PyPanther Detections (Beta)
Configure detections fully in Python
PyPanther Detections are Panther’s evolved approach to detections-as-code. In this framework, detections are defined fully in Python, enabling component reusability and simple rule overrides. The foundation of PyPanther Detections is the open-source pypanther Python library.
Learn about PyPanther key features, benefits, and differences from the v1 detection format on this page—then, start creating PyPanther Detections in the CLI workflow or the Panther Console.
An entirely Python-native experience for importing, writing, modifying, testing, and uploading rules—eliminating the need to manage a fork or clone of panther-analysis.
The ability to apply custom configurations to Panther-managed rules through , , and .
The ability to selectively choose the set of rules you want to include in your Panther deployment package.
PyPanther Detections have the following benefits:
No upstream merge conflicts: Working in the CLI workflow in the v1 model, merge conflicts can arise when syncing your customized fork of panther-analysis with the upstream repository. In PyPanther, Panther-managed rules exist separately from your rule configurations, eliminating the possibility of merge conflicts.
Full flexibility and composability: PyPanther offers complete flexibility in rule creation, enabling full modularity, composability, the ability to override any rule attribute, and full Python inheritance—all providing a customizable and user-centric experience.
First-class developer experience: Backed by a portable, open-source Python library, pypanther, this framework provides a superior local development experience by hooking into native applications and developer workflows. This library can also be loaded into any Python environment, such as Jupyter Notebooks.
PyPanther Detections differ from v1 detections in the following areas:
Process for retrieving Panther-managed detections: In v1 detections, you must periodically sync your copy of panther-analysis with upstream changes. With PyPanther Detections, no Git syncing is required—the latest Panther-managed content is always available in the pypanther Python library.
The same detection, Box.New.Login, is defined below in both versions:
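The two definitions referenced above are not reproduced in this extract. As an added illustration, not code from the Panther docs or the pypanther library, the following shows the shape the page describes: Box.New.Login as a single Python class holding metadata, detection logic, alert title and unit tests, then customised by subclassing. A minimal `Rule` class stands in for the real pypanther base class (an assumption so the snippet runs offline), and the `failing_tests` helper and sample events are constructed here.

```python
class Rule:
    """Minimal stand-in for pypanther.Rule (assumption); just what this demo needs."""
    id = ""
    log_types = []
    default_severity = "INFO"
    tests = []

    def rule(self, event):
        raise NotImplementedError

    def title(self, event):
        return self.id

    @classmethod
    def failing_tests(cls):
        """Names of the class's unit tests whose expected_result disagrees with rule()."""
        inst = cls()
        return [t["name"] for t in cls.tests if inst.rule(t["log"]) != t["expected_result"]]


class BoxNewLogin(Rule):
    """Box.New.Login as one class: metadata, detection logic, alert title and tests together."""
    id = "Box.New.Login"
    log_types = ["Box.Event"]
    default_severity = "INFO"
    tests = [  # constructed sample Box events
        {"name": "new device", "expected_result": True,
         "log": {"event_type": "ADD_LOGIN_ACTIVITY_DEVICE", "created_by": {"name": "Bob Cat"}}},
        {"name": "other event", "expected_result": False,
         "log": {"event_type": "DELETE", "created_by": {"name": "Bob Cat"}}},
    ]

    def rule(self, event):
        # Box records this event type when a user signs in from a device it has not seen before.
        return event.get("event_type") == "ADD_LOGIN_ACTIVITY_DEVICE"

    def title(self, event):
        user = event.get("created_by", {}).get("name", "<UNKNOWN_USER>")
        return f"User [{user}] logged in from a new device."


class MyBoxNewLogin(BoxNewLogin):
    """Customisation by inheritance: raise severity and skip an allow-list of trusted users."""
    default_severity = "MEDIUM"
    TRUSTED_USERS = {"Bob Cat"}

    def rule(self, event):
        # Inherited tests still apply; "new device" now fails (Bob Cat is trusted),
        # a reminder that overrides need their own tests.
        user = event.get("created_by", {}).get("name")
        return super().rule(event) and user not in self.TRUSTED_USERS
```

Overriding `rule` while inheriting the parent's `tests` makes the stale expectation visible, which is the kind of check a rule override should keep.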
While PyPanther Detections are evolving rapidly, they currently have the following limitations:
(Planned) It’s not possible to define new custom Lookup Tables.
It is possible to reference data from existing custom Lookup Tables, as well as Panther-managed Enrichment Providers.
(Planned) No support for Policies, Scheduled Rules, Simple Rules, or Correlation Rules.
Only rules (or “real-time rules”) are supported in the PyPanther framework.
(Planned) It’s not possible to use Data Replay in the CLI or Console workflows.
(Planned) It’s not possible to define your own data models.
Library version pinning and declaring custom dependencies from the repository are not supported.
The CLI tool used with PyPanther Detections, pypanther, does not have all of the commands panther_analysis_tool does.
See a list of available pypanther commands on Using the pypanther CLI Tool.
See the pypanther-starter-kit repository, containing PyPanther Detection examples, which you can clone to quickly get up and running. Get started by following the setup instructions in the repository's README.
Learn more about how to modify Panther-managed PyPanther Detections and create your own in the CLI workflow on Creating PyPanther Detections or in the Panther Console on Managing PyPanther Detections in the Panther Console.
The pypanther library is open source, and welcomes contributions. Please see CONTRIBUTING.md for contribution guidelines.
File structure: Working in the CLI workflow, a rule in the v1 framework requires two files: a Python file to define rule logic and a YAML file to set metadata. A PyPanther rule is written entirely in a single Python class containing all functions, properties, and helpers.
Packs: Panther-managed v1 detections are bundled in Detection Packs. With PyPanther Detections, you can choose which detections you want to include in your Panther instance using (or direct imports) with .
It is possible to reference in the pypanther library, using event.udm().
There are additional limitations on the functionality of the upload command. See the .
There are additional limitations when managing PyPanther Detections in the Panther Console. See the .