panther_analysis_tool is a Python command line interface for testing, packaging, and deploying Panther Policies and Rules.
Install the panther_analysis_tool with the following command:
pip3 install panther-analysis-tool
It's best practice to create an internal fork of Panther's open source analysis repository. To get started, navigate to your local checked-out copy of your custom detections.
We recommend grouping rules based on log type, such as aws_cloudtrail. Use the open source Panther Analysis packs as a reference.
Each rule consists of a Python file (<my-rule>.py) containing your detection logic and a YAML/JSON specification (<my-rule>.yml) with the rule's attributes.
Write your rule and save it as
The specification file MUST:
Be valid JSON or YAML
Contain an AnalysisType field with the value rule
Define the following additional fields:
An example specification file:
AnalysisType: rule
Enabled: true
Filename: my_new_rule.py
RuleID: Category.Behavior.MoreInfo
DisplayName: Example Rule to Check the Format of the Spec
DedupPeriodMinutes: 60 # 1 hour
LogTypes:
  - Log.Type.Here
Severity: Info, Low, Medium, High, or Critical
Tags:
  - Tags
  - Go
  - Here
Runbook: Find out who changed the spec format.
Reference: https://www.link-to-info.io
In your spec file, add the following key:
Tests:
  - Name: Name to describe our first test.
    LogType: Log.Type.Here
    ExpectedResult: true/false
    Log:
      Key: Values
      For: Our Log
      Based: On the Schema
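The following is an added example, not code from panther_analysis_tool or the Panther Analysis packs: a hypothetical aws_cloudtrail rule in the form a rule Python file takes (a rule(event) function returning a boolean), together with a small runner that evaluates the spec's Tests entries against it the way the test command checks ExpectedResult. The rule logic, the RuleID, the log type name and the log events are constructed for illustration.

```python
# Added example, not code from panther_analysis_tool or the Panther Analysis packs.
# Assumes a Panther rule file exposes rule(event) -> bool and that the spec's
# Tests entries carry the Name / LogType / ExpectedResult / Log keys shown above.
# The rule logic, RuleID and log events below are constructed for illustration.
from typing import Any, Dict, List


def rule(event: Dict[str, Any]) -> bool:
    """Hypothetical AWS CloudTrail rule: a successful root-account console login."""
    return (
        event.get("eventName") == "ConsoleLogin"
        and event.get("userIdentity", {}).get("type") == "Root"
        and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
    )


ROOT_LOGIN = {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
              "responseElements": {"ConsoleLogin": "Success"}}
IAM_LOGIN = {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
             "responseElements": {"ConsoleLogin": "Success"}}
FAILED_ROOT = {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
               "responseElements": {"ConsoleLogin": "Failure"}}

# Constructed stand-in for the YAML spec file, including the Tests: key.
SPEC: Dict[str, Any] = {
    "AnalysisType": "rule",
    "RuleID": "AWS.CloudTrail.RootConsoleLogin",  # hypothetical RuleID
    "LogTypes": ["AWS.CloudTrail"],
    "Tests": [
        {"Name": "root login", "LogType": "AWS.CloudTrail",
         "ExpectedResult": True, "Log": ROOT_LOGIN},
        {"Name": "iam user login", "LogType": "AWS.CloudTrail",
         "ExpectedResult": False, "Log": IAM_LOGIN},
        {"Name": "failed root login", "LogType": "AWS.CloudTrail",
         "ExpectedResult": False, "Log": FAILED_ROOT},
    ],
}


def run_spec_tests(spec: Dict[str, Any]) -> List[str]:
    """Feed each Tests entry's Log to rule() and compare with ExpectedResult,
    a simplified form of the test command's check. Returns the failing names."""
    failures: List[str] = []
    for case in spec["Tests"]:
        if case["LogType"] not in spec["LogTypes"]:
            failures.append(f"{case['Name']}: LogType not in spec LogTypes")
        elif rule(case["Log"]) != case["ExpectedResult"]:
            failures.append(case["Name"])
    return failures
```

A test whose LogType is not declared in the spec's LogTypes is reported as a failure rather than silently skipped, so a mismatch between the two is caught before upload.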
panther_analysis_tool test --path <path-to-your-rules>
Filtering based on rule attributes:
panther_analysis_tool test --path <path-to-your-rules> --filter RuleID=Category.Behavior.MoreInfo
Make sure to configure your environment with valid AWS credentials prior to running the command below. By default, this command will upload based on the exported value of
panther_analysis_tool upload --path <path-to-your-rules> --out tmp