Using Panther-managed Detections
Enable prewritten detections, with the option to customize
Panther comes with a number of out-of-the-box detections, called Panther-managed detections. Panther has written the core logic of these detections and periodically releases improvements for them. A Panther-managed rule can be tailored to meet your precise need by easily tuning it with Rule Filters. You can work with Panther-managed detections in your Panther Console, or by using Panther Developer Workflows.
Using Panther-managed detections not only saves you the effort of having to write your own from scratch, but also provides the ongoing benefit of receiving improvements to core detection logic over time, as Panther releases new versions.
Most Panther-managed detections are contained within Detection Packs—logical groupings of detections—though some aren't, typically because they require some additional configuration, such as adding custom values to an allowlist or denylist. Excluding these detections from Packs reduces the likelihood of them being enabled without the required configuration and generating false positive alerts. Some examples of Panther-managed detections that are not in a Pack are:
The full list of Panther-managed detections is viewable on Panther's website, as well as in the Console and on GitHub, as explained below.
Panther Console
GitHub
You can view Panther-managed detections in your Console:
- 1.Log in to your Panther Console.
- 2.Navigate to Build > Detections.
- 3.In the upper right corner, click Filters.
- In the Created by filter, choose Created by Panther.
- Optionally, select the Log Types you'd like to view detections for.
- Click Apply Filters.
Note that only Panther-managed detections included in a Pack are available by default in your Panther instance. If you would like to work with a Panther-managed detection not included in a Pack (like one of the ones listed above), contact your Panther support team for help loading it in.
You can view all Panther-managed detections in Panther's public panther-analysis GitHub repository. They are located in the rules and policies subdirectories.
Panther-managed detections can be enabled and disabled in your Panther Console or by using Panther Developer Workflows.
Panther Console
Panther Developer Workflows
Panther-managed detections can be enabled and disabled in your Panther Console.
To enable or disable a Panther-managed detection from the detections list page:
- 1.Log in to your Panther Console.
- 2.Navigate to Build > Detections.
- Find the Panther-managed detection you'd like to enable or disable.
- 3.To the left of the detection name, click the checkbox.
- 4.At the top of the page, click Enable or Disable.
To enable or disable a Panther-managed detection from its details page:
- 1.Log in to your Panther Console.
- 2.Navigate to Build > Detections.
- Find the Panther-managed detection you'd like to enable or disable.
- 3.Click the detection's name, to be taken to its details page.
- 4.In the upper right corner, click Edit.
- 5.In the upper right corner, switch the Enabled toggle ON or OFF.
- 6.In the upper right corner, click Update.
Note that only Panther-managed detections included in a Pack are available by default in your Panther instance. If you would like to work with a Panther-managed detection not included in a Pack (like one of the ones listed above), contact your Panther support team for help loading it in.
Learn how to enable and disable Panther-managed detections using the Panther Developer Workflow in Using the Panther detections repo.
To update your Panther-managed detection when Panther releases a new version (or revert to a previous one), follow the Update or roll back Detection Pack instructions on Detection Packs.
Note that only those Panther-managed detections included in Detection Packs are versioned, and therefore eligible to be updated or rolled back.
You can customize a Panther-managed detection by adding Rule Filters or modifying its editable fields. For Panther-managed detections included in Detection Packs, this means you can add your own tuning while still being able to upgrade your detections as Panther releases updates to core detection logic.
If you need to modify the core rule logic of a Panther-managed detection (which is read-only), you can alternatively clone and edit it. Because a cloned detection is managed by you, not Panther, it won't receive Panther's improvements to core detection logic over time. For this reason, we recommend using the customization techniques outlined in this section, if possible.
You can easily tune Panther-managed rules by adding Rule Filters. See Modifying Detections with Rule Filters for detailed instructions.
Rule Filters will be preserved if the customized detection is part of a Detection Pack, and the Pack is updated or reverted to a different version.
Note that Rule Filters are applicable only to rules, not policies nor scheduled rules.
Panther-managed detections, while disallowing you from editing core detection logic, do allow you to customize certain metadata fields in the Panther Console. (All other fields will be greyed out in the Panther Console, and the Rule Function and Unit Test editors will be read-only.) These editable fields include:
- Enabled / Disabled
- Severity
- Deduplication Period
- Events Threshold
- Destination Overrides
Any changes made to these fields in the Panther Console will be preserved if the customized detection is part of a Detection Pack, and the Pack is updated or reverted to a different version.
You can make changes to the editable fields in the Panther Console:
- 1.Log in to your Panther Console.
- 2.Navigate to Build > Detections.
- 3.Locate the detection you want to edit, then click on its name to be brought to its details page.
- 4.On the detection's details page, click Edit in the upper right side.
- You will be presented with all the fields that you can edit.
- 5.Click Update in the upper right side of the page to save your changes.
If a Panther-managed detection doesn't fit your needs, you can clone it, then edit the cloned copy:
- 1.Log in to your Panther Console.
- 2.Navigate to Build > Detections.
- 3.Locate the detection you want to edit, then click on the detection.
- 4.In the page that opens, click Clone & edit in the upper right.
- 5.You will be redirected to the standard detection creation interface. Here, make any desired changes to your cloned copy of the detection. Note the following:
- The display name of a cloned detection will have
(Copy)appended to it. - The Enabled toggle will default to the enabled status of the original detection, i.e., if the Panther-managed detection was disabled, the toggle will be set to OFF.
- 6.Click Save in the upper right.
Note that cloning and editing a detection does not changed the Enabled status of the original detection. This means if the original Panther-managed detection was enabled but you intend for your customized copy to replace it, you must go back and disable the Panther-managed detection.
The cloned detection will not be managed by Panther or receive continuous updates (as Panther-managed detections included in Detection Packs do). The original version of the detection (if contained in a Pack) will continue to receive updates as normal, whether it is enabled or disabled.
An alert runbook is a set of directions for remediating an issue that triggered an alert. Panther provides alert runbooks for a number of Panther-managed policies and rules—find them in Alert Runbooks.
Last modified 8d ago