Panther's Detection Packs come from the panther-labs/panther-analysis repository. One of them, Panther Universal Detections, groups all the rules that rely on Data Models and all of their dependencies.

When updates are published to the panther-analysis repository, the Packs page in your Panther Console under Detections > Packs will display an Update available flag next to the relevant items. Detections that are part of a Detection Pack will be labeled as MANAGED, and detections that are not part of a Detection Pack will be labeled as UNMANAGED.

Updates to the panther-analysis repository are automatically detected by Panther, and the pack overview page will show an Update Available flag next to relevant packs. ... with _COPY appended to it.

A custom pack is published as a GitHub release whose artifact is panther-analysis-all.zip (and a corresponding panther-analysis-all.sig if you are signing your release). panther-analysis-all.zip contains at least one Pack Manifest file (see the section on Pack Manifests below for more information). You can use panther_analysis_tool (PAT) to generate the required release assets, as well as publish a draft release (see Creating a GitHub Release - Panther Analysis Tool for additional details). You can manage custom packs using the same functionality as Panther-provided packs.

A Pack Source is defined by the fields Owner, Repository, kmsKey and AccessToken.

The panther-analysis-all.zip release artifact can contain many different Pack Manifests along with other files from your repository such as detections, global helpers, data models, etc. If you add your GitHub repository as a Pack Source in the Panther Console, then each of these Pack Manifest files will show up as a Pack in the Panther Console that can be separately enabled/disabled.

A Pack Manifest file has AnalysisType pack and an IDs field, which is a list of strings. Each string in the IDs list should be the unique ID of a file that is included in this Pack.

Panther signs its own releases with panther-analysis.sig. This ensures that any detections being imported have not been tampered with or modified. If you would like to use similar functionality, create a sign/verify KMS key and modify the policy to allow Panther to run kms:Verify using that key.

To update the kmsKey or AccessToken fields for a pack source, click ... next to a Pack Source, then click Edit. To view a Pack Source, click on it. To delete a Pack Source, click ... next to it, then click Delete.

panther_analysis_tool (PAT) can streamline the process of creating an appropriate GitHub release, with or without an associated signature file. To generate the release assets, use the release command. To publish, set the GITHUB_TOKEN environment variable to a personal access token with appropriate permissions to access the target repository, then use the publish command. The panther_analysis_tool publish command creates a draft release; before Panther is able to pull in this release artifact, you must go to your GitHub repository and manually finalize the draft into a release. The kms-key argument is optional and generates a signature file; if you use it, run panther_analysis_tool with AWS credentials that are allowed to call kms:Sign on the specified key.
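The two artifact requirements above (at least one Pack Manifest in panther-analysis-all.zip, and every entry in a manifest's IDs list being the unique ID of a file actually shipped in the archive) are easy to get wrong when a pack is hand-maintained. The following is an added example, not code from Panther or from panther_analysis_tool, that builds a constructed archive in memory and checks it before release. The manifest layout it assumes (AnalysisType: pack, PackID, PackDefinition with an IDs list) follows the panther-analysis repository; the mapping of AnalysisType to ID field, and every file name and ID below, are assumptions or constructed sample values.

```python
"""Consistency check for a panther-analysis-all.zip release artifact (added example)."""
import io
import zipfile

# Assumption: which spec field carries the ID for each AnalysisType.
ID_FIELDS = {
    "rule": "RuleID",
    "scheduled_rule": "RuleID",
    "policy": "PolicyID",
    "global": "GlobalID",
    "datamodel": "DataModelID",
}

# Constructed sample archive: a rule, a global helper, and one valid Pack Manifest.
SAMPLE_FILES = {
    "rules/example_rule.yml": (
        "AnalysisType: rule\nRuleID: Custom.Example.Rule\nFilename: example_rule.py\n"
    ),
    "rules/example_rule.py": "def rule(event):\n    return False\n",
    "global_helpers/example_helper.yml": (
        "AnalysisType: global\nGlobalID: custom_example_helper\nFilename: example_helper.py\n"
    ),
    "global_helpers/example_helper.py": "def is_example(event):\n    return True\n",
    "packs/custom_pack.yml": (
        "AnalysisType: pack\nPackID: Custom.Example.Pack\n"
        "Description: Constructed sample pack\nPackDefinition:\n  IDs:\n"
        "    - Custom.Example.Rule\n    - custom_example_helper\nDisplayName: Custom Example Pack\n"
    ),
}

# Constructed manifest with a duplicate entry and an ID no file in the archive defines.
BROKEN_MANIFEST = (
    "AnalysisType: pack\nPackID: Custom.Broken.Pack\nPackDefinition:\n  IDs:\n"
    "    - Custom.Example.Rule\n    - Custom.Example.Rule\n    - Custom.Missing.Rule\n"
)


def parse_spec(text):
    """Parse the flat subset of YAML these specs use: 'Key: value', 'Key:' opening a
    list, and '- item' entries. Deliberately not a general YAML parser."""
    spec, current_list = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current_list is not None:
            current_list.append(line[2:].strip())
        elif line.endswith(":"):
            current_list = spec.setdefault(line[:-1], [])
        else:
            key, _, value = line.partition(":")
            spec[key.strip()] = value.strip()
            current_list = None
    return spec


def build_archive(files):
    """Zip a {path: text} mapping in memory, standing in for panther-analysis-all.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def index_archive(archive_bytes):
    """Return (ids_in_archive, packs): the IDs defined by spec files, and each
    Pack Manifest's IDs list keyed by PackID."""
    ids_in_archive, packs = {}, {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith((".yml", ".yaml")):
                continue
            spec = parse_spec(zf.read(name).decode("utf-8"))
            kind = spec.get("AnalysisType")
            if kind == "pack":
                packs[spec.get("PackID", name)] = spec.get("IDs", [])
            elif kind in ID_FIELDS and ID_FIELDS[kind] in spec:
                ids_in_archive[spec[ID_FIELDS[kind]]] = name
    return ids_in_archive, packs


def check_archive(archive_bytes):
    """Return {PackID: [problem, ...]}; an empty dict means the artifact is consistent."""
    ids_in_archive, packs = index_archive(archive_bytes)
    if not packs:
        return {"<archive>": ["no Pack Manifest (AnalysisType: pack) found"]}
    problems = {}
    for pack_id, ids in packs.items():
        issues, seen = [], set()
        if not ids:
            issues.append("IDs list is empty")
        for item in ids:
            if item in seen:
                issues.append(f"duplicate ID {item}")
            seen.add(item)
            if item not in ids_in_archive:
                issues.append(f"ID {item} is not defined by any file in the archive")
        if issues:
            problems[pack_id] = issues
    return problems


if __name__ == "__main__":
    print(check_archive(build_archive(SAMPLE_FILES)))  # {} for the valid sample
    print(check_archive(build_archive({**SAMPLE_FILES, "packs/broken_pack.yml": BROKEN_MANIFEST})))
```

Running check_archive over the zip that panther_analysis_tool produces, before finalizing the GitHub draft release, catches a manifest that names an ID the archive does not carry; such a pack would otherwise be incomplete once enabled in the Console.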