CI/CD for Panther Content

Panther customers can manage their detection content as code: with a CI/CD workflow, changes to detections are reviewed, tested and deployed from source control rather than edited by hand in the Console. Learn about other non-UI based workflows in the Panther Developer Workflows Overview.
For information on UI-based workflows to manage your detections directly in the Panther Console, see the Writing Detections documentation.
To learn how to migrate from Console workflows to CI/CD, see the section below: Migrating to a CI/CD workflow.
Panther's CI/CD documentation walks through setting up a workflow such as the following:
  1. Forking or cloning the panther-analysis repo to leverage Panther-managed detections.
     • The detections in panther-analysis are broadly applicable, and can be customized to ensure that you are receiving only the alerts that are most important to your organization.
     • See Using the Panther detections repo for instructions.
  2. Pulling updates from panther-analysis to take advantage of new detections and other content updates.
     • This process allows you to sync to the upstream panther-analysis repository in order to receive new detections and other detection content updates.
     • See Public fork or Private cloned repo for instructions, depending on your organization's chosen method.
  3. Adapting the detections to fit within your CI/CD workflow and uploading them to your Panther Console.
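The three steps above come together in a pipeline definition. The following GitHub Actions workflow is an added illustration, not part of the Panther documentation or of the panther-analysis repo. It assumes GitHub Actions as the CI system, the panther_analysis_tool CLI installed from PyPI, a Python 3.11 runner, and two repository secrets, PANTHER_API_HOST and PANTHER_API_TOKEN, holding the Console API endpoint and an API token created for the CI service account; the `--api-host` and `--api-token` flags are the tool's current upload options and should be checked against the installed version.

```yaml
# Added example: CI/CD for a fork or clone of panther-analysis.
# Assumptions (not from the page): GitHub Actions, panther_analysis_tool
# from PyPI, Python 3.11, and repository secrets PANTHER_API_HOST and
# PANTHER_API_TOKEN for a dedicated CI service account.
name: panther-content

on:
  pull_request:
  push:
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install panther_analysis_tool
        run: pip install panther_analysis_tool
      # Validates each detection's YAML/Python pair and runs the unit tests
      # embedded in the YAML. A failing test fails the pull request, so
      # broken or untested logic never reaches the Console.
      - name: Run detection unit tests
        run: panther_analysis_tool test --path .

  upload:
    needs: test
    # Only reviewed, merged content on the default branch is ever uploaded,
    # so the Console mirrors source control rather than the other way round.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install panther_analysis_tool
        run: pip install panther_analysis_tool
      - name: Upload detections to the Panther Console
        env:
          PANTHER_API_HOST: ${{ secrets.PANTHER_API_HOST }}
          PANTHER_API_TOKEN: ${{ secrets.PANTHER_API_TOKEN }}
        run: |
          panther_analysis_tool upload --path . \
            --api-host "$PANTHER_API_HOST" \
            --api-token "$PANTHER_API_TOKEN"
```

Pulling upstream updates (step 2) is a git operation on the fork or clone and is covered by the Public fork and Private cloned repo pages; once merged to main, those updates flow through the same test and upload jobs as your own changes. Keep the upload credentials scoped to a service account rather than a person, so that marking developers read-only in the Console (described below) does not break the pipeline.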

Migrating to a CI/CD workflow

If you are migrating from managing detections in the Panther Console to managing them via a CI/CD workflow, follow the process below.
  1. Log in to the Panther Console.
  2. Navigate to Build > Detections.
  3. Click Filters in the upper right. Under Created by, select Created by team.
  4. Download each page of detections:
     1. Check the bulk select box in the upper left corner of the list.
     2. In the upper right side of the list, click the "Mass Action" dropdown menu, click Download, then click Apply.
The detections will be downloaded in a zip that you can now incorporate into your source control.
To ensure that detections are managed only via CI/CD, we recommend that you enable the Developer Workflow option and mark your users as read-only in the Panther Console. Both settings are described below.
To prevent Panther Detection Packs from being enabled from the Console, self-declare as a developer workflow account:
  1. In the Panther Console, navigate to Settings > General.
  2. Click the Developer Workflows tab.
  3. Toggle the option "We use the Panther Analysis Tool to manage our detections" to ON. With this enabled, Panther Detection Packs can no longer be enabled in the Console.
To prevent users from making edits in the Panther Console that may conflict with your source control, mark them as read-only:
  1. In the Panther Console, navigate to Settings > Users.
  2. In the user list, locate your developers who are using a CI/CD workflow.
  3. Click ... on the right side of a user tile. In the dropdown menu that appears, click Edit.
  4. Change the user's role to Read Only.
  5. Click Update.
  6. Repeat these steps for each developer who is using a CI/CD workflow.