating to a CI/CD Workflow.
Inline Filters are conditional statements that are evaluated before a detection's rule function. You can apply Inline Filters to easily tune detections, including . A filter must return true (i.e., match the event) for the rule function, which is written in code, to then be run. Based on the detection's log type, you can select a field to filter on. From there, you will specify the operator and, if applicable, input a value. To learn more, see Modifying Detections with Inline Filters.
