Panther Universal Detections groups all the rules that rely on Data Models and all of their dependencies.
panther-analysis repository, the Packs page in your Panther Console under Detections > Packs will display an Update available flag next to the relevant items.
MANAGED, and detections that are not part of a Detection Pack will be labeled as
panther-analysis repository. These updates are automatically detected by Panther, and the pack overview page will show an Update Available flag next to relevant packs.
_COPY appended to it.
panther-analysis-all.zip (and a corresponding
panther-analysis-all.sig if you are signing your release)
panther_analysis_tool (PAT) to generate the required release assets, as well as publish a draft release (see Creating a Github Release - Panther Analysis Tool for additional details). You can manage custom packs using the same functionality as Panther-provided packs.
panther-analysis-all.zip release artifact can contain many different Pack Manifests along with other files from your repository such as detections, global helpers, data models, etc. If you add your GitHub repository as a Pack Source in the Panther Console, then each of these Pack Manifest files will show up as a Pack in the Panther Console that can be separately enabled/disabled.
IDs, which is a list of strings. Each string in the IDs list should be a unique ID of a file that is included in this Pack
panther-analysis.sig. This ensures that any detections being imported have not been tampered with or modified. If you would like to use similar functionality, create a sign/verify KMS key and modify the policy to allow Panther to run
kms:Verify using that key.
AccessToken fields for a pack source:
... next to a Pack Source, then click Edit. Click on a Pack Source.
... next to a Pack Source, then click Delete.
panther_analysis_tool (PAT) can streamline the process of creating an appropriate Github release, with or without an associated signature file.
GITHUB_TOKEN environment variable to a personal access token with appropriate permissions to access the target repository. Then, use the