Panther Analysis Tool

Overview

Panther Analysis Tool (PAT) is a CLI tool you can use to test, package and upload locally managed detection content (among other actions—view them all on PAT Commands). It's designed for developer-centric Panther workflows, such as managing your detection content programmatically, and integrating with CI/CD pipelines. PAT is open-source—see its GitHub repository here.

If you'd instead prefer to manage detection content in the Panther Console using web application-based workflows, see Detections.

Getting started with PAT

Before you can use PAT to test, package, and upload your detection content, you'll need to install it, set configuration values, and generate an API token for authentication. Learn how to complete each of these steps on Install, Configure, and Authenticate with PAT.

Managing detections with PAT

After you've completed PAT setup, you can start using it to manage your detection content with commands like test, validate, zip, and upload. Explore all you can do with PAT on Panther Analysis Tool Commands.

Writing custom detection content locally

Before you use PAT to upload your custom detection content to your Panther instance, you can need to create it locally. Writing detection content locally means creating files that define it on your own machine.

Learn how to write different types of detection content locally on the following pages:

• Detections

  • Writing Python rules and scheduled rules locally

    • Writing Simple Detections (rules) locally

    • Creating Derived Detections (rules)

  • Writing correlation rules locally

  • Writing policies locally

• Other detection content

  • Writing Saved Searches locally

  • Writing Scheduled Searches locally

  • Using Lookup Tables locally

  • Creating Data Models locally

  • Creating global helpers locally

Customizing Panther-managed detections

You can also use PAT to manage Panther-managed detections you've customized. To manage custom detections, you can privately clone or publicly fork the public panther-analysis GitHub repository. Then, upon tagged releases, you can pull upstream changes.

Learn how to fork or clone the panther-analysis repository on Using the Panther detections repo.

Getting updates of Panther-managed detections

When you want to pull in the latest changes from the panther-analysis repository, perform the following steps from your private repo:

# add the public repository as a remote
git remote add panther-upstream [email protected]:panther-labs/panther-analysis.git

# Pull in the latest changes
# Note: You may need to use the `--allow-unrelated-histories`
#       flag if you did not maintain the history originally
git pull panther-upstream main

# Push the latest changes up to your forked repo and merge them
git push

Troubleshooting the Panther Analysis Tool

Visit the Panther Knowledge Base to view articles about the Panther Analysis Tool that answer frequently asked questions and help you resolve common errors and issues.