PyPanther Detections (Beta)
Configure detections fully in Python
Overview
PyPanther Detections are in closed beta starting with Panther version 1.108. Please share any bug reports and feature requests with your Panther support team.
PyPanther Detections are Panther’s evolved approach to detections-as-code. In this framework, detections are defined fully in Python, enabling component reusability and simple rule overrides. The foundation of PyPanther Detections is the Panther-managed pypanther
Python library.
Learn about PyPanther key features, benefits, and differences from the v1 detection format on this page—then, start creating PyPanther Detections.
Key features
An entirely Python-native experience for importing, writing, modifying, testing, and uploading rules—eliminating the need to manage a fork or clone of panther-analysis.
The ability to apply custom configurations to Panther-managed rules through overrides, filters, and inheritance.
The ability to selectively choose the set of rules you want to include in your Panther deployment package.
Benefits
PyPanther Detections have the following benefits:
No upstream merge conflicts: In the v1 model, merge conflicts can arise when syncing your customized fork of
panther-analysis
with the upstream repository. In this PyPanther model, Panther-managed rules exist separately from your rule configurations, eliminating the possibility of merge conflicts.Full flexibility and composability: This feature offers complete flexibility in rule creation, enabling full modularity, composability, the ability to override any rule attribute, and full Python inheritance—all providing a customizable and user-centric experience.
First-class developer experience: Backed by a portable, open-source Python library called
pypanther
, this framework provides a superior local development experience by hooking into native applications and developer workflows. This library can also be loaded into any Python environment, such as Jupyter Notebooks.
PyPanther Detections vs. v1 detections
This documentation uses the term "v1 detections," which refers to rules created in the format described in Writing Python Detections. PyPanther Detections are sometimes referred to as "v2 detections."
Panther has developed a tool that translates detections from v1 to PyPanther format—see the convert
command on Using the pypanther Command Line Tool.
PyPanther Detections differ from v1 detections in the following areas:
File structure: A rule in the v1 framework requires two files: a Python file to define rule logic and dynamic alerting functions and a YAML file to set metadata. A PyPanther rule is written entirely in Python.
This singular rule definition in a Python class—which contains all functions, properties, and helpers—enables overrides and composability.
Process for retrieving Panther-managed detections: In v1 detections, you must periodically sync your copy of
panther-analysis
with upstream changes. With PyPanther Detections, however, no Git syncing is required—the latest Panther-managed content is always available in thepypanther
Python library.Packs: Panther-managed v1 detections are bundled in Detection Packs. With PyPanther Detections, you can choose which detections you want to include in your Panther instance using
get_panther_rules()
(or direct imports) withregister()
.
The same detection, Box.New.Login
is defined below in both versions:
Limitations of PyPanther Detections
PyPanther Detections are currently designed for real-time rules developed in the CLI workflow.
While PyPanther Detections are evolving rapidly, they currently have the following limitations:
(Planned) It’s not possible to define new custom Lookup Tables.
It is possible to reference data from existing custom Lookup Tables, as well as Panther-managed Enrichment Providers.
(Planned) No support for Policies, Scheduled Rules, Simple Rules, Correlation Rules.
Only rules (or “real-time rules”) are supported in the PyPanther framework.
(Planned) It’s not possible to use Data Replay in the CLI or Console workflows.
(Planned) It’s not possible to define your own data models.
It is possible to reference Panther-managed data models in the
pypanther
library, usingevent.udm()
.
Library version pinning and declaring custom dependencies from the repository are not supported.
It’s not possible to edit PyPanther Detections in the Panther Console.
The CLI tool used with PyPanther Detections,
pypanther
, does not have all of the commandspanther_analysis_tool
does.See a list of available
pypanther
commands on Using the pypanther CLI Tool.
There are limitations on the functionality of the
upload
command. See theupload
limitations section.
Getting started using PyPanther Detections
See the pypanther-starter-kit repository, containing PyPanther Detection examples, which you can clone to quickly get up and running. Get started by following the setup instructions in the repository's README.
Learn more about how to modify Panther-managed PyPanther Detections and create your own on Creating PyPanther Detections.
Last updated
Was this helpful?