Public fork
One method you can use to leverage Panther-managed Python detections within your CI/CD workflow is to create a public fork of panther-analysis.
For organizations who want to share their detection content publicly or want to bring content upstream into panther-labs/panther-analysis, a public fork is the right choice.
For information on creating a private clone of the repo, see Private cloned repo.
It's recommended to pull upstream changes from panther-analysis when there is a new tagged release. You can also pull from the main branch. No other branches should be considered stable.
Configuring a public fork of panther-analysis
This process will create a public fork of the panther-analysis
repository in your organization. This will serve as your working copy of panther-analysis
, and any changes required by your organization can be made here and will undergo any configured CI checks that you define.
For reference, see GitHub's complete instructions on forking a repo here.
In the upper right corner of the repository’s main page click Fork.
On the Create a new fork page:
Click Create fork.
Navigate to the Settings page of your forked repository.
Within Default branch, click the pencil icon to edit the default branch.
Click Update.
(Optional) Unzip any of your custom detections into the same directory as your forked version of
panther-analysis
.
Keeping in sync with upstream
We recommend that you leverage our included sync-panther-analysis-from-upstream GitHub Action to stay in sync with upstream:
Log in to your GitHub account and navigate to your repository.
In the horizontal menu bar, click Actions, then click the
sync-panther-analysis-from-upstream
action.Click Run Workflow > Run workflow.
Once the action is complete, you will see a green circle next to the workflow run. If there are changes, you should see a new open pull request authored by GitHub Actions. If there are no changes, you should see a message similar to “Local repo already synced to latest release.”
Note: The
sync-panther-analysis-from-upstream
action is configured to run on a cron schedule every Tuesday at 15:00Z. You can modify this schedule on line 6 of .github/workflows/sync-from-upstream.yml.
Merge the pull request into your primary branch, as you would with a normal pull request.
Your repository will reflect the merge as your latest change, and you will be able to view both your private repo and panther-analysis git histories.
If you run into issues with merge conflicts or see an error that states "all jobs have failed," please see this troubleshooting article: How do I resolve merge conflicts and failed syncs when using the GitHub Action sync-panther-analysis-from-upstream?
Manual updates
Alternatively, you can manually update the fork. Please see GitHub's documentation to learn more about the process of manually updating the fork from its source, in this case panther-labs/panther-analysis.
It is recommended to always using the "compare" option detailed in these documents to ensure you are pulling in changes that make sense for your organization. This will display the updates as a Pull Request, and changes and comments can be made.
Next steps
After you fork the repo, you can integrate Panther detections into your CI/CD workflow. Panther offers documentation for CircleCI and GitHub Actions.
GitHub Actions
You can create your own GitHub Action to upload detection content to your Panther instance, and it can be configured to run automatically on each merged pull request to your repo.
See Managing Content via GitHub Actions for more information.
Customer contributed content
Customers are encouraged to contribute content back upstream to panther-analysis. If you’d like to do so, you can create a Pull Request against the panther-analysis repository. One of our detection engineers will happily review and merge it!
Last updated