Panther Analysis Tool Overview

Using Panther Analysis Tool to test and upload locally managed detections

Overview

Panther Analysis Tool (PAT) is a CLI tool you can use to test, package and upload locally managed detections (among other actions—view them all on PAT Commands). It's designed for developer-centric Panther workflows, such as managing your detections programmatically, and integrating with CI/CD pipelines. PAT is open source; see its GitHub repository here.

If you'd instead prefer to manage detection content in the Panther Console using web application-based workflows, see Detections.

Getting started with PAT

Before you can use PAT to test, package, and upload your detection content, you'll need to install it, set configuration values, and generate an API token for authentication. Learn how to complete each of these steps on Install, Configure, and Authenticate with PAT.

Managing detections with PAT

After you've completed PAT setup, you can start using it to manage your detection content with popular commands like test, validate, zip, and upload. Explore all you can do with PAT on Panther Analysis Tool Commands.

Writing detections locally

Before you use PAT to upload your detections to your Panther instance, you'll need to write detections locally. Writing detections locally means creating Python and metadata files that define a Panther detection on your own machine.

Learn how to write different types of detection content locally on the following pages:

Customizing Panther-managed detections

You can also use PAT to manage Panther-managed detections you've customized. To manage custom detections, you can privately clone or publicly fork the public panther-analysis GitHub repository. Then, upon tagged releases, you can pull upstream changes.

Learn how to fork or clone the panther-analysis repository on Using the Panther detections repo.

Getting updates of Panther-managed detections

It's recommended to pull upstream changes from panther-analysis when there is a new tagged release. You can also pull from the main branch. No other branches should be considered stable.

When you want to pull in the latest changes from the panther-analysis repository, perform the following steps from your private repo:

# add the public repository as a remote
git remote add panther-upstream [email protected]:panther-labs/panther-analysis.git

# Pull in the latest changes
# Note: You may need to use the `--allow-unrelated-histories`
#       flag if you did not maintain the history originally
git pull panther-upstream main

# Push the latest changes up to your forked repo and merge them
git push

Troubleshooting the Panther Analysis Tool

Visit the Panther Knowledge Base to view articles about the Panther Analysis Tool that answer frequently asked questions and help you resolve common errors and issues.

Last updated