CI/CD for Panther Content
Panther customers can automate their detection pipeline, work with custom logs via pantherlog, and improve security with a CI/CD workflow. Learn about other non-web application-based workflows in the Panther Developer Workflows Overview.
For information on web application-based workflows to manage your detections and custom logs directly in the Panther Console, see the Writing and Editing Detections and Custom Logs documentation pages.
To learn how to migrate from Console workflows to CI/CD, see the section below: Migrating to a CI/CD workflow.
Panther's CI/CD documentation walks through setting up a workflow such as the following:
1.
   - The detections in panther-analysis are broadly applicable, and can be customized to ensure that you are receiving only the alerts that are most important to your organization.
2. Pulling updates from panther-analysis to take advantage of new detections and other content updates.
   - This process allows you to sync to the upstream panther-analysis repository in order to receive new detections and other detection content updates.
   - See Public fork or Private cloned repo for instructions, depending on your organization's chosen method.
3. Adapting the detections to fit within your CI/CD workflow and uploading them to your Panther Console.
   - See Deployment workflows using Panther Analysis Tool for instructions on using PAT and managing Panther content via CircleCI or GitHub Actions.
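As an added example (not taken from Panther's documentation or the panther-analysis repository), the following GitHub Actions workflow runs PAT's unit tests on every pull request and uploads to the Console only from the main branch, so nothing reaches production without passing tests. The secret names are assumptions, and the PAT subcommands and flags used should be confirmed against the PAT version you pin.

```yaml
# Added example workflow for a fork of panther-analysis; not Panther's own configuration.
# Assumes: panther_analysis_tool is installable from PyPI, the repository carries a
# requirements.txt (panther-analysis ships one), and two repository secrets named here
# PANTHER_API_HOST and PANTHER_API_TOKEN hold the Console's API host and an API token
# with permission to manage detections. Check `panther_analysis_tool --help` for the
# exact flags of your pinned version.
name: Panther detections CI/CD

on:
  pull_request:          # every PR: run tests, never upload
  push:
    branches: [main]     # only merges to main reach the Console

permissions:
  contents: read         # the workflow needs no write access to the repo

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install Panther Analysis Tool and detection dependencies
        run: |
          python -m pip install --upgrade pip
          pip install panther_analysis_tool
          pip install -r requirements.txt
      - name: Run detection unit tests
        run: panther_analysis_tool test --path .

  upload:
    needs: test                          # a failing test blocks deployment
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production              # optional: require reviewer approval before upload
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install panther_analysis_tool
      - name: Upload detections to the Panther Console
        env:
          PANTHER_API_HOST: ${{ secrets.PANTHER_API_HOST }}
          PANTHER_API_TOKEN: ${{ secrets.PANTHER_API_TOKEN }}
        run: |
          panther_analysis_tool upload --path . \
            --api-host "$PANTHER_API_HOST" \
            --api-token "$PANTHER_API_TOKEN"
```

Keeping the token in a protected environment, rather than a plain repository secret, limits who can trigger an upload to reviewers of that environment.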
If you are migrating from managing detections in the Panther Console to managing them via a CI/CD workflow, follow the process below.
1. Log in to the Panther Console.
2. Navigate to Build > Detections.
3. Click Filters in the upper right. Under Created by, select Created by team.
4. Download each page of detections:
   1. Check the bulk select box in the upper left corner of the list.
   2. In the upper right side of the list, click the "Mass Action" dropdown menu, click Download, then click Apply.
The detections will be downloaded in a zip that you can now incorporate into your source control.
To ensure that you only manage detections via CI/CD, we recommend you enable the Developer Workflow option and mark your users as read-only in the Panther Console:
To prevent Panther detection Packs from being enabled from the Console, you can self-declare as a developer workflow account:
1. In the Panther Console, navigate to Settings > General.
2. Click Developer Workflow.
3. Toggle the option to ON to disallow Panther Detection Packs from being enabled in the Console.
To prevent users from making edits in the Panther Console that may conflict with your source control, mark them as read-only:
1. In the Panther Console, navigate to Settings > Users.
2. In the user list, locate your developers who are using a CI/CD workflow.
3. Click ... on the right side of a user tile. In the dropdown menu that appears, click Edit.
4. Change the user's role to Read Only.
5. Click Update.
6. Repeat these steps for each developer who is using a CI/CD workflow.