Panther Analysis Tool
Using Panther Analysis Tool to test and upload locally managed detections
Overview
Panther Analysis Tool (PAT) is a CLI tool you can use to test, package and upload locally managed detection content (among other actions—view them all on PAT Commands). It's designed for developer-centric Panther workflows, such as managing your detection content programmatically, and integrating with CI/CD pipelines. PAT is open-source—see its GitHub repository here.
If you'd instead prefer to manage detection content in the Panther Console using web application-based workflows, see Detections.
Getting started with PAT
Before you can use PAT to test, package, and upload your detection content, you'll need to install it, set configuration values, and generate an API token for authentication. Learn how to complete each of these steps on Install, Configure, and Authenticate with PAT.
Managing detections with PAT
After you've completed PAT setup, you can start using it to manage your detection content with commands like test, validate, zip, and upload. Explore all you can do with PAT on Panther Analysis Tool Commands.
Writing custom detection content locally
Before you use PAT to upload your custom detection content to your Panther instance, you need to create it locally. Writing detection content locally means creating the files that define it (the detection's code and its metadata) on your own machine.
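As an added example (not code from the Panther docs or the panther-analysis repository), here is what a locally written rule looks like in the shape PAT tests and uploads: a Python module defining `rule(event)` and `title(event)`, with the matching YAML metadata sketched alongside, plus a small runner that mimics what `pat test` does with the YAML `Tests` block. The `Event` wrapper and the runner are simplified stand-ins for Panther's own, and the CloudTrail-style sample events are constructed for illustration.

```python
"""
Added example: a locally written Panther rule with PAT-style unit tests.
Not code from Panther or the panther-analysis repo; the Event wrapper and
run_tests() are simplified stand-ins for Panther's own test machinery.

On disk this rule is two files side by side:
  rules/aws_console_login_without_mfa.py   (this module)
  rules/aws_console_login_without_mfa.yml  (metadata; shown in RULE_YAML)
"""
from typing import Any

# Metadata PAT reads for this rule. Shown as a string for illustration only;
# in a real repo it lives in the .yml file next to this module. The Tests
# block is mirrored by TESTS below.
RULE_YAML = """\
AnalysisType: rule
Filename: aws_console_login_without_mfa.py
RuleID: Custom.AWS.ConsoleLoginWithoutMFA
DisplayName: AWS Console Login Without MFA
Enabled: true
LogTypes:
  - AWS.CloudTrail
Severity: High
Tests:
  - Name: Console login with MFA
    ExpectedResult: false
  - Name: Console login without MFA
    ExpectedResult: true
  - Name: Failed console login without MFA
    ExpectedResult: false
  - Name: Unrelated API call
    ExpectedResult: false
"""


class Event(dict):
    """Minimal stand-in for Panther's event object: a dict with deep_get()."""

    def deep_get(self, *keys: str, default: Any = None) -> Any:
        obj: Any = self
        for key in keys:
            if not isinstance(obj, dict) or key not in obj:
                return default
            obj = obj[key]
        return obj


def rule(event: Event) -> bool:
    """Fire on a successful console login where MFA was not used."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    # Only successful logins are interesting; failures are noise here.
    if event.deep_get("responseElements", "ConsoleLogin") != "Success":
        return False
    # CloudTrail reports MFA usage as "Yes"/"No"; treat a missing field as "No".
    return event.deep_get("additionalEventData", "MFAUsed", default="No") != "Yes"


def title(event: Event) -> str:
    """Alert title shown in Panther; uses the caller's ARN when present."""
    user = event.deep_get("userIdentity", "arn", default="<unknown>")
    return f"AWS console login without MFA by {user}"


# Constructed sample events mirroring the YAML Tests block above.
_USER = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
TESTS = [
    {"Name": "Console login with MFA", "ExpectedResult": False,
     "Log": {"eventName": "ConsoleLogin", "userIdentity": _USER,
             "responseElements": {"ConsoleLogin": "Success"},
             "additionalEventData": {"MFAUsed": "Yes"}}},
    {"Name": "Console login without MFA", "ExpectedResult": True,
     "Log": {"eventName": "ConsoleLogin", "userIdentity": _USER,
             "responseElements": {"ConsoleLogin": "Success"},
             "additionalEventData": {"MFAUsed": "No"}}},
    {"Name": "Failed console login without MFA", "ExpectedResult": False,
     "Log": {"eventName": "ConsoleLogin", "userIdentity": _USER,
             "responseElements": {"ConsoleLogin": "Failure"},
             "additionalEventData": {"MFAUsed": "No"}}},
    {"Name": "Unrelated API call", "ExpectedResult": False,
     "Log": {"eventName": "DescribeInstances", "userIdentity": _USER}},
]


def run_tests(tests: list[dict] = TESTS) -> dict[str, bool]:
    """Run each test case through rule(), like `pat test` does for a YAML
    Tests block. Returns {test name: passed?}."""
    return {t["Name"]: rule(Event(t["Log"])) is t["ExpectedResult"]
            for t in tests}


if __name__ == "__main__":
    for name, passed in run_tests().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

A missing `MFAUsed` field is treated as "No" so that a log source that drops the field still alerts rather than silently passing; that is the kind of edge case worth encoding as a test before `pat upload` pushes the rule to production.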
Learn how to write different types of detection content locally on the following pages:
Customizing Panther-managed detections
You can also use PAT to manage Panther-managed detections you've customized. To do this, privately clone or publicly fork the public panther-analysis GitHub repository; then, on each tagged release, pull in the upstream changes.
Learn how to fork or clone the panther-analysis repository on Using the Panther detections repo.
Getting updates of Panther-managed detections
When you want to update your detections with the latest versions from Panther Analysis, run pat update. This will automatically merge the latest version of a detection with your local copy. Any detections with merge conflicts will be printed out and can be resolved with pat merge <id>.
You can run with the --auto-accept option to pick your changes or Panther's changes automatically for each merge conflict. You can run with --write-merge-conflicts to resolve all conflicts at once instead of one at a time. To get updates, the detection must have a BaseVersion field set. If it does not have one yet, use pat migrate <id> to add it.
If you would like to get new content Panther Analysis has released, you can use pat install. You can view what the new content looks like before cloning it with pat explore.
Troubleshooting the Panther Analysis Tool
Visit the Panther Knowledge Base to view articles about the Panther Analysis Tool that answer frequently asked questions and help you resolve common errors and issues.