Panther Config SDK (Beta)
Create, save, and reuse Python across your detections and prevent merge conflicts using Panther Config SDK
Panther Config SDK is in closed Beta as of version 1.43. Please share any bug reports and feature requests with your account team. During the closed beta, you will have the ability to create and edit example detections locally. The ability to upload detections via Panther Analysis Tool (PAT) will be available in an upcoming release.

Overview

Leveraging the Panther Config SDK, you can create, save, and reuse Python across your detections and modify Panther detections.
The Panther Config SDK provides Python typing, autocomplete, and is optimized for efficient coding. We run our content through mypy to ensure there are no validation issues, and as a best practice, we encourage you to do the same. The Panther Config SDK works natively with your IDE, enabling you to command + click to see the underlying Panther content.
Unlike the typical workflow with classic detections provided through Panther Analysis, your content will be managed separately from Panther’s – allowing you to stay up to date without running into future merge conflicts.
Note that we will continue to support the existing classic method of defining detections.

Install and configure Panther Config SDK

For installation instructions and to view all the available fields and options in the Panther Config SDK, visit the PyPI page for the Panther Config SDK project.

How to compose detections using Panther Config SDK

Set up a new repo

  1. Clone the Panther content template repo:
     git clone git@github.com:panther-labs/panther-content-template.git my-panther-content
     cd my-panther-content
  2. Initialize the repo. This removes the existing git data, deletes CODEOWNERS, and starts a new git repository:
     make init
  3. Optionally, start a docker shell to run Python 3.9. If docker is not available or you prefer to run on your host operating system, you can skip this step; in that case, please ensure your machine has a working Python 3.9 environment with pip installed.
     make shell
  4. Run the install command to bootstrap the repository's dependencies. If you are running in docker, there may be warnings about running as the root user; these can be ignored. You can confirm the install was successful by running the tests:
     make install
     make test

How to write content

Visit the Panther Content Repo in Github for templates for content modules.
Use the Python module structure below to guide you in writing your detection. Detections written with this method always start by importing from panther_config, whose library of Python data classes represents the various entities you can have in your Panther instance.
.
├── panther_content/
│   ├── __main__.py      # module entry point
│   ├── filters/         # reusable filters for use in Panther Rules, Policies and Scheduled Rules
│   ├── rules/           # Panther Rule content
│   └── queries/         # Panther Saved/Scheduled Query content
├── tests/               # directory structure mirroring "panther_content" that includes unit tests
├── Makefile             # sample Makefile provided with lint, format and testing targets
├── mypy.ini             # recommended mypy configuration for Python type checking
├── requirements.txt     # pip requirements file
└── .github              # example automation pipeline using GitHub Actions
detection is the name of the module you use to create a detection. After you define your detection and upload the content, the detection is created in Panther. In other words, each detection.Rule() creates a rule in the backend.
from panther_config import detection, query
from panther_utils import match_filters

# A rule: fires on AWS.ALB events whose targetPort is exactly 22
detection.Rule(
    rule_id="Content.Example.AWS.ALB.SSH.Incoming",
    name="[Example] AWS ALB Incoming SSH",
    severity=detection.SeverityInfo,
    log_types=["AWS.ALB"],
    filters=[match_filters.deep_equal("targetPort", 22)],
)

# A saved query: schedule=None means it is saved but not run on a schedule
query.Query(
    name="Example Query",
    sql="SELECT 1;",
    enabled=True,
    schedule=None,
    description="Selects the number 1",
    tags=["example"],
)
You can compose a pipeline of one or more filters that make up your detection. To reuse those filters across detections, wrap them in the PythonFilter dataclass and reference the same function from each rule.
from panther_config import detection, PantherEvent

# filter function to be shared between rules
def always_true(event: PantherEvent) -> bool:
    return True

detection.Rule(
    name="Minimal Rule One",
    rule_id="Rule.One",
    log_types=["log-type01"],
    enabled=True,
    severity=detection.SeverityInfo,
    filters=[
        detection.PythonFilter(func=always_true),
    ],
)

detection.Rule(
    name="Minimal Rule Two",
    rule_id="Rule.Two",
    log_types=["log-type02"],
    enabled=True,
    severity=detection.SeverityInfo,
    filters=[
        detection.PythonFilter(func=always_true),
    ],
)

How to leverage Panther-provided content

Panther provides two main types of content:
  • Commonly used utilities
  • Detection content

Commonly used utilities

To make use of the Panther-provided utilities in panther-utils, which include helpers such as deep_equal as well as some commonly used tags in detection content, add it to your Python requirements and import it as you would any other Python library.
from panther_config import detection
# import panther_utils as usual
from panther_utils import match_filters

detection.Rule(
    rule_id="Content.Example.AWS.ALB.SSH.Incoming",
    name="[Example] AWS ALB Incoming SSH",
    severity=detection.SeverityInfo,
    log_types=["AWS.ALB"],
    # using the deep_equal helper in the filter definition
    filters=[match_filters.deep_equal("targetPort", 22)],
)

Detection content

To make use of Panther-provided content, import the specific detection content against a log type (for example, the panther_okta content). You can quickly import all the content from Panther by using a helper:
import panther_okta as okta
okta.use_all_with_defaults()
You can define filters, such as overrides or allowlists, that are specific to your organization and make the resulting detection more useful.
Here is an example showing how to override certain defaults in the panther_okta content:
from panther_config import detection
from panther_utils import match_filters
import panther_okta as okta

okta.rules.account_support_access(
    # optionally, provide overrides
    overrides=detection.RuleOptions(
        # override the default "reference"
        reference="https://security-wiki.megacorp.internal/okta-incident-response",
    ),
    # optionally, provide pre-filters to be added to the defaults
    pre_filters=[
        match_filters.deep_equal("version", "0"),
    ],
)
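The two ideas above, a reusable filter function shared by several rules (the PythonFilter section) and an organization-specific pre-filter that tunes Panther-provided content (the overrides example), can be seen working end to end in the following added example. It is not code from the Panther docs or from the panther_config package: it does not import panther_config, and instead models the contract the page describes (a filter is a callable taking an event and returning a bool; a rule carries a list of filters) with small stand-in classes so the composition logic runs offline. Assumptions, labelled in the code: events are plain dicts, a rule fires only when every pre-filter and filter returns True (AND semantics), the deep_equal stand-in mimics rather than copies the panther_utils helper, and the sample AWS.ALB-shaped events, including the clientIp field, are constructed for this example.

```python
"""Stand-in model of a Panther Config SDK filter pipeline (added example).

Not from the Panther docs or the panther_config package. Assumptions:
events are dicts, filters are callables Event -> bool, and a rule fires
only when every pre-filter and filter returns True.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Iterable, List

Event = Dict[str, Any]
Filter = Callable[[Event], bool]

_MISSING = object()


def _get_path(event: Event, path: str) -> Any:
    """Resolve a dotted key path ("a.b.c") inside nested dicts; _MISSING if absent."""
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def deep_equal(path: str, value: Any) -> Filter:
    """Stand-in for a match_filters.deep_equal-style helper (assumption: the
    real helper's semantics are modelled, not copied): match when the field
    at `path` exists and equals `value`."""
    return lambda event: _get_path(event, path) == value


def allowlist(path: str, allowed: Iterable[Any]) -> Filter:
    """Org-specific allowlist used as a pre-filter: suppress the rule when the
    field is a known-good value. A missing field is not allowlisted, so the
    event keeps flowing to the rule's own filters."""
    allowed_set = set(allowed)

    def _filter(event: Event) -> bool:
        node = _get_path(event, path)
        return node is _MISSING or node not in allowed_set

    return _filter


@dataclass
class Rule:
    """Stand-in for detection.Rule holding only what this example needs."""
    rule_id: str
    log_types: List[str]
    filters: List[Filter]
    pre_filters: List[Filter] = field(default_factory=list)

    def matches(self, event: Event) -> bool:
        # Log-type gate first, then pre-filters, then the rule's own filters.
        if event.get("p_log_type") not in self.log_types:
            return False
        return all(f(event) for f in (*self.pre_filters, *self.filters))


def evaluate(rules: List[Rule], events: List[Event]) -> Dict[str, List[str]]:
    """Return rule_id -> p_row_id of every event that rule fires on."""
    hits: Dict[str, List[str]] = {rule.rule_id: [] for rule in rules}
    for event in events:
        for rule in rules:
            if rule.matches(event):
                hits[rule.rule_id].append(event["p_row_id"])
    return hits


# One filter object defined once and shared by two rules, like always_true above.
is_ssh_target = deep_equal("targetPort", 22)

SSH_INCOMING = Rule(
    rule_id="Content.Example.AWS.ALB.SSH.Incoming",
    log_types=["AWS.ALB"],
    filters=[is_ssh_target],
)

# Same detection, tuned with an org-specific pre-filter that drops the bastion host.
SSH_INCOMING_TUNED = Rule(
    rule_id="Content.Example.AWS.ALB.SSH.Incoming.Tuned",
    log_types=["AWS.ALB"],
    filters=[is_ssh_target],
    pre_filters=[allowlist("clientIp", ["10.0.0.5"])],
)

# Constructed sample events in an AWS.ALB-like shape (clientIp is an assumed field name).
SAMPLE_EVENTS: List[Event] = [
    {"p_row_id": "r1", "p_log_type": "AWS.ALB", "targetPort": 22, "clientIp": "203.0.113.10"},
    {"p_row_id": "r2", "p_log_type": "AWS.ALB", "targetPort": 22, "clientIp": "10.0.0.5"},
    {"p_row_id": "r3", "p_log_type": "AWS.ALB", "targetPort": 443, "clientIp": "203.0.113.10"},
    {"p_row_id": "r4", "p_log_type": "Okta.SystemLog", "targetPort": 22, "clientIp": "203.0.113.10"},
]


def run_example() -> Dict[str, List[str]]:
    """Evaluate both rules over the sample events."""
    return evaluate([SSH_INCOMING, SSH_INCOMING_TUNED], SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule_id, rows in run_example().items():
        print(f"{rule_id}: {rows}")
```

Running it shows the untuned rule firing on r1 and r2, while the tuned rule fires only on r1: the allowlist pre-filter removes the bastion's traffic before the shared targetPort filter runs, and r4 never reaches either rule because its log type does not match. The same pattern is what the tests/ directory in the template repo is for: feed constructed events through a rule's filters and assert on which ones match.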

Uploading detection content

How to upload the detection content

This is not currently supported in the closed beta but will be available soon. In an upcoming version, you will be able to upload your detections using the Panther Analysis Tool (PAT) with the panther_analysis_tool upload command.
Once that is available, after you have merged your detection code into your repository's main branch and uploaded it using panther_analysis_tool, you will be able to reference your detections in the Panther Console.

How to convert an existing detection to the new format

This is not currently supported but will be included in an upcoming release.