Using Panther-managed Detections

Enable prewritten detections, with the option to customize

Overview

Panther comes with a number of out-of-the-box Python detections, called Panther-managed detections. Panther has written the core logic of these detections and periodically releases improvements for them. Using Panther-managed detections not only saves you the effort of having to write your own from scratch, but also provides the ongoing benefit of receiving improvements to core detection logic over time, as Panther releases new versions.

A Panther-managed detection can be:

You can work with Panther-managed detections in your Panther Console, or by using Panther CLI workflows.

Most Panther-managed detections are contained within Detection Packs—logical groupings of detections—though some aren't, typically because they require some additional configuration, such as adding custom values to an allowlist or denylist. Excluding these detections from Packs reduces the likelihood of them being enabled without the required configuration and generating false positive alerts. Some examples of Panther-managed detections that are not in a Pack are:

Currently, only Python Panther-managed detections are available for you to clone, modify and upload. Panther-managed Simple Detections are planned for a future release.
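The following is an added example, not a Panther-managed detection or any code from Panther's repositories. It shows the shape of a Python rule that depends on an operator-supplied allowlist, which is the kind of detection the section above says is kept out of Packs: the `rule()`, `title()` and `severity()` function names follow the Panther Python rule convention, while the `ALLOWED_ADMIN_USERS` set, the event field names and the sample events are all constructed assumptions. Running the same core logic with an empty allowlist shows why enabling such a detection without configuration produces false positives.

```python
# Added example of a Panther-style Python rule that needs operator configuration.
# Not Panther's code; field names, allowlist and events are constructed.

# Operator-supplied configuration (assumption). Shipped in a Pack with this set
# empty, every admin role grant would alert.
ALLOWED_ADMIN_USERS = {"alice@example.com", "bob@example.com"}  # constructed


def is_unexpected_admin_grant(event, allowlist):
    """Core logic: an admin role grant whose actor is not on the allowlist."""
    if event.get("action") != "admin.role_grant":
        return False
    return event.get("actor", "") not in allowlist


def rule(event):
    """Panther-style entry point: returns True when the event should alert."""
    return is_unexpected_admin_grant(event, ALLOWED_ADMIN_USERS)


def title(event):
    """Alert title, built from the actor in the event."""
    return f"Admin role grant by unexpected actor {event.get('actor', '<unknown>')}"


def severity(event):
    """Dynamic severity: escalate when the grant targets the superuser role."""
    return "CRITICAL" if event.get("role") == "superuser" else "HIGH"


def count_alerts(events, allowlist):
    """Run the core logic over a batch with a given allowlist; return the alert count."""
    return sum(1 for e in events if is_unexpected_admin_grant(e, allowlist))


# Constructed sample events (not real log data).
EVENTS = [
    {"action": "admin.role_grant", "actor": "alice@example.com", "role": "editor"},
    {"action": "admin.role_grant", "actor": "mallory@example.com", "role": "superuser"},
    {"action": "user.login", "actor": "mallory@example.com"},
]

if __name__ == "__main__":
    for e in EVENTS:
        if rule(e):
            print(severity(e), title(e))
    # With the allowlist configured only the unexpected grant alerts;
    # with an empty allowlist both grants alert, including alice's routine one.
    print("configured:", count_alerts(EVENTS, ALLOWED_ADMIN_USERS))
    print("unconfigured:", count_alerts(EVENTS, set()))
```

The difference between the two `count_alerts` calls is the reason the page gives for excluding such detections from Packs: the core logic is sound, but until the allowlist reflects your environment, every routine grant is indistinguishable from a suspicious one.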

How to use Panther-managed detections

Viewing available Panther-managed detections

The full list of Panther-managed detections is viewable on Panther's website, as well as in the Console and on GitHub, as explained below.

Viewing available Panther-managed detections in the Panther Console

You can view Panther-managed detections in your Console:

  1. In the left-hand navigation bar of your Panther Console, click Detections.

  2. Click the Filters icon.

  3. In the Created by filter, choose Created by Panther.

  4. Optionally, select the rule Data Sources you'd like to view detections for.

  5. Click Apply Filters.

Note that only Panther-managed detections included in a Pack are available by default in your Panther instance. If you would like to work with a Panther-managed detection not included in a Pack (like one of the ones listed above), contact your Panther support team for help loading it in.

Enabling and disabling Panther-managed detections

Panther-managed detections can be enabled and disabled in your Panther Console or by using Panther CLI workflows:

Enabling and disabling Panther-managed detections in the Panther Console

Panther-managed detections can be enabled and disabled in your Panther Console.

To enable or disable a Panther-managed detection from the detections list page:

  1. In the left-hand navigation bar of your Panther Console, click Detections.

    • Find the Panther-managed detection you'd like to enable or disable.

  2. At the top of the page, click Enable or Disable.

To enable or disable a Panther-managed detection from its details page:

  1. In the left-hand navigation bar of your Panther Console, click Detections.

    • Find the Panther-managed detection you'd like to enable or disable.

  2. Click the detection's name to be taken to its details page.

  3. In the upper right corner, switch the Enabled toggle ON or OFF.

  4. In the upper right corner, click Update.

Update or roll back a Panther-managed detection

To update your Panther-managed detection when Panther releases a new version (or revert to a previous one), follow the Update or roll back Detection Pack instructions on Detection Packs.

Note that only those Panther-managed detections included in Detection Packs are versioned, and therefore eligible to be updated or rolled back.

How to customize a Panther-managed detection

You can customize a Panther-managed detection by adding Inline Filters, modifying its editable fields, or using detection inheritance. These options allow you to add your own tuning and customizations while still receiving updates to core detection logic from Panther.

If you need to modify the core rule logic of a Panther-managed detection (which is read-only), you can alternatively clone and edit it. Because a cloned detection is managed by you, not Panther, it won't receive Panther's improvements to core detection logic over time. For this reason, we recommend using the customization techniques outlined in this section, if possible.

Inline Filters

You can easily tune Panther-managed rules by adding Rule Filters. See Modifying Detections with Inline Filters for detailed instructions.

Inline Filters will be preserved if the customized detection is part of a Detection Pack, and the Pack is updated or reverted to a different version.

Note that Inline Filters apply only to rules, not to policies or scheduled rules.

Editable fields

Panther-managed detections, while disallowing you from editing core detection logic, do allow you to customize certain metadata fields in the Panther Console. (All other fields will be greyed out in the Panther Console, and the Rule Function and Unit Test editors will be read-only.) These editable fields include:

  • Enabled / Disabled

  • Severity

  • Deduplication Period

  • Events Threshold

  • Destination Overrides

  • Runbook

Any changes made to these fields in the Panther Console will be preserved if the customized detection is part of a Detection Pack, and the Pack is updated or reverted to a different version.

You can make changes to the editable fields in the Panther Console:

  1. In the left-hand navigation bar of your Panther Console, click Build > Detections.

  2. Locate the detection you want to edit, then click on its name to be brought to its details page.

  3. Scroll down to the Set Alert Fields section.

  4. Make any desired changes to the detection.

    • Fields that are not editable will be greyed out.

  5. Click Update in the upper right side of the page to save your changes.

Detection inheritance

With detection inheritance, you can use Panther-managed detections as Base Detections, from which you can create your own Derived Detections. Derived Detections inherit the Base Detection's core logic, which is immutable, as well as its metadata field values, which can be overridden.

For more information, see Detection Inheritance.
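As an added example covering both the Inline Filters and Detection inheritance sections above, the following Python models the customization pattern the page recommends: a base detection's core `rule()` stays untouched and is shared by a derived detection, which adds an exclusion filter and overrides editable metadata (Severity, Deduplication Period). This is illustrative code, not Panther's implementation of inheritance or filters; the `Detection` class, `derive()` and `run()` helpers, the field names and the sample events (using TEST-NET addresses) are constructed assumptions.

```python
# Added example modelling base/derived detections with inline filters.
# Not Panther's code; the Detection class, helpers, fields and events are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]


@dataclass(frozen=True)
class Detection:
    detection_id: str
    rule: Callable[[Event], bool]          # core logic; shared by derived copies
    metadata: Dict[str, object]            # editable fields, e.g. Severity, DedupPeriodMinutes
    filters: List[Callable[[Event], bool]] = field(default_factory=list)  # event must pass all


def derive(base: Detection, new_id: str, extra_filters=(), **overrides) -> Detection:
    """Derived detection: same rule() object, metadata overridden, filters appended."""
    return Detection(
        detection_id=new_id,
        rule=base.rule,
        metadata={**base.metadata, **overrides},
        filters=[*base.filters, *extra_filters],
    )


def run(detection: Detection, events) -> List[Tuple[str, str]]:
    """Apply inline filters first, then the core rule; return (src_ip, severity) per alert."""
    alerts = []
    for event in events:
        if not all(f(event) for f in detection.filters):
            continue  # excluded by an inline filter before the rule ever sees it
        if detection.rule(event):
            alerts.append((str(event["src_ip"]), str(detection.metadata["Severity"])))
    return alerts


def failed_login_outside_corp(event: Event) -> bool:
    """Base core logic (constructed): failed login from outside the 10.0.0.0/8 range."""
    return event.get("outcome") == "failure" and not str(event.get("src_ip", "")).startswith("10.")


# Base detection with its default metadata (constructed values).
BASE = Detection(
    "Console.Login.Failure",
    failed_login_outside_corp,
    {"Severity": "MEDIUM", "DedupPeriodMinutes": 60, "Threshold": 1},
)

# Derived detection: exclude the known vulnerability scanner and raise severity;
# the core rule is inherited unchanged.
DERIVED = derive(
    BASE,
    "Console.Login.Failure.Derived",
    extra_filters=[lambda e: e.get("src_ip") != "203.0.113.10"],
    Severity="HIGH",
    DedupPeriodMinutes=15,
)

# Constructed sample events using TEST-NET documentation addresses.
EVENTS = [
    {"outcome": "failure", "src_ip": "10.1.2.3", "user": "alice"},
    {"outcome": "failure", "src_ip": "203.0.113.10", "user": "scanner"},
    {"outcome": "failure", "src_ip": "198.51.100.7", "user": "bob"},
    {"outcome": "success", "src_ip": "198.51.100.7", "user": "bob"},
]

if __name__ == "__main__":
    print("base:   ", run(BASE, EVENTS))
    print("derived:", run(DERIVED, EVENTS))
    print("shared core logic:", DERIVED.rule is BASE.rule)
```

Because the derived detection holds a reference to the base's `rule` rather than a copy, any later change to the base logic is picked up automatically, which is the property the page attributes to inheritance and filters over cloning: tuning lives outside the core logic, so updates to that logic keep flowing.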

How to clone a Panther-managed detection

If a Panther-managed detection doesn't fit your needs, you can clone it, then edit the cloned copy:

  1. In the left-hand navigation bar of your Panther Console, click Build > Detections.

  2. Locate the detection you want to clone, then click on its name.

  3. You will be redirected to the standard detection creation interface. Optionally update the cloned detection's Name.

    • The name of a cloned detection, by default, will have (Copy) appended to it.

  4. In the upper-right corner, click Continue.

  5. On the cloned detection's details page, make any desired changes to your cloned copy of the detection.

    • The Enabled toggle will default to the enabled status of the original detection, i.e., if the Panther-managed detection was disabled, the toggle will be set to OFF.

Note that cloning and editing a detection does not change the Enabled status of the original detection. This means that if the original Panther-managed detection was enabled but you intend for your customized copy to replace it, you must go back and disable the Panther-managed detection.

The cloned detection will not be managed by Panther or receive continuous updates (as Panther-managed detections included in Detection Packs do). The original version of the detection (if contained in a Pack) will continue to receive updates as normal, whether it is enabled or disabled.

Alert runbooks for Panther-managed detections

An alert runbook is a set of directions for remediating an issue that triggered an alert. Panther provides alert runbooks for a number of Panther-managed policies and rules—find them in Alert Runbooks.