Browsing and installing Catalog items

Overview

The Content Catalog is the page in your Panther Console where you can browse all Panther-managed analysis items available for your instance, and install the ones you want into your environment. Installed items are fully owned by you, and behave like any custom item—you can edit, disable, or delete them at any time.

This page explains how to browse available items and install them. To learn how to update items you have already installed, see Updating Content Catalog items.

How to browse Content Catalog items

To browse the items available in the Content Catalog:

1. In the left-hand navigation bar of your Panther Console, click Catalog.

2. Click the Browse tab.

Items in the Browse tab are organized into sub-tabs by content type:

• Detections: Includes rules, scheduled rules, correlation rules, and policies.

• Helpers: Includes global helpers.

• Data Models: Includes data models.

• Enrichments: Includes enrichments, which are Lookup Tables provided by Panther.

• Queries: Includes saved queries and scheduled queries.

You can only see a sub-tab if you have the corresponding read permission for that item type. See Required permissions for details.

Each sub-tab includes filters appropriate to the content type. You can filter:

• Detections by name or description, severity, data source, and type

• Helpers by name or description

• Data Models by name or description, and log type

• Enrichments by name or description, schema, and log type

• Queries by name or description, and type

Items you have already installed are marked as installed in the Browse tab. You can click through to the installed copy to view it on its details page.

How to install a Content Catalog item

To install an item from the Content Catalog:

1. In the left-hand navigation bar of your Panther Console, click Catalog.

2. Click the Browse tab.

3. Click the sub-tab for the type of item you want to install.

4. Locate the item, then click Install.

When you click Install, Panther:

• Creates a copy of the item in your environment that you fully own.

• Identifies and installs any items that the item depends on. For example, installing a rule will also install the global helpers it imports, the data models it references, and (if it is a scheduled rule) the scheduled queries it uses. Installing a correlation rule will also install all of the member rules used in the correlation.

• For detections, runs the item's unit tests before installing it.

• For data models, runs the unit tests for any detections that use the same log type, because changes to a data model can affect those detections.

By default, installed items are enabled.

When an install is blocked

If installing an item would cause unit tests to fail, Panther blocks the install and surfaces the reason. You will need to address the underlying issue—for example, by updating a related item that the new item depends on—before you can install it.

How to view installed Content Catalog items

The Installed tab on the Content Catalog page lists every item you have installed via the Content Catalog. The table includes the item's type, name, and description.

To view your installed items:

1. In the left-hand navigation bar of your Panther Console, click Catalog.

2. Click the Installed tab.

You can filter installed items by:

• Text in the name or ID

• Item type

To view an installed item on its details page, open the actions menu on the right of the row, and click View. From there, you can edit the item exactly like a custom item.

How to uninstall a Content Catalog item

To remove an item that you installed via the Content Catalog:

1. In the left-hand navigation bar of your Panther Console, click Catalog.

2. Click the Installed tab.

3. Locate the item you want to remove.

4. In that item's row, open the actions menu and click Uninstall.

Uninstalling deletes the item from your environment. If you want it back later, you can install it again from the Browse tab. You can delete any Installed item the same way you do a custom item, from its Details page, as well.