Content Catalog (Beta)

Browse, install, and update individual Panther-managed analysis items from the Panther Console

Overview

The Content Catalog is a page in your Panther Console where you can discover, install, and update individual Panther-managed analysis items. The Content Catalog is intended to eventually replace Detection Packs as the primary way to consume Panther-managed content in the Console.

The Content Catalog works similarly to an app store. When you browse the Content Catalog, you are looking at content that is available to install, but that does not yet exist in your environment. When you click Install on an item, Panther creates a copy of that item on your Panther instance, which you fully own. From that point on, you can edit any part of the item, including its core logic, just like you can with a custom detection. Panther continues to track the original version of the item, and when a new version is released, the Content Catalog will surface an update for your installed copy.

The Content Catalog supports the following Panther-managed item types:

  • Rules, scheduled rules, and correlation rules

  • Policies

  • Global helpers

  • Data models

  • Enrichments

  • Saved queries and scheduled queries

The Content Catalog has two tabs:

  • Browse: Lists all Panther-managed items available to install.

  • Installed: Lists the items you have installed, and indicates which of them have an update available.

Content Catalog compared to Detection Packs

The Content Catalog and Detection Packs are two different ways to consume Panther-managed content in the Panther Console. The most important difference between them is ownership of the installed items.

When you enable a Detection Pack, Panther owns the detections in that Pack. You can edit only a limited set of fields—Enabled/Disabled, Severity, Deduplication Period, Events Threshold, Destination Overrides, and Runbook—and the core detection logic (Python, YAML, and unit tests) is read-only in the Panther Console. If you want to change the core logic of a detection in a Pack, you have to clone it, which creates a separate, unmanaged copy that no longer receives updates from Panther.

When you install an item from the Content Catalog, you fully own that item. The installed copy lives in your environment exactly like a custom item: you can edit its Python, YAML, unit tests, and metadata directly from its details page. No cloning is required to customize it, and the Content Catalog continues to surface updates for it when Panther releases new versions. Panther determines whether an installed item has an update available by matching on the item's ID, so you can edit any part of an item except its ID. Changing the ID is equivalent to creating a new item entirely, and the Content Catalog will no longer surface updates for it.

The table below summarizes the differences:

Ownership of installed items
  Detection Packs: Panther owns the items in a Pack.
  Content Catalog: You fully own every item you install.

What you can edit
  Detection Packs: Only Enabled/Disabled, Severity, Deduplication Period, Events Threshold, Destination Overrides, and Runbook. Core detection logic is read-only.
  Content Catalog: Anything, including Python, YAML, unit tests, and metadata, except the ID.

Unit of installation
  Detection Packs: A whole Pack, which can contain many items. Enabling the Pack enables every detection inside it.
  Content Catalog: An individual item. You install items one at a time.

Customizing further
  Detection Packs: Requires cloning the item, which breaks its link to the Pack and stops it from receiving updates.
  Content Catalog: Not required. The installed item is already yours and continues to receive updates.

Receiving updates
  Detection Packs: Updates are applied at the Pack level. Updating a Pack updates every detection in it.
  Content Catalog: Updates are applied per item. You can update one item at a time, or use Update All to apply every available update at once.

Nearly every item available in a Detection Pack is also available individually in the Content Catalog, and the Content Catalog includes additional items that aren't part of any Pack.

How Detection Packs and the Content Catalog interact

Panther identifies every analysis item by a unique ID, and your environment holds a single record per item. This means that a Pack-managed item and a Content Catalog item with the same ID are the same underlying record, not two separate copies. As a result, enabling or updating a Detection Pack can change items you manage through the Content Catalog:

  • Enabling a Pack that contains an item you own through the Content Catalog converts that item back into a Pack-managed item, overwriting your customizations. Core detection logic (Python), display name, tags, unit tests, description, and log types are all replaced with the Pack's version.

  • Updating an enabled Pack has the same effect: it overwrites your customizations to the items the Pack contains.

  • Updating a disabled Pack does not overwrite your customizations.

  • Disabling a Pack does not delete any items, but it does disable every item the Pack contains—including items you have reinstalled from the Content Catalog as your own.

Moving an item from a Detection Pack to the Content Catalog

To take full ownership of an item that is currently delivered to your environment through a Detection Pack, delete the item, then install it from the Content Catalog. The newly installed item will be fully owned by you, and will receive updates through the Content Catalog going forward.

Required permissions

The permissions needed to use the Content Catalog match the permissions for the underlying item types. To view items of a given type in the Content Catalog, you need the corresponding read permission. To install, update, or uninstall items, you need the corresponding modify permission.

Rules, scheduled rules, correlation rules, policies
  Permission to view: RuleRead, PolicyRead
  Permission to install, update, or uninstall: RuleModify, PolicyModify

Global helpers
  Permission to view: RuleRead, PolicyRead
  Permission to install, update, or uninstall: RuleModify, PolicyModify

Data models
  Permission to view: LogSourceRead
  Permission to install, update, or uninstall: LogSourceModify

Enrichments
  Permission to view: LookupRead
  Permission to install, update, or uninstall: LookupModify

Saved queries, scheduled queries
  Permission to view: DataAnalyticsRead
  Permission to install, update, or uninstall: DataAnalyticsModify

How to use the Content Catalog
