Managing PyPanther Detections in the Panther Console

Overview

You can manage PyPanther Detections in the Panther Console in addition to the CLI workflow.

Managing PyPanther Detections in both the CLI workflow and Panther Console

It's possible to manage PyPanther Detections using both the CLI workflow and the Panther Console. When doing so, take note of the following interactions:

• You may not create a detection in the Console or the CLI workflow with the same id as a detection already created in either the Console or CLI workflow.

• If you create a detection in the CLI workflow, edit it in the Console, then upload it again in the CLI workflow, the edits you made in the Console will be overwritten.

Limitations of Console workflows for PyPanther Detections

• It's not possible to make overrides on Panther-managed (or custom) detections through the Panther console.

  • In addition to not being able to make overrides on a Panther-managed rule, it's not possible to enable a Panther-managed PyPanther rule as-is in the Console (as you can in the v1 model using Detection Packs).

• If you make overrides on a Panther-managed detection in the CLI workflow, upload it, and are viewing it in the Panther Console, your overrides will not be visible (i.e., it will appear as the "plain" Panther-managed version).

• It's not possible to delete a PyPanther Detection in the Console that was uploaded through the CLI workflow.

• It's not possible to view or edit the main.py file as you can in the CLI workflow, which means:

  • It's not possible to configure overrides on multiple PyPanther Detections at once.

Creating a custom PyPanther Detection in the Console

To create a custom PyPanther Detection in the Console:

1. In the left-hand navigation bar of your Panther Console, click Detections.

2. Click Create New.

3. On the PyPanther Rule tile, click Start.

4. At the top of the page, in the Name field, enter a name for your detection.

5. In the Python code editor in the Detection section, configure your rule.

   • Learn more about PyPanther Detection composition in Writing a custom PyPanther Detection, and see the Rule property reference for a full list of required and optional fields.

   • If you'd like to create a detection that inherits from another detection, you can edit (Rule) in class CustomRuleName(Rule).

6. If you added tests to your detection, click Run Tests to verify they all pass.

7. Click Deploy.

Editing a PyPanther Detection in the Console

In the Panther Console, you can edit PyPanther Detections that were created in either the Console or uploaded using the CLI workflow (except for Panther-managed detections, which are read-only—even if you've made your own overrides on them in the CLI workflow).

To edit a PyPanther Detection in the Console:

1. In the left-hand navigation bar of your Panther Console, click Detections.

2. From the list of detections, click the name of the detection you're like to edit.

3. Make any desired updates to the detection in the Detection code editor.

   • To update the detection's display name, edit the value of the display_name attribute in the code editor.

   • Learn more about PyPanther Detection composition in Writing a custom PyPanther Detection, and see the Rule property reference for a full list of required and optional fields.

4. If you added tests to your detection, click Run Tests to verify they all pass.

5. Click Deploy.

Deleting a PyPanther Detection in the Console

In the Console, it is currently only possible to delete detections that were created in the Console. Rules uploaded in the CLI workflow can only deleted in the CLI workflow.

To delete a PyPanther Detection in the Console:

1. In the left-hand navigation bar of your Panther Console, click Detections.

2. From the list of detections, click the name of the detection you're like to delete.

3. In the upper-right corner, click on the three dots icon (...).

4. Click Delete.