Using panther-analysis
Overview
panther-analysis is a public, open-source repository of Panther-managed detection content, including detections, Saved Searches, global helpers, Lookup Tables, and more. You can fork or clone panther-analysis, add your own custom detection content, and receive updates as Panther's Threat Intelligence team releases new versions.
To interact with your Panther detections repository on the command line, use the Panther Analysis Tool (PAT).
For general information and best practices for Panther detections, and for information on managing your detections in the Panther Console, see the Detections documentation.
Currently, only Python Panther-managed detections are available for you to clone, modify, and upload. Panther-managed Simple Detections are planned for a future release.
Methods for leveraging panther-analysis
There are two methods you can choose from to create a copy of panther-analysis: a public fork, or a private cloned repo.
Public fork: your detection content will be publicly visible.
A public fork can be used to open Pull Requests that bring new detection content to the panther-analysis upstream repo.
Private cloned repo: if you want to keep your detection content private, we recommend using a private cloned repo. With a private cloned repo, the repository settings control who has access to the content inside the repo.
Note that with a private clone you cannot use a Pull Request to bring changes upstream.
After you have your own copy of panther-analysis, you can configure CI/CD workflows.
Removing deprecated Panther-managed detections
Panther occasionally deprecates and deletes Panther-managed detection content that has become obsolete. This means a new version of panther-analysis no longer contains the detections (or Saved/Scheduled Searches). When this happens, if you'd like to stop using the removed content, you must manually delete it from your Panther instance—simply removing the content from your repository is not enough, since the Panther Analysis Tool (PAT) does not delete content during upload to Panther.
To help you identify and remove deprecated content, Panther provides a Makefile command, make remove-deprecated, which removes deprecated detection content from your Panther instance.
This command works by comparing the content of your repository with deprecated.txt, a file in panther-analysis containing the IDs of all removed items. It's recommended to run make remove-deprecated at least once per month to clear out any deprecated detections from your instance.
Note that make remove-deprecated requires your API host and token to be set as environment variables. See the instructions on configuring PAT with environment variables for more details.
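As an added example (this is not code from Panther, PAT or the panther-analysis repository), the following Python script models the comparison the section above describes: it reads the IDs in deprecated.txt, scans your local spec files for the IDs they still declare, and splits the deprecated IDs into those your repository still carries and those that are gone from the repository but, because PAT upload never deletes, may still linger in your Panther instance. It also checks that the two environment variables are exported before you run the Makefile target. Assumptions, labelled in the code: deprecated.txt lists one ID per line, spec files declare their ID under one of the YAML keys in ID_KEYS, and PAT reads the host and token from PANTHER_API_HOST and PANTHER_API_TOKEN; the sample deprecated.txt and spec files are constructed for the example.

```python
"""Model the comparison behind `make remove-deprecated` (added example, not PAT code).

Assumptions: deprecated.txt has one ID per line ('#' comments and blank lines
ignored); detection specs declare their ID under one of the keys in ID_KEYS;
PAT reads PANTHER_API_HOST and PANTHER_API_TOKEN. Verify all three against the
PAT documentation before relying on them.
"""
import os
import re

# YAML keys under which panther-analysis specs carry their ID (assumed set).
ID_KEYS = ("RuleID", "PolicyID", "QueryName", "GlobalID", "LookupName", "DataModelID")

# Matches `RuleID: "Some.ID"` or `RuleID: Some.ID` on its own line; no PyYAML needed.
_ID_LINE = re.compile(
    r"^\s*(" + "|".join(ID_KEYS) + r")\s*:\s*[\"']?([^\"'#\n]+?)[\"']?\s*$", re.M
)


def parse_deprecated(text: str) -> set[str]:
    """IDs listed in deprecated.txt (assumed one per line, '#' starts a comment)."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def declared_ids(spec_text: str) -> set[str]:
    """IDs a spec file declares under any key in ID_KEYS."""
    return {m.group(2).strip() for m in _ID_LINE.finditer(spec_text)}


def plan_removal(deprecated: set[str], specs: dict[str, str]) -> dict[str, set[str]]:
    """Split deprecated IDs by whether the local repository still declares them.

    still_declared: upstream dropped it, but a spec in your repo still carries
        it (your own copy, or you have not pulled the release yet) -> keep it.
    delete_from_instance: no spec declares it any more; PAT upload does not
        delete, so it stays in the instance until removed explicitly.
    """
    local = set().union(*(declared_ids(text) for text in specs.values()))
    return {
        "still_declared": deprecated & local,
        "delete_from_instance": deprecated - local,
    }


def pat_env_ready(env=os.environ) -> bool:
    """make remove-deprecated needs the API host and token exported (names assumed)."""
    return bool(env.get("PANTHER_API_HOST")) and bool(env.get("PANTHER_API_TOKEN"))


# Constructed sample input; these are not real panther-analysis IDs.
DEPRECATED_TXT = """\
# IDs removed upstream (constructed sample)
Example.Old.Rule
Example.Retired.Policy
Example.Legacy.Query
"""

LOCAL_SPECS = {
    "rules/example/current_rule.yml": 'AnalysisType: rule\nRuleID: "Example.Current.Rule"\n',
    # A deprecated rule you copied into your own directory and still want to keep.
    "rules/custom/kept_rule.yml": "AnalysisType: rule\nRuleID: Example.Old.Rule\n",
    "policies/example/current_policy.yml": "AnalysisType: policy\nPolicyID: Example.Current.Policy\n",
}


if __name__ == "__main__":
    plan = plan_removal(parse_deprecated(DEPRECATED_TXT), LOCAL_SPECS)
    for bucket, ids in plan.items():
        print(f"{bucket}: {sorted(ids)}")
    if not pat_env_ready():
        print("export PANTHER_API_HOST and PANTHER_API_TOKEN before running make remove-deprecated")
```

With the constructed input, delete_from_instance holds Example.Retired.Policy and Example.Legacy.Query, which is what the Makefile target would remove from the instance, while Example.Old.Rule stays in still_declared because a spec in the local repository still carries it; that is also how a deprecated detection you deliberately kept in your own directory survives the comparison. Use the real make remove-deprecated target for the actual deletion; this script only shows the comparison and the environment-variable check.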