Using Panther-managed Detections
Enable prewritten detections, with the option to customize
Last updated
Was this helpful?
Enable prewritten detections, with the option to customize
Last updated
Was this helpful?
Panther comes with a number of out-of-the-box Python detections, called Panther-managed detections. Panther has written the core logic of these detections and periodically releases improvements for them. Using Panther-managed detections not only saves you the effort of having to write your own from scratch, but also provides the ongoing benefit of receiving improvements to core detection logic over time, as Panther releases new versions.
A Panther-managed detection can be:
Enabled and tuned with and/or its
Used as a Base Detection with
(cloned detections are not managed by Panther and do not receive continuous updates)
You can work with Panther-managed detections in your Panther Console, or by using .
Most Panther-managed detections are contained within —logical groupings of detections—though some aren't, typically because they require some additional configuration, such as adding custom values to an allowlist or denylist. Excluding these detections from Packs reduces the likelihood of them being enabled without the required configuration and generating false positive alerts. Some examples of Panther-managed detections that are not in a Pack are:
The full list of Panther-managed detections is viewable in the Console and on GitHub, as explained below.
You can view Panther-managed detections in your Console:
In the left-hand navigation bar of your Panther Console, click Detections.
Click Filters icon.
In the Created by filter, choose Created by Panther.
Optionally, select the rule Data Sources you'd like to view detections for.
Click Apply Filters.
Panther-managed detections can be enabled and disabled in your Panther Console or by using Panther CLI workflows:
Panther-managed detections can be enabled and disabled in your Panther Console.
To enable or disable a Panther-managed detection from the detections list page:
In the left-hand navigation bar of your Panther Console, click Detections.
Find the Panther-managed detection you'd like to enable or disable.
At the top of the page, click Enable or Disable.
To enable or disable a Panther-managed detection from its details page:
In the left-hand navigation bar of your Panther Console, click Detections.
Find the Panther-managed detection you'd like to enable or disable.
Click the detection's name, to be taken to its details page.
In the upper right corner, switch the Enabled toggle ON or OFF.
In the upper right corner, click Update.
Note that only those Panther-managed detections included in Detection Packs are versioned, and therefore eligible to be updated or rolled back.
Inline Filters will be preserved if the customized detection is part of a Detection Pack, and the Pack is updated or reverted to a different version.
Note that Inline Filters are applicable only to rules, not policies nor scheduled rules.
Panther-managed detections, while disallowing you from editing core detection logic, do allow you to customize certain metadata fields in the Panther Console. (All other fields will be greyed out in the Panther Console, and the Rule Function and Unit Test editors will be read-only.) These editable fields include:
Enabled / Disabled
Severity
Deduplication Period
Events Threshold
Destination Overrides
Runbook
Any changes made to these fields in the Panther Console will be preserved if the customized detection is part of a Detection Pack, and the Pack is updated or reverted to a different version.
You can make changes to the editable fields in the Panther Console:
In the left-hand navigation bar of your Panther Console, click Build > Detections.
Locate the detection you want to edit, then click on its name to be brought to its details page.
Scroll down to the Set Alert Fields section.
Make any desired changes to the detection.
Fields that are not editable will be greyed out.
Click Update in the upper right side of the page to save your changes.
With detection inheritance, you can use Panther-managed detections as Base Detections, from which you can create your own Derived Detections. Derived Detections inherit the Base Detection's core logic, which is immutable, as well as its metadata field values, which can be overwritten.
If a Panther-managed detection doesn't fit your needs, you can clone it, then edit the cloned copy:
In the left-hand navigation bar of your Panther Console, click Build > Detections.
Locate the detection you want to edit, then click on its name.
You will be redirected to the standard detection creation interface. Optionally update the cloned detection's Name.
The name of a cloned detection, by default, will have (Copy) appended to it.
In the upper-right corner, click Continue.
On the cloned detection's details page, make any desired changes to your cloned copy of the detection.
The Enabled toggle will default to the enabled status of the original detection, i.e., if the Panther-managed detection was disabled, the toggle will be set to OFF.
Note that cloning and editing a detection does not changed the Enabled status of the original detection. This means if the original Panther-managed detection was enabled but you intend for your customized copy to replace it, you must go back and disable the Panther-managed detection.
The cloned detection will not be managed by Panther or receive continuous updates (as Panther-managed detections included in Detection Packs do). The original version of the detection (if contained in a Pack) will continue to receive updates as normal, whether it is enabled or disabled.
Note that only Panther-managed detections included in a Pack are available by default in your Panther instance. If you would like to work with a Panther-managed detection not included in a Pack (like one of the ones ), contact your Panther support team for help loading it in.
You can view all Panther-managed detections in Panther's public GitHub repository. They are located in the and subdirectories.
To the left of the detection name, click the checkbox.
Note that only Panther-managed detections included in a Pack are available by default in your Panther instance. If you would like to work with a Panther-managed detection not included in a Pack (like one of the ones ), contact your Panther support team for help loading it in.
Learn how to enable and disable Panther-managed detections using the CLI workflow in .
To update your Panther-managed detection when Panther releases a new version (or revert to a previous one), follow the .
You can customize a Panther-managed detection by adding , modifying its , or using . These options allow you to add your own tuning and customizations while still receiving updates to core detection logic from Panther.
If you need to modify the core rule logic of a Panther-managed detection (which is read-only), you can alternatively . Because a cloned detection is managed by you, not Panther, it won't receive Panther's improvements to core detection logic over time. For this reason, we recommend using the customization techniques outlined in this section, if possible.
You can easily tune Panther-managed rules by adding Rule Filters. See for detailed instructions.
For more information, see .
In the upper right corner of the detection's details page, click the three dots > Clone.
In the upper-right corner, click Save.
An alert runbook is a set of directions for remediating an issue that triggered an alert. Panther provides alert runbooks for a number of Panther-managed policies and rules—find them in .
