
# Content Catalog (Beta)

{% hint style="warning" %}
The Content Catalog is in closed beta as of Panther version 1.125. To request access, contact your Panther support team.
{% endhint %}

## Overview

The Content Catalog is a page in your Panther Console where you can discover, install, and update individual Panther-managed analysis items. The Content Catalog is intended to eventually replace [Detection Packs](/detections/panther-managed/packs.md) as the primary way to consume Panther-managed content in the Console.

The Content Catalog works similarly to an app store. When you browse the Content Catalog, you are looking at content that is available to install, but that does not yet exist in your environment. When you click **Install** on an item, Panther creates a copy of that item on your Panther instance, which you fully own. From that point on, you can edit any part of the item, including its core logic, just like you can with a custom detection. Panther continues to track the original version of the item, and when a new version is released, the Content Catalog will surface an update for your installed copy.

The Content Catalog supports the following Panther-managed item types:

* Rules, scheduled rules, and correlation rules
* Policies
* Global helpers
* Data models
* Enrichments
* Saved queries and scheduled queries

The Content Catalog has two tabs:

* **Browse**: Lists all Panther-managed items available to install.
* **Installed**: Lists the items you have installed, and indicates which of them have an update available.

## Content Catalog compared to Detection Packs

The Content Catalog and [Detection Packs](/detections/panther-managed/packs.md) are two different ways to consume Panther-managed content in the Panther Console. The most important difference between them is ownership of the installed items.

When you enable a Detection Pack, Panther owns the detections in that Pack. You can edit only a limited set of fields—`Enabled`/`Disabled`, `Severity`, `Deduplication Period`, `Events Threshold`, `Destination Overrides`, and `Runbook`—and the core detection logic (Python, YAML, and unit tests) is read-only in the Panther Console. If you want to change the core logic of a detection in a Pack, you have to [clone it](/detections/panther-managed.md#how-to-clone-a-panther-managed-detection), which creates a separate, unmanaged copy that no longer receives updates from Panther.

When you install an item from the Content Catalog, you fully own that item. The installed copy lives in your environment exactly like a custom item: you can edit its Python, YAML, unit tests, and metadata directly from its details page. No cloning is required to customize it, and the Content Catalog continues to surface updates for it when new versions are released by Panther. Panther uses the item's ID to determine whether an update is available, so you can edit any part of an item except its ID. An item with a different ID is treated as an entirely new item.

The table below summarizes the differences:

<table><thead><tr><th width="180">Topic</th><th>Detection Packs</th><th>Content Catalog</th></tr></thead><tbody><tr><td>Ownership of installed items</td><td>Panther owns the items in a Pack.</td><td>You fully own every item you install.</td></tr><tr><td>What you can edit</td><td>Only <code>Enabled</code>/<code>Disabled</code>, <code>Severity</code>, <code>Deduplication Period</code>, <code>Events Threshold</code>, <code>Destination Overrides</code>, and <code>Runbook</code>. Core detection logic is read-only.</td><td>Anything, including Python, YAML, unit tests, and metadata, except the ID.</td></tr><tr><td>Unit of installation</td><td>A whole Pack, which can contain many items. Enabling the Pack enables every detection inside it.</td><td>An individual item. You install items one at a time.</td></tr><tr><td>Customizing further</td><td>Requires cloning the item, which breaks its link to the Pack and stops it from receiving updates.</td><td>Not required. The installed item is already yours and continues to receive updates.</td></tr><tr><td>Receiving updates</td><td>Updates are applied at the Pack level. Updating a Pack updates every detection in it.</td><td>Updates are applied per item. You can update one item at a time, or use <strong>Update All</strong> to apply every available update at once.</td></tr></tbody></table>

Nearly every item available in a Detection Pack is also available individually in the Content Catalog, and the Content Catalog includes additional items that aren't part of any Pack.

### How Detection Packs and the Content Catalog interact

Panther identifies every analysis item by a unique ID, and your environment holds a single record per item. This means that a Pack-managed item and a Content Catalog item with the same ID are the *same underlying record*, not two separate copies. As a result, enabling or updating a Detection Pack can change items you manage through the Content Catalog:

* **Enabling a Pack** that contains an item you own through the Content Catalog converts that item back into a Pack-managed item, overwriting your customizations. Core detection logic (Python), display name, tags, unit tests, description, and log types are all replaced with the Pack's version.
* **Updating an enabled Pack** has the same effect: it overwrites your customizations to the items the Pack contains.
* **Updating a disabled Pack** does not overwrite your customizations.
* **Disabling a Pack** does not delete any items, but it does disable every item the Pack contains—including items you have reinstalled from the Content Catalog as your own.

{% hint style="warning" %}
Once you start using the Content Catalog, we recommend that you stop enabling and updating Detection Packs that contain items you manage through the Catalog, because doing so can overwrite or disable those items. (If you ever need to revert an item to Panther's managed version, you can intentionally re-enable its Pack to do so.)
{% endhint %}
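
Before you enable, update, or disable a Pack, you can check which of your Catalog-owned items share an ID with it and would therefore be overwritten or disabled. The following is an added example, not Panther's own code: `pack_action_impact` is a hypothetical helper, the item IDs are constructed, and it assumes you have already collected the Pack's item IDs and your Catalog-installed item IDs as two lists.

```python
"""Pre-change impact check for Detection Pack actions (added example)."""

# Fields the page says are replaced with the Pack's version on overwrite.
OVERWRITTEN_FIELDS = (
    "core detection logic (Python)", "display name", "tags",
    "unit tests", "description", "log types",
)


def pack_action_impact(action, pack_enabled, pack_item_ids, catalog_item_ids):
    """Return which Catalog-owned items a Pack action would touch.

    action: "enable", "update" or "disable"
    pack_enabled: whether the Pack is enabled before the action
    pack_item_ids / catalog_item_ids: iterables of item IDs
    """
    if action not in ("enable", "update", "disable"):
        raise ValueError(f"unknown action: {action!r}")
    # Same ID means the same underlying record, so the overlap is what is at risk.
    shared = sorted(set(pack_item_ids) & set(catalog_item_ids))
    overwritten, disabled = [], []
    if action == "enable" or (action == "update" and pack_enabled):
        overwritten = shared   # customizations replaced by the Pack's version
    elif action == "disable":
        disabled = shared      # items are kept but switched off
    # Updating a disabled Pack falls through: nothing is overwritten.
    return {
        "overwritten": overwritten,
        "disabled": disabled,
        "fields_replaced": list(OVERWRITTEN_FIELDS) if overwritten else [],
        "safe": not overwritten and not disabled,
    }


# Constructed sample IDs, not taken from a real Pack or Catalog listing.
SAMPLE_PACK = ["Example.Rule.A", "Example.Rule.B", "Example.Policy.C"]
SAMPLE_CATALOG = ["Example.Rule.B", "Example.Policy.C", "Example.Query.D"]

if __name__ == "__main__":
    for action, enabled in [("enable", False), ("update", True),
                            ("update", False), ("disable", True)]:
        result = pack_action_impact(action, enabled, SAMPLE_PACK, SAMPLE_CATALOG)
        print(f"{action:8} (pack enabled={enabled}): {result}")
```
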

### Moving an item from a Detection Pack to the Content Catalog

To take full ownership of an item that is currently delivered to your environment through a Detection Pack, delete the item, then install it from the Content Catalog. The newly installed item will be fully owned by you, and will receive updates through the Content Catalog going forward.

{% hint style="warning" %}
Deleting an item from a Detection Pack and reinstalling it from the Content Catalog discards any customizations you made to it. You will start from the Panther-managed defaults.

A Packs migration workflow that preserves your customizations is planned for a future Panther release.
{% endhint %}

## Required permissions

The permissions needed to use the Content Catalog match the permissions for the underlying item types. To view items of a given type in the Content Catalog, you need the corresponding read permission. To install, update, or uninstall items, you need the corresponding modify permission.

| Item type                                           | Permission to view       | Permission to install, update, or uninstall |
| --------------------------------------------------- | ------------------------ | ------------------------------------------- |
| Rules, scheduled rules, correlation rules, policies | `RuleRead`, `PolicyRead` | `RuleModify`, `PolicyModify`                |
| Global helpers                                      | `RuleRead`, `PolicyRead` | `RuleModify`, `PolicyModify`                |
| Data models                                         | `LogSourceRead`          | `LogSourceModify`                           |
| Enrichments                                         | `LookupRead`             | `LookupModify`                              |
| Saved queries, scheduled queries                    | `DataAnalyticsRead`      | `DataAnalyticsModify`                       |

## How to use the Content Catalog

* [Browsing and installing Content Catalog items](/detections/panther-managed/content-catalog/browsing-and-installing-catalog-items.md)
* [Updating Content Catalog items](/detections/panther-managed/content-catalog/updating-catalog-items.md)


