PyPanther Detections are Panther’s evolved approach to detections-as-code. In this framework, detections are defined fully in Python, enabling component reusability and simple rule overrides. The foundation of PyPanther Detections is the .
Learn about PyPanther key features, benefits, and differences from the v1 detection format on this page—then, start in the CLI workflow or .
An entirely Python-native experience for importing, writing, modifying, testing, and uploading rules—eliminating the need to manage a fork or clone of .
The ability to apply custom configurations to Panther-managed rules through , , and .
The ability to selectively choose the set of rules you want to include in your Panther deployment package.
PyPanther Detections have the following benefits:
Full flexibility and composability: PyPanther offers complete flexibility in rule creation, enabling full modularity, composability, the ability to override any rule attribute, and full Python inheritance—all providing a customizable and user-centric experience.
PyPanther Detections differ from v1 detections in the following areas:
The same detection, Box.New.Login, is defined below in both versions:
While PyPanther Detections are evolving rapidly, they currently have the following limitations:
Only rules (or “real-time rules”) are supported in the PyPanther framework.
Library version pinning and declaring custom dependencies from the repository are not supported.
No upstream merge conflicts: Working in the CLI workflow in the , merge conflicts can arise when syncing your customized fork of panther-analysis with the upstream repository. In PyPanther, Panther-managed rules exist separately from your rule configurations, eliminating the possibility of merge conflicts.
First-class developer experience: Backed by a portable, , this framework provides a superior local development experience by hooking into native applications and developer workflows. This library can also be loaded into any Python environment, such as Jupyter Notebooks.
This documentation uses the term "v1 detections," which refers to rules created in the format described in . PyPanther Detections are sometimes referred to as "v2 detections."
File structure: Working in the CLI workflow, a rule in the requires two files: a Python file to define rule logic and a YAML file to set metadata. A PyPanther rule is written entirely in a single Python class containing all functions, properties, and helpers.
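As an added example (not from the Panther docs or the panther-analysis repository), here is a Box.New.Login style rule written as one PyPanther class: metadata, detection logic, alert title, and unit tests all live on the class. The pypanther import names, the Box field names, and the event type checked are assumptions; the `Event` helper is a constructed stand-in for the event object the framework supplies, and the offline stand-ins are only used when pypanther is not installed.

```python
# Added example (not from the Panther docs); library names and field names are assumptions.
try:
    from pypanther import LogType, Rule, RuleTest, Severity
except ImportError:  # constructed stand-ins so the rule logic runs without pypanther
    from enum import Enum
    class LogType(str, Enum):
        BOX_EVENT = "Box.Event"
    class Severity(str, Enum):
        INFO = "INFO"
    class RuleTest:
        def __init__(self, name, expected_result, log):
            self.name, self.expected_result, self.log = name, expected_result, log
    class Rule:
        pass

class Event(dict):
    """Constructed stand-in for PantherEvent: a dict with nested-key lookup."""
    def deep_get(self, *keys, default=None):
        cur = self
        for key in keys:
            if not isinstance(cur, dict) or key not in cur:
                return default
            cur = cur[key]
        return cur

class BoxNewLogin(Rule):
    # Metadata that v1 detections put in a YAML file sits on the class itself.
    id = "Box.New.Login-example"  # hypothetical rule id
    log_types = [LogType.BOX_EVENT]
    default_severity = Severity.INFO
    tests = [  # unit tests are class attributes too
        RuleTest(name="New device login", expected_result=True,
                 log={"event_type": "ADD_LOGIN_ACTIVITY_DEVICE",
                      "created_by": {"name": "Bob Cat", "login": "bob@example.com"}}),
        RuleTest(name="Unrelated event", expected_result=False,
                 log={"event_type": "DELETE", "created_by": {"name": "Bob Cat"}}),
    ]

    def rule(self, event):
        # Detection logic: fire only on Box's new-login-device event type
        return event.get("event_type") == "ADD_LOGIN_ACTIVITY_DEVICE"

    def title(self, event):
        user = event.deep_get("created_by", "name", default="<UNKNOWN_USER>")
        return f"User [{user}] logged in from a new device."

def run_tests(rule_cls=BoxNewLogin):
    """Evaluate the class's embedded tests; returns {test name: passed}."""
    rule = rule_cls()
    return {t.name: rule.rule(Event(t.log)) is t.expected_result for t in rule_cls.tests}
```

Because the tests are part of the class, `run_tests()` can exercise a rule in any Python environment before it is uploaded.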
Process for retrieving Panther-managed detections: In v1 detections, you must periodically sync your copy of panther-analysis with upstream changes. With PyPanther Detections, no Git syncing is required—the latest Panther-managed content is always available in the .
Packs: Panther-managed v1 detections are bundled in . With PyPanther Detections, you can choose which detections you want to include in your Panther instance using (or direct imports) with .
(Planned) It’s not possible to define new .
It is possible to reference data from existing custom Lookup Tables, as well as .
(Planned) No support for , , , .
(Planned) It’s not possible to use in the CLI or Console workflows.
(Planned) It’s not possible to define your own .
It is possible to reference in the , using event.udm().
The CLI tool used with PyPanther Detections, pypanther, does not have all of .
See a list of available pypanther commands on .
There are additional limitations on the functionality of the upload command. See the .
There are additional limitations when managing PyPanther Detections in the Panther Console. See the .
See the , containing PyPanther Detection examples, which you can clone to quickly get up and running. Get started by following the setup instructions in the repository's .
Learn more about how to modify Panther-managed PyPanther Detections and create your own in the CLI workflow on or in the Panther Console on .
The is open source, and welcomes contributions. Please see for contribution guidelines.
Configure detections fully in Python