Panther Analysis Tool

Using Panther Analysis Tool to test and upload locally managed detections

Overview

Panther Analysis Tool (PAT) is a CLI tool you can use to test, package and upload locally managed detection content (among other actions—view them all on PAT Commands). It's designed for developer-centric Panther workflows, such as managing your detection content programmatically, and integrating with CI/CD pipelines. PAT is open-source—see its GitHub repository here.

If you'd instead prefer to manage detection content in the Panther Console using web application-based workflows, see Detections.

Getting started with PAT

Before you can use PAT to test, package, and upload your detection content, you'll need to install it, set configuration values, and generate an API token for authentication. Learn how to complete each of these steps on Install, Configure, and Authenticate with PAT.

Managing detections with PAT

After you've completed PAT setup, you can start using it to manage your detection content with commands like test, validate, zip, and upload. Explore all you can do with PAT on Panther Analysis Tool Commands.

Writing custom detection content locally

Before you use PAT to upload your custom detection content to your Panther instance, you need to create it locally. Writing detection content locally means creating files that define it on your own machine.

Learn how to write different types of detection content locally on the following pages:

Customizing Panther-managed detections

You can also use PAT to manage Panther-managed detections you've customized. To manage custom detections, you can privately clone or publicly fork the public panther-analysis GitHub repository. Then, upon tagged releases, you can pull upstream changes.

Learn how to fork or clone the panther-analysis repository on Using the Panther detections repo.

Getting updates of Panther-managed detections

It's recommended to pull upstream changes from panther-analysis when there is a new tagged release. You can also pull from the main branch. No other branches should be considered stable.

When you want to pull in the latest changes from the panther-analysis repository, perform the following steps from your private repo:

# add the public repository as a remote
git remote add panther-upstream git@github.com:panther-labs/panther-analysis.git

# Pull in the latest changes
# Note: You may need to use the `--allow-unrelated-histories`
#       flag if you did not maintain the history originally
git pull panther-upstream main

# Push the latest changes up to your forked repo and merge them
git push
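As an added example (not from the Panther documentation), the following POSIX shell script follows the recommendation above to track tagged releases rather than main: it fetches from the panther-upstream remote created by the commands above and merges the newest release tag. The function names are my own, and it assumes panther-analysis releases are tagged vMAJOR.MINOR.PATCH.

```shell
#!/bin/sh
# Added example, not part of the Panther docs or the panther-analysis repo.
# Merge the newest tagged panther-analysis release instead of the moving
# main branch. Assumes the "panther-upstream" remote added in the docs above.
set -eu

UPSTREAM_REMOTE="${UPSTREAM_REMOTE:-panther-upstream}"

# Read tag names on stdin and print the highest vMAJOR.MINOR.PATCH tag.
# Pure text processing (no git needed) so it can be checked in isolation.
# Non-release refs such as "main" or "v1.2" are ignored.
latest_release_tag() {
  grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
    | sed 's/^v//' \
    | sort -t. -k1,1n -k2,2n -k3,3n \
    | tail -n 1 \
    | sed 's/^/v/'
}

# Fetch upstream tags and merge the newest release into the current branch.
# Add --allow-unrelated-histories to the merge (as the docs note) if your
# private repo did not keep the original history.
pull_upstream_release() {
  git fetch --tags "$UPSTREAM_REMOTE"
  tag="$(git tag --list 'v*' | latest_release_tag)"
  if [ -z "$tag" ]; then
    echo "no vMAJOR.MINOR.PATCH release tag found from $UPSTREAM_REMOTE" >&2
    return 1
  fi
  echo "merging $UPSTREAM_REMOTE release $tag"
  git merge --no-edit "$tag"
}

# Only touch the repository when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
  pull_upstream_release
fi
```

Run it from your private clone with `sh pull-release.sh --run`, then `git push` as in the steps above.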

Troubleshooting the Panther Analysis Tool

Visit the Panther Knowledge Base to view articles about the Panther Analysis Tool that answer frequently asked questions and help you resolve common errors and issues.
