CI/CD for Panther Content
Panther's CI/CD documentation walks through setting up a workflow such as the following:
1. Forking or cloning the panther-analysis repo to leverage Panther-managed detections.
   - The detections in panther-analysis are broadly applicable, and can be customized to ensure that you are receiving only the alerts that are most important to your organization.
2. Pulling updates from panther-analysis to take advantage of new detections and other content updates.
3. Adapting the detections to fit within your CI/CD workflow and uploading them to your Panther Console.
If you are migrating from managing detections in the Panther Console to managing them via a CI/CD workflow, follow the process below.
1. Log in to the Panther Console.
2. Navigate to Build > Detections.
3. Click Filters in the upper right. Filter for "Created by", then select "Created by team".
4. Download each page of detections.
   1. Check the bulk select box in the upper left corner of the list.
   2. In the upper right side of the list, click the "Mass Action" dropdown menu, click Download, then click Apply.
The detections will be downloaded as a zip file that you can then incorporate into your source control.
To ensure that you only manage detections via CI/CD, we recommend that you enable the Developer Workflow option and mark your users as read-only in the Panther Console.
To prevent Panther Detection Packs from being enabled from the Console, you can self-declare as a developer workflow account:
1. In the Panther Console, navigate to Settings > General.
2. Click Developer Workflow.
3. Toggle the option to ON to disallow Panther Detection Packs from being enabled in the Console.
To prevent users from making edits in the Panther Console that may conflict with your source control, mark them as read-only:
1. In the Panther Console, navigate to Settings > Users.
2. In the user list, locate your developers who are using a CI/CD workflow.
3. Click ... on the right side of a user tile. In the dropdown menu that appears, click Edit.
4. Change the user's role to Read Only.
5. Click Update.
6. Repeat these steps for each developer who is using a CI/CD workflow.