panther_analysis_tool (PAT) is an open source utility for testing, packaging, and deploying Panther detections from source code.

File organization

Group detections into directories named for what they contain, for example suricata_rules or aws_s3_policies. Use the open source Panther Analysis packs as a reference for the layout.

Rules

A rule is a Python function that receives a log event and returns a boolean. Returning True indicates suspicious activity, which triggers an alert.

Each rule is paired with a YAML spec file. Its keys are:

- AnalysisType: rule
- Enabled
- FileName
- RuleID
- LogTypes
- Severity: one of Info, Low, Medium, High, or Critical
- Description
- DedupPeriodMinutes: one of 15, 30, 60, 180 (3 hours), 720 (12 hours), or 1440 (24 hours)
- DisplayName: optional; the RuleID is displayed if this field is not set
- OutputIds
- Reference
- Reports
- Runbook
- SummaryAttributes
- Threshold
- Tags
- Tests
Scheduled queries

A scheduled query spec has the following keys:

- AnalysisType: scheduled_query
- QueryName
- Enabled
- Tags
- Description
- Query
- SnowflakeQuery
- AthenaQuery
- Schedule
- Tests
Policies

A policy is a Python function that receives a cloud resource and returns a boolean. Each policy spec carries a Tests key with sample cases. Returning True indicates this resource is valid and properly configured. Returning False indicates a policy failure, which triggers an alert.

The policy spec keys are:

- AnalysisType: policy
- Enabled
- FileName
- PolicyID
- ResourceTypes
- Severity: one of Info, Low, Medium, High, or Critical
- ActionDelaySeconds
- AutoRemediationID
- AutoRemediationParameters
- Description
- DisplayName: optional; the PolicyID is displayed if this field is not set
- Reference
- Reports
- Runbook
- Tags
- Tests

Unit tests

Test cases live under the spec's Tests key. For a policy test, Resource can be a JSON object copied directly from the Policies > Resources explorer.
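The rule and policy contracts described above, as an added example that is not code from panther_analysis_tool or the Panther Analysis packs. It shows a rule (True triggers an alert) and a policy (False triggers an alert), the spec keys from this page held as a Python dict instead of a YAML file so everything runs from one file, and a small runner that evaluates each spec's Tests key the way PAT does (call the function on the sample Log or Resource and compare with ExpectedResult). The RuleID and PolicyID values, the CloudTrail events and the S3 resource object are constructed for the example and are not Panther's real schemas.

```python
"""Added example, not PAT code: rule/policy return contract and Tests evaluation."""
from typing import Any, Callable

SEVERITIES = {"Info", "Low", "Medium", "High", "Critical"}
DEDUP_PERIODS = {15, 30, 60, 180, 720, 1440}  # minutes, the values the spec allows


# A rule for a log event. Returning True means "suspicious" and triggers an alert.
def rule(event: dict) -> bool:
    return (
        event.get("eventName") == "ConsoleLogin"
        and event.get("userIdentity", {}).get("type") == "Root"
        and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
    )


def title(event: dict) -> str:
    # Alert title shown to analysts; includes the source IP from the event.
    return f"AWS root console login from {event.get('sourceIPAddress', '<unknown>')}"


def dedup(event: dict) -> str:
    # Events that share this string within DedupPeriodMinutes collapse into one alert.
    return f"root-login:{event.get('sourceIPAddress', '')}"


RULE_SPEC: dict[str, Any] = {  # same keys as the YAML rule spec on this page
    "AnalysisType": "rule",
    "Enabled": True,
    "FileName": "aws_root_console_login.py",
    "RuleID": "AWS.Root.ConsoleLogin",  # hypothetical identifier
    "LogTypes": ["AWS.CloudTrail"],
    "Severity": "High",
    "DedupPeriodMinutes": 60,
    "Threshold": 1,
    "Tags": ["AWS", "Identity"],
    "Tests": [  # constructed sample events
        {"Name": "root login succeeds", "ExpectedResult": True,
         "Log": {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
                 "userIdentity": {"type": "Root"},
                 "responseElements": {"ConsoleLogin": "Success"}}},
        {"Name": "root login fails", "ExpectedResult": False,
         "Log": {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
                 "responseElements": {"ConsoleLogin": "Failure"}}},
        {"Name": "IAM user login", "ExpectedResult": False,
         "Log": {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
                 "responseElements": {"ConsoleLogin": "Success"}}},
    ],
}


# A policy for a cloud resource. Returning True means compliant; False triggers an alert.
def policy(resource: dict) -> bool:
    block = resource.get("PublicAccessBlockConfiguration") or {}
    return all(block.get(k) is True for k in
               ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets"))


POLICY_SPEC: dict[str, Any] = {
    "AnalysisType": "policy",
    "Enabled": True,
    "FileName": "aws_s3_bucket_public_access_block.py",
    "PolicyID": "AWS.S3.Bucket.PublicAccessBlock",  # hypothetical identifier
    "ResourceTypes": ["AWS.S3.Bucket"],
    "Severity": "Medium",
    "Tests": [  # constructed resource objects, not Panther's AWS.S3.Bucket schema
        {"Name": "all four settings on", "ExpectedResult": True,
         "Resource": {"Name": "logs-bucket", "PublicAccessBlockConfiguration": {
             "BlockPublicAcls": True, "BlockPublicPolicy": True,
             "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
        {"Name": "no block configuration", "ExpectedResult": False,
         "Resource": {"Name": "web-assets", "PublicAccessBlockConfiguration": None}},
    ],
}


def display_name(spec: dict) -> str:
    """DisplayName, falling back to RuleID / PolicyID as the page describes."""
    return spec.get("DisplayName") or spec.get("RuleID") or spec["PolicyID"]


def validate_spec(spec: dict) -> list[str]:
    """Check the enumerated values this page lists. Returns the problems found (empty = ok)."""
    problems = []
    if spec.get("Severity") not in SEVERITIES:
        problems.append(f"Severity must be one of {sorted(SEVERITIES)}")
    period = spec.get("DedupPeriodMinutes")
    if spec["AnalysisType"] == "rule" and period is not None and period not in DEDUP_PERIODS:
        problems.append(f"DedupPeriodMinutes must be one of {sorted(DEDUP_PERIODS)}")
    return problems


def run_tests(spec: dict, fn: Callable[[dict], bool]) -> dict[str, bool]:
    """Evaluate the spec's Tests like PAT: call fn on each sample input
    (Log for rules, Resource for policies) and compare with ExpectedResult."""
    key = "Log" if spec["AnalysisType"] == "rule" else "Resource"
    return {case["Name"]: fn(case[key]) is case["ExpectedResult"] for case in spec["Tests"]}


def alert_fires(spec: dict, result: bool) -> bool:
    """Map a detection's return value to the alerting decision for its AnalysisType."""
    return result if spec["AnalysisType"] == "rule" else not result


if __name__ == "__main__":
    for spec, fn in ((RULE_SPEC, rule), (POLICY_SPEC, policy)):
        print(display_name(spec), validate_spec(spec), run_tests(spec, fn))
```

Note the asymmetry: a rule returning True and a policy returning False both produce an alert, so a test case's ExpectedResult is the function's literal return value, not "should this alert".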
Mocks

To mock a function during a test, add a Mocks key to your test case. The Mocks key holds a list of the functions you want to mock, each with the value that should be returned when that function is called. Multiple functions can be mocked in a single test. For example, if we have a rule test and want to mock the function get_counter to always return 1 and the function geoinfo_from_ip to always return a specific set of geo IP info, we could write our unit test like this:
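The unit test the paragraph refers to is not on this page. As an added example that is not PAT's own code, the block below shows what a Mocks entry does to a rule under test: each mocked helper is swapped for a stand-in that returns the configured value for the duration of the test, and is restored afterwards. The helper names get_counter and geoinfo_from_ip come from the page; their bodies here are stand-ins that fail loudly when called unmocked (the real helpers need Panther's key-value store and GeoIP lookup). The entry shape (objectName / returnValue), the country allow-list and the log events are constructed for the example; check the entry shape against your PAT version.

```python
"""Added example, not panther_analysis_tool code: how Mocks substitute helper results."""
from unittest.mock import MagicMock, patch


def get_counter(key: str) -> int:
    # Stand-in: the real helper reads a counter from the live key-value store.
    raise RuntimeError(f"get_counter({key!r}) needs the live KV store; mock it in unit tests")


def geoinfo_from_ip(ip: str) -> dict:
    # Stand-in: the real helper queries a GeoIP lookup service.
    raise RuntimeError(f"geoinfo_from_ip({ip!r}) needs the live GeoIP lookup; mock it in unit tests")


EXPECTED_COUNTRIES = {"US"}  # constructed allow-list for the example


def rule(event: dict) -> bool:
    """Alert on a repeated console login from a country outside the allow-list."""
    ip = event.get("sourceIPAddress")
    if not ip or event.get("eventName") != "ConsoleLogin":
        return False
    geo = geoinfo_from_ip(ip)
    if geo.get("country") in EXPECTED_COUNTRIES:
        return False
    return get_counter(f"console-login:{ip}") >= 1


def run_test_case(case: dict) -> bool:
    """Apply the case's Mocks while the rule runs, then report whether it returned ExpectedResult."""
    fakes = {m["objectName"]: MagicMock(return_value=m["returnValue"])
             for m in case.get("Mocks", [])}
    # rule() resolves helper names in this module's globals at call time, so swapping
    # the fakes into that namespace (and restoring it on exit) is all the mocking needed.
    with patch.dict(globals(), fakes):
        return rule(case["Log"]) is case["ExpectedResult"]


def needs_mocks(event: dict) -> bool:
    """True if running the rule unmocked reaches a live helper, i.e. the test case needs Mocks."""
    try:
        rule(event)
    except RuntimeError:
        return True
    return False


TEST_CASES = [  # constructed; each entry mirrors one item of a YAML Tests list
    {
        "Name": "Repeat login from an unexpected country",
        "ExpectedResult": True,
        "Mocks": [
            {"objectName": "get_counter", "returnValue": 1},
            {"objectName": "geoinfo_from_ip",
             "returnValue": {"ip": "203.0.113.9", "country": "DE", "city": "Berlin"}},
        ],
        "Log": {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9"},
    },
    {
        "Name": "First login from an unexpected country",
        "ExpectedResult": False,
        "Mocks": [
            {"objectName": "get_counter", "returnValue": 0},
            {"objectName": "geoinfo_from_ip",
             "returnValue": {"ip": "203.0.113.9", "country": "DE", "city": "Berlin"}},
        ],
        "Log": {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9"},
    },
    {
        # get_counter is deliberately left unmocked: the rule returns before reaching it.
        "Name": "Login from an expected country; get_counter is never reached",
        "ExpectedResult": False,
        "Mocks": [{"objectName": "geoinfo_from_ip",
                   "returnValue": {"ip": "198.51.100.4", "country": "US"}}],
        "Log": {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.4"},
    },
]


def run_all() -> dict[str, bool]:
    return {case["Name"]: run_test_case(case) for case in TEST_CASES}


if __name__ == "__main__":
    for name, passed in run_all().items():
        print("PASS" if passed else "FAIL", name)
```

Mocks are scoped to one test case, so a helper left unmocked in a case still runs its real body; the third case above only passes because the rule returns before calling get_counter.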
Global helpers

Shared helper code goes in the global_helpers folder, which follows a similar pattern to the rules and policies folders. Helpers outside the global_helpers folder will not be loaded. Example (global_helpers/acmecorp.py):

Uploading and deleting

Set the AWS_REGION environment variable before uploading. panther_analysis_tool upload --path <directory> uploads everything from <directory>; it will not delete anything in your Panther instance if you simply remove a local file from <directory>. Instead, use the panther_analysis_tool delete command to explicitly delete detections from your Panther instance. To delete a specific detection, you can run the following command:

Detection packs

panther_analysis_tool can also be used with detection packs and pack sources.