Using Panther-managed Detections
Enable prewritten detections, with the option to customize
Last updated
Panther comes with a number of out-of-the-box Python detections, called Panther-managed detections. Panther has written the core logic of these detections and periodically releases improvements for them. A Panther-managed rule can be tailored to your precise needs by tuning it with Rule Filters. You can work with Panther-managed detections in your Panther Console, or by using Panther CLI workflows.
Using Panther-managed detections not only saves you the effort of having to write your own from scratch, but also provides the ongoing benefit of receiving improvements to core detection logic over time, as Panther releases new versions.
Most Panther-managed detections are contained within Detection Packs—logical groupings of detections—though some aren't, typically because they require some additional configuration, such as adding custom values to an allowlist or denylist. Excluding these detections from Packs reduces the likelihood of them being enabled without the required configuration and generating false positive alerts. Some examples of Panther-managed detections that are not in a Pack are:
Currently, only Python Panther-managed detections are available for you to clone, modify and upload. YAML Panther-managed detections are planned for a future release.
The full list of Panther-managed detections is viewable on Panther's website, as well as in the Console and on GitHub, as explained below.
You can view Panther-managed detections in your Console:
In the left-hand navigation bar of your Panther Console, click Build > Detections.
In the upper right corner, click Filters.
In the Created by filter, choose Created by Panther.
Optionally, select the Log Types you'd like to view detections for.
Click Apply Filters.
Note that only Panther-managed detections included in a Pack are available by default in your Panther instance. If you would like to work with a Panther-managed detection not included in a Pack (like one of the ones listed above), contact your Panther support team for help loading it in.
Panther-managed detections can be enabled and disabled in your Panther Console or by using Panther CLI workflows. The steps below cover the Panther Console.
To enable or disable a Panther-managed detection from the detections list page:
In the left-hand navigation bar of your Panther Console, click Build > Detections.
Find the Panther-managed detection you'd like to enable or disable.
To the left of the detection name, click the checkbox.
At the top of the page, click Enable or Disable.
To enable or disable a Panther-managed detection from its details page:
In the left-hand navigation bar of your Panther Console, click Build > Detections.
Find the Panther-managed detection you'd like to enable or disable.
Click the detection's name to go to its details page.
In the upper right corner, switch the Enabled toggle ON or OFF.
In the upper right corner, click Update.
To update your Panther-managed detection when Panther releases a new version (or revert to a previous one), follow the Update or roll back Detection Pack instructions on Detection Packs.
Note that only those Panther-managed detections included in Detection Packs are versioned, and therefore eligible to be updated or rolled back.
You can customize a Panther-managed detection by adding Rule Filters or modifying its editable fields. For Panther-managed detections included in Detection Packs, this means you can add your own tuning while still being able to upgrade your detections as Panther releases updates to core detection logic.
If you need to modify the core rule logic of a Panther-managed detection (which is read-only), you can alternatively clone and edit it. Because a cloned detection is managed by you, not Panther, it won't receive Panther's improvements to core detection logic over time. For this reason, we recommend using the customization techniques outlined in this section, if possible.
You can easily tune Panther-managed rules by adding Rule Filters. See Modifying Detections with Rule Filters for detailed instructions.
Rule Filters will be preserved if the customized detection is part of a Detection Pack, and the Pack is updated or reverted to a different version.
Note that Rule Filters apply only to rules, not to policies or scheduled rules.
Panther-managed detections, while disallowing you from editing core detection logic, do allow you to customize certain metadata fields in the Panther Console. (All other fields will be greyed out in the Panther Console, and the Rule Function and Unit Test editors will be read-only.) These editable fields include:
Enabled / Disabled
Severity
Deduplication Period
Events Threshold
Destination Overrides
Runbook
Any changes made to these fields in the Panther Console will be preserved if the customized detection is part of a Detection Pack, and the Pack is updated or reverted to a different version.
You can make changes to the editable fields in the Panther Console:
In the left-hand navigation bar of your Panther Console, click Build > Detections.
Locate the detection you want to edit, then click on its name to be brought to its details page.
Scroll down to the Set Alert Fields section.
Make any desired changes to the detection.
Fields that are not editable will be greyed out.
Click Update in the upper right side of the page to save your changes.
If a Panther-managed detection doesn't fit your needs, you can clone it, then edit the cloned copy:
In the left-hand navigation bar of your Panther Console, click Build > Detections.
Locate the detection you want to edit, then click on its name.
In the upper right corner of the detection's details page, click the three dots > Clone.
You will be redirected to the standard detection creation interface. Optionally update the cloned detection's Name.
The name of a cloned detection will, by default, have (Copy) appended to it.
In the upper-right corner, click Continue.
On the cloned detection's details page, make any desired changes to your cloned copy of the detection.
The Enabled toggle will default to the enabled status of the original detection, i.e., if the Panther-managed detection was disabled, the toggle will be set to OFF.
In the upper-right corner, click Save.
Note that cloning and editing a detection does not change the Enabled status of the original detection. This means that if the original Panther-managed detection was enabled and you intend your customized copy to replace it, you must go back and disable the Panther-managed detection yourself.
The cloned detection will not be managed by Panther or receive continuous updates (as Panther-managed detections included in Detection Packs do). The original version of the detection (if contained in a Pack) will continue to receive updates as normal, whether it is enabled or disabled.
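Because a cloned detection is yours to maintain, it helps to keep your own tuning separate from the copied core logic, so that when Panther later ships a new version you can re-clone it and re-apply your changes as a small diff. The following is an added example, not a Panther-managed detection or Panther's own code: the function names rule, title and severity follow Panther's Python rule contract, but the detection logic, the allowlists, the deep_get stand-in helper, the local evaluate harness and the sample events are all constructed for illustration.

```python
"""Added example of a cloned Panther-style Python rule with local tuning layered in.

Everything here is constructed for illustration: the "core" logic is not a real
Panther-managed detection, the field names mimic a CloudTrail-like event, and the
allowlists are placeholders for values from your own environment.
"""
from typing import Any, Dict

# Constructed tuning values. Keeping them at module top keeps the diff against
# the copied core logic small and easy to re-apply after a future re-clone.
ALLOWED_SOURCE_IPS = {"198.51.100.10"}        # e.g. a known CI runner (RFC 5737 documentation range)
ALLOWED_PRINCIPAL_TYPES = {"AssumedRole"}     # e.g. automation roles you have reviewed

# Constructed set of actions the core logic flags.
SENSITIVE_ACTIONS = {"DeleteTrail", "StopLogging", "PutBucketPolicy"}


def deep_get(event: Dict[str, Any], *keys: str, default: Any = None) -> Any:
    """Stand-in for Panther's deep_get helper: walk nested keys without raising."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def core_rule(event) -> bool:
    """The copied core logic, left unchanged so a later re-clone diffs cleanly."""
    return event.get("eventName") in SENSITIVE_ACTIONS and event.get("errorCode") is None


def rule(event) -> bool:
    """Panther entry point: local exclusions first, then the untouched core logic.

    This is the code-level equivalent of a Rule Filter: events from trusted
    sources are dropped before the core logic is evaluated.
    """
    if event.get("sourceIPAddress") in ALLOWED_SOURCE_IPS:
        return False
    if deep_get(event, "userIdentity", "type") in ALLOWED_PRINCIPAL_TYPES:
        return False
    return core_rule(event)


def title(event) -> str:
    """Alert title; the ARN lookup tolerates events missing userIdentity."""
    actor = deep_get(event, "userIdentity", "arn", default="<unknown>")
    return f"Sensitive action {event.get('eventName')} by {actor}"


def severity(event) -> str:
    """Per-event severity override; "DEFAULT" defers to the severity set on the detection."""
    if event.get("eventName") == "StopLogging":
        return "CRITICAL"
    return "DEFAULT"


def evaluate(events):
    """Local harness (not part of Panther): (title, severity) for each event that would alert."""
    return [(title(e), severity(e)) for e in events if rule(e)]


# Constructed sample events: only the first should alert.
SAMPLE_EVENTS = [
    {"eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "StopLogging", "sourceIPAddress": "198.51.100.10",  # allowlisted source IP
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci"}},
    {"eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.8",  # allowlisted principal type
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/automation/x"}},
    {"eventName": "DeleteTrail", "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied",  # failed call
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventName": "DescribeTrails", "sourceIPAddress": "203.0.113.9",  # not a sensitive action
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
]

if __name__ == "__main__":
    for alert_title, alert_severity in evaluate(SAMPLE_EVENTS):
        print(f"[{alert_severity}] {alert_title}")
```

Running the module prints one CRITICAL alert for alice's StopLogging call; the allowlisted CI runner, the reviewed automation role, the failed DeleteTrail and the read-only DescribeTrails are all dropped. When you only need exclusions like these and no change to the core logic, a Rule Filter on the Panther-managed detection achieves the same result while keeping Panther's updates flowing.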
An alert runbook is a set of directions for remediating an issue that triggered an alert. Panther provides alert runbooks for a number of Panther-managed policies and rules—find them in Alert Runbooks.