Using Panther-managed Detections
Enable prewritten detections, with the option to customize
Overview
Panther comes with a number of out-of-the-box Python detections, called Panther-managed detections. Panther has written the core logic of these detections and periodically releases improvements for them. Using Panther-managed detections not only saves you the effort of having to write your own from scratch, but also provides the ongoing benefit of receiving improvements to core detection logic over time, as Panther releases new versions.
A Panther-managed detection can be:
Enabled and tuned with Inline Filters and/or its editable fields
Used as a Base Detection with detection derivation
Cloned and edited (cloned detections are not managed by Panther and do not receive continuous updates)
You can work with Panther-managed detections in your Panther Console, or by using Panther CLI workflows.
Most Panther-managed detections are contained within Detection Packs—logical groupings of detections—though some aren't, typically because they require some additional configuration, such as adding custom values to an allowlist or denylist. Excluding these detections from Packs reduces the likelihood of them being enabled without the required configuration and generating false positive alerts. Some examples of Panther-managed detections that are not in a Pack are:
Currently, only Python Panther-managed detections are available for you to clone, modify and upload. Panther-managed Simple Detections are planned for a future release.
How to use Panther-managed detections
Viewing available Panther-managed detections
The full list of Panther-managed detections is viewable on Panther's website, as well as in the Console and on GitHub, as explained below.
Viewing available Panther-managed detections in the Panther Console
You can view Panther-managed detections in your Console:
In the left-hand navigation bar of your Panther Console, click Build > Detections.
In the upper right corner, click Filters.
Optionally, select the Log Types you'd like to view detections for.
Click Apply Filters.
Note that only Panther-managed detections included in a Pack are available by default in your Panther instance. If you would like to work with a Panther-managed detection not included in a Pack (like one of the ones listed above), contact your Panther support team for help loading it in.
Enabling and disabling Panther-managed detections
Panther-managed detections can be enabled and disabled in your Panther Console or by using Panther CLI workflows:
Enabling and disabling Panther-managed detections in the Panther Console
Panther-managed detections can be enabled and disabled in your Panther Console.
To enable or disable a Panther-managed detection from the detections list page:
In the left-hand navigation bar of your Panther Console, click Build > Detections.
Find the Panther-managed detection you'd like to enable or disable.
At the top of the page, click Enable or Disable.
To enable or disable a Panther-managed detection from its details page:
In the left-hand navigation bar of your Panther Console, click Build > Detections.
Find the Panther-managed detection you'd like to enable or disable.
Click the detection's name, to be taken to its details page.
In the upper right corner, switch the Enabled toggle ON or OFF.
In the upper right corner, click Update.
Note that only Panther-managed detections included in a Pack are available by default in your Panther instance. If you would like to work with a Panther-managed detection not included in a Pack (like one of the ones listed above), contact your Panther support team for help loading it in.
Update or roll back a Panther-managed detection
To update your Panther-managed detection when Panther releases a new version (or revert to a previous one), follow the Update or roll back Detection Pack instructions on Detection Packs.
Note that only those Panther-managed detections included in Detection Packs are versioned, and therefore eligible to be updated or rolled back.
How to customize a Panther-managed detection
You can customize a Panther-managed detection by adding Inline Filters, modifying its editable fields, or using detection inheritance. These options allow you to add your own tuning and customizations while still receiving updates to core detection logic from Panther.
If you need to modify the core rule logic of a Panther-managed detection (which is read-only), you can alternatively clone and edit it. Because a cloned detection is managed by you, not Panther, it won't receive Panther's improvements to core detection logic over time. For this reason, we recommend using the customization techniques outlined in this section, if possible.
Inline Filters
You can easily tune Panther-managed rules by adding Rule Filters. See Modifying Detections with Inline Filters for detailed instructions.
Inline Filters will be preserved if the customized detection is part of a Detection Pack, and the Pack is updated or reverted to a different version.
Note that Inline Filters are applicable only to rules, not policies nor scheduled rules.
Editable fields
Panther-managed detections, while disallowing you from editing core detection logic, do allow you to customize certain metadata fields in the Panther Console. (All other fields will be greyed out in the Panther Console, and the Rule Function and Unit Test editors will be read-only.) These editable fields include:
Enabled / Disabled
Severity
Deduplication Period
Events Threshold
Destination Overrides
Runbook
Any changes made to these fields in the Panther Console will be preserved if the customized detection is part of a Detection Pack, and the Pack is updated or reverted to a different version.
You can make changes to the editable fields in the Panther Console:
In the left-hand navigation bar of your Panther Console, click Build > Detections.
Locate the detection you want to edit, then click on its name to be brought to its details page.
Scroll down to the Set Alert Fields section.
Make any desired changes to the detection.
Fields that are not editable will be greyed out.
Click Update in the upper right side of the page to save your changes.
Detection inheritance
With detection inheritance, you can use Panther-managed detections as Base Detections, from which you can create your own Derived Detections. Derived Detections inherit the Base Detection's core logic, which is immutable, as well as its metadata field values, which can be overwritten.
For more information, see Detection Inheritance.
How to clone a Panther-managed detection
If a Panther-managed detection doesn't fit your needs, you can clone it, then edit the cloned copy:
In the left-hand navigation bar of your Panther Console, click Build > Detections.
Locate the detection you want to edit, then click on its name.
You will be redirected to the standard detection creation interface. Optionally update the cloned detection's Name.
The name of a cloned detection, by default, will have
(Copy)appended to it.
In the upper-right corner, click Continue.
On the cloned detection's details page, make any desired changes to your cloned copy of the detection.
The Enabled toggle will default to the enabled status of the original detection, i.e., if the Panther-managed detection was disabled, the toggle will be set to OFF.
Note that cloning and editing a detection does not changed the Enabled status of the original detection. This means if the original Panther-managed detection was enabled but you intend for your customized copy to replace it, you must go back and disable the Panther-managed detection.
The cloned detection will not be managed by Panther or receive continuous updates (as Panther-managed detections included in Detection Packs do). The original version of the detection (if contained in a Pack) will continue to receive updates as normal, whether it is enabled or disabled.
Alert runbooks for Panther-managed detections
An alert runbook is a set of directions for remediating an issue that triggered an alert. Panther provides alert runbooks for a number of Panther-managed policies and rules—find them in Alert Runbooks.
Last updated
