CI/CD for Panther Content

Panther customers can automate their detection pipeline, work with custom logs via pantherlog, and improve security with a CI/CD workflow. Learn about other non-web application-based workflows in the Panther Developer Workflows Overview.
For information on web application-based workflows to manage your detections and custom logs directly in the Panther Console, see the Writing and Editing Detections and Custom Logs documentation pages.
To learn how to migrate from Console workflows to CI/CD, see the section below: Migrating to a CI/CD workflow.
Panther's CI/CD documentation walks through setting up a workflow such as the following:
  1. Forking or cloning the panther-analysis repo to leverage Panther-managed Python detections.
     Currently, only Python Panther-managed detections are available for you to clone, modify, and upload. YAML Panther-managed detections are planned for a future release.
     • The Python detections in panther-analysis are broadly applicable, and can be customized to ensure that you are receiving only the alerts that are most important to your organization.
     • See Using the Panther detections repo for instructions.
  2. Pulling updates from panther-analysis to take advantage of new Python detections and other content updates.
     • This process syncs your repo with the upstream panther-analysis repository so that you receive new Python detections and other detection content updates.
     • See Public fork or Private cloned repo for instructions, depending on your organization's chosen method.
  3. Adapting the detections to fit within your CI/CD workflow and uploading them to your Panther Console.

Migrating to a CI/CD workflow

If you are transitioning from managing detections in the Panther Console to managing them via a CI/CD workflow, and you have not yet cloned or forked the panther-analysis repo, follow the process below:
Step 1: Download content created in the Console
A CI/CD upload overwrites whatever it includes: rules, policies, global helpers, and data models. If you have created your own copies of Panther-managed enrichment provider helpers, global helpers, or data models, download those as well so they are not lost when your first upload replaces them.
There are two options available: Bulk-download all entities at once, or download entities individually.

Option 1: Bulk-download all entities

When you use this option, you can download all detections, global helpers, saved queries, and data models from your Panther Console. Note that this download includes everything that is enabled (including Panther standard rules) and writes every file into a single folder; you will need to move the files into the proper repo structure yourself.
  1. In the Panther Console, navigate to Build > Bulk Uploader.
  2. In the upper right corner, click Download all entities.

Option 2: Download entities separately

Download detections

  1. In the left-hand navigation bar of your Panther Console, click Build > Detections.
  2. Click Filters in the upper right. Under Created by, select Created by team.
  3. Click Apply Filters.
  4. Download each page of detections:
     1. Check the bulk Select All box in the upper-left corner of the list.
     2. At the top of the list, click Download.
The detections are downloaded as a zip file that you can incorporate into your version control system.

Download helpers

  1. In the left-hand navigation bar of your Panther Console, click Build > Helpers.
  2. On the right side of a helper tile, click ... then click Download.
  3. Repeat for each separate helper.

Download data models

  1. In the left-hand navigation bar of your Panther Console, click Build > Data Models.
  2. On the right side of a data model tile, click ... then click Download.
  3. Repeat for each separate data model.
Step 2: Enable the Developer Workflow option
To ensure that detections are managed only via CI/CD, we recommend enabling the Developer Workflow option (this step) and marking your users as read-only in the Panther Console (Step 3).
Enabling the Developer Workflow option self-declares the account as a developer workflow account, which prevents Panther detection Packs from being enabled from the Console:
  1. In the Panther Console, navigate to Settings > General.
  2. Click Developer Workflow.
  3. Toggle the option to ON to disallow Panther Detection Packs from being enabled in the Console.
     (Screenshot: under the Developer Workflows tab, the option "We use the Panther Analysis Tool to manage our detections" is shown with its toggle switched on.)
Step 3: Mark users as read-only
To prevent users from making edits in the Panther Console that may conflict with your source control, mark them as read-only:
  1. In the Panther Console, navigate to Settings > Users.
  2. In the user list, locate your developers who are using a CI/CD workflow.
  3. Click ... on the right side of a user tile. In the dropdown menu that appears, click Edit.
  4. Change the user's role to Read Only.
  5. Click Update.
  6. Repeat these steps for each developer who is using a CI/CD workflow.
If you have cloned the panther-analysis repo to use CI/CD, and you are simultaneously using Packs in the Panther Console, please follow this KB article to transition to a CI/CD-only workflow. Panther does not support using both a CI/CD workflow and a manual workflow in the Panther Console at the same time.