Report Mapping

Map detections to compliance frameworks in Panther


Panther supports the ability to map rules, policies, and scheduled rules to compliance frameworks for the purposes of tracking coverage against that framework.


Version 1.37 and newer allows you to directly map your Detection against the MITRE ATT&CK Matrix. To learn how to assign Tactic and Technique combos to your Detections, see the documentation: MITRE ATT&CK Matrix.

How to map a detection to a framework

Panther Console
Panther Analysis Tool
  1. 1.
    Log in to the Panther Console.
  2. 2.
    In the left sidebar, click Build > All Detections. Click the three dots icon in the upper right side of a Detection to view its details.
  3. 3.
    Click the Report Mapping tab.
  4. 4.
    Under Report Mapping:
    • Enter the framework name into the Report Key field.
    • Enter the specific framework requirement name into the Report Values field.
      • You can enter multiple report values separated by a comma.
        The image shows the Reporting Mapping section at the bottom of a detection in the Panther Console. The Report Key field contains "PCI" and the Report Values field contains "1.1.5".
  5. 5.
    Click Update in the upper right corner.
You can view the report mapping in the Detection Details page:
A detection's details page in the Panther Console is displayed. At the bottom of the details, the Report Mappings are listed.
You can add report mappings using the Detection metadata yaml files in source code via Panther Analysis Tool (PAT).
For a given Detection, add the report key and value under the Reports yml tag:
Report Key:
- Report Value
Once the detection has been uploaded via Panther Analysis Tool or bulk uploaded, the changes will be reflected in the Panther Console.