AI Detection Builder (Beta)
Describe the rule you'd like to create in plain language
Overview
AI Detection Builder is a Panther AI-powered assistant that helps you create and modify rules and scheduled rules directly within the Panther Console. It provides intelligent suggestions, generates detection code, and allows you to review and apply changes.

The AI Detection Builder is available in the rule and scheduled rule editors in the Panther Console—accessible in the Configure tab via the AI Detection Builder button.
How AI Detection Builder works
The AI Detection Builder operates as a conversational AI assistant embedded in the rule editor. When you open the AI Detection Builder panel, you can:
Create new detections by describing what you want to detect
Ask questions about detection logic and get explanations of detection code
Modify existing detections. For example:
"Add a dedup function based on the user's IP address"
"Make this detection more specific to production environments"
Add or improve test cases
Using the AI Detection Builder
Opening the AI Detection Builder
In the left-hand navigation bar of your Panther Console, click Detections.
Click Create New.
On the Python Rule or Scheduled Rule tile, click Start.
On the right-hand side of the Configure tab, click AI Detection Builder.

The panel opens on the right side of the screen.

Creating a new detection with the AI Detection Builder
After opening the AI Detection Builder, in the text field, enter your prompt.

Click the arrow (Submit).
Review the generated detection, including detection code (the rule() function and any helper functions), metadata (ID, display name, description, severity), associated log types, and test cases. If necessary, enter a follow-up prompt to make further changes.

Once the results meet your requirements, click Accept Changes.

The changes you accepted, including detection logic, metadata, and test cases, will be populated in the main detection editor form. In the upper-right corner, click Deploy.

Modifying an existing detection with the AI Detection Builder
To edit an existing rule with the AI Detection Builder:
In the left-hand navigation bar of your Panther Console, click Detections.
In the detection list, click the name of the detection you'd like to update.
On the right-hand side, click AI Detection Builder.
Click one of the suggested prompts (e.g., "Add 3 test cases covering different scenarios") or enter your own request (e.g., "Add a title function that includes the affected resource name").

Review the proposed changes, and enter a follow-up prompt, if necessary. Once the results meet your requirements, click Accept Changes.
Click Deploy.
Reviewing proposed changes
When the AI Detection Builder suggests changes to your detection, a review card appears, showing:
Detection metadata: The detection's name, ID, severity, log types (or scheduled queries), deduplication period, threshold, and number of test cases.
Proposed code changes: A diff view highlighting additions (in green) and removals (in red) to the detection code.
To apply the changes, click Accept Changes to update the detection. The changes are applied to the detection form but are not saved until you click Deploy.

To undo accepted changes and restore the detection to its previous state, click Revert.

Starting a new conversation with the AI Detection Builder
To clear the current conversation and start a new thread:
In the upper-right corner of the AI Detection Builder panel, click the + (New Conversation) icon.

The conversation resets, and you can begin a new interaction.
Best practices when using the AI Detection Builder
Be specific in your prompts: The more detail you provide about what you'd like to detect, the better the AI's suggestions will be.
Review changes carefully: Always review the proposed code changes before accepting them, especially for production detections.
Test before deploying: After accepting changes, use the test functionality to validate the detection works as expected.
Iterate as needed: You can continue the conversation to refine the detection further after accepting initial changes.
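An added example (not from the Panther documentation and not AI Detection Builder output) of the kind of detection the review and test steps above apply to, combining the prompts quoted on this page: a dedup function keyed on the caller's IP, a title that names the affected resource, and a production-only filter. It assumes AWS CloudTrail S3 events and a hypothetical "prod-" bucket naming prefix; the helper names and all events are constructed for illustration.

```python
# Added example: a Panther-style Python rule and the test cases to check in review.
# Events are plain dicts so the file also runs outside Panther.
PROD_PREFIX = "prod-"  # assumption: production buckets share this name prefix

def _bucket(event):
    # requestParameters may be null (e.g. on a denied call), so guard the lookup
    return (event.get("requestParameters") or {}).get("bucketName") or ""

def rule(event):
    # Successful bucket-policy changes on production buckets only
    return (
        event.get("eventName") == "PutBucketPolicy"
        and not event.get("errorCode")
        and _bucket(event).startswith(PROD_PREFIX)
    )

def title(event):
    # Alert title names the affected resource
    return f"S3 bucket policy changed on [{_bucket(event)}]"

def dedup(event):
    # Group alerts by caller IP; fixed key when the field is missing
    return event.get("sourceIPAddress") or "<UNKNOWN_IP>"

def _event(name, bucket, ip="203.0.113.10", error=None):
    # Build a constructed CloudTrail-shaped event for the test cases
    params = {"bucketName": bucket} if bucket else None
    return {"eventName": name, "requestParameters": params,
            "sourceIPAddress": ip, "errorCode": error}

# Constructed test cases: (name, expected rule() result, event)
TESTS = [
    ("prod policy change", True, _event("PutBucketPolicy", "prod-billing")),
    ("non-prod bucket", False, _event("PutBucketPolicy", "dev-scratch")),
    ("denied call, null parameters", False,
     _event("PutBucketPolicy", None, error="AccessDenied")),
    ("unrelated API call", False, _event("GetBucketPolicy", "prod-billing")),
]

def run_tests():
    # Names of failing cases; an empty list means every case passed
    return [n for n, expected, ev in TESTS if rule(ev) != expected]

if __name__ == "__main__":
    print(run_tests() or "all test cases pass")
```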
Limitations of the AI Detection Builder
The AI Detection Builder is currently only available when creating/editing custom rules and scheduled rules—i.e., it's not possible to use the AI Detection Builder to interact with other detection types, like policies and correlation rules.

