Using panther-analysis
is a public, open-source repository of Panther-managed detection content, including detections, Saved Searches, global helpers, Lookup Tables, and more. You can , add your own custom detection content, and receive updates as Panther's Threat Intelligence team releases new versions.
To interact with your Panther detections repository on the command line, use the .
For general information and best practices for Panther detections, and for information on managing your detections in the Panther Console, see the .
There are two methods you can choose from to create a copy of panther-analysis:
When you use a public fork, your detection content will be publicly visible.
A public fork can be used to create Pull Requests to bring new detection content to the .
If you want to keep your detection content private, we recommend using a private cloned repo. With a private cloned repo, the repository settings will control who has access to the content inside the repo.
Note that in this configuration, you cannot use a Pull Request to bring changes upstream.
After you have your own copy of panther-analysis, you can configure .
Panther occasionally deprecates and deletes detection content that has become obsolete. This means a new version of panther-analysis no longer contains the detections (or Saved/Scheduled Searches). When this happens, if you'd like to stop using the removed content, you must manually delete it from your Panther instance—simply removing the content from your repository is not enough, since the does not delete content during upload to Panther.
To help you identify and remove deprecated content, Panther provides a , make remove-deprecated, which removes deprecated detection content from your Panther instance.
This command works by comparing the content of your repository with , a file in panther-analysis containing the IDs of all removed items. It's recommended to run make remove-deprecated at least once per month to clear out any deprecated detections from your instance.
Note that make remove-deprecated requires your API host and token to be set as environment variables. See the instructions on for more details.
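The comparison that make remove-deprecated performs can be modelled as follows. This is an added, simplified example and not Panther's own tooling: it assumes the deprecated-ID list is a plain text file with one analysis ID per line, that local detection specs declare their ID under a RuleID, PolicyID or QueryName key, and it uses constructed sample data in place of a real checkout.

```python
import re
from typing import Dict, Set

# Constructed sample of the deprecated-ID list (one ID per line, comments
# allowed). The real file's name and exact layout are an assumption here.
DEPRECATED_LIST = """\
# IDs removed from panther-analysis
AWS.CloudTrail.OldRule
Okta.Legacy.Query
GCP.Retired.Rule
"""

# Constructed sample spec files keyed by path, as they might sit in a local
# panther-analysis checkout. Only the ID line matters for this comparison.
LOCAL_SPECS = {
    "rules/aws_cloudtrail/old_rule.yml": "AnalysisType: rule\nRuleID: AWS.CloudTrail.OldRule\nEnabled: true\n",
    "rules/aws_cloudtrail/new_rule.yml": "AnalysisType: rule\nRuleID: AWS.CloudTrail.NewRule\nEnabled: true\n",
    "queries/okta/legacy.yml": "AnalysisType: saved_query\nQueryName: 'Okta.Legacy.Query'\n",
    "policies/s3/bucket.yml": "AnalysisType: policy\nPolicyID: AWS.S3.BucketPolicy\n",
}

# Matches the ID-bearing key of a spec, with or without quotes around the value.
ID_PATTERN = re.compile(r"^(RuleID|PolicyID|QueryName):\s*['\"]?([^'\"\s]+)['\"]?\s*$", re.M)


def parse_deprecated(text: str) -> Set[str]:
    """Return the set of IDs in the deprecated list, skipping blanks and comments."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def collect_local_ids(specs: Dict[str, str]) -> Dict[str, str]:
    """Map every content ID found in the local spec files to the file declaring it."""
    found = {}
    for path, body in specs.items():
        for match in ID_PATTERN.finditer(body):
            found[match.group(2)] = path
    return found


def find_deprecated_in_repo(deprecated: Set[str], local: Dict[str, str]) -> Dict[str, str]:
    """IDs removed upstream that still exist locally: the items to delete from the instance."""
    return {cid: local[cid] for cid in sorted(deprecated) if cid in local}


if __name__ == "__main__":
    stale = find_deprecated_in_repo(parse_deprecated(DEPRECATED_LIST), collect_local_ids(LOCAL_SPECS))
    for cid, path in stale.items():
        print(f"deprecated upstream, still present locally: {cid} ({path})")
```

An ID that appears in the deprecated list but nowhere in the checkout (GCP.Retired.Rule above) is reported as nothing to do, which is the case after the content has already been cleaned up.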