Panther Universal Detections groups all the rules that rely on data models and all of their dependencies.
panther-analysis repository, the list packs page will display an
update available flag next to the relevant items.
MANAGED, and detections that are not part of an enabled detection pack will be labeled as
Packs to view a list of the provided packs.
Backup.<original.id>.N, where N is the number of backups already existing for that detection. For example,
Backup.Standard.BruteForceByIp.2 is a backup for the detection
Packs. From the list of packs on this page, you can toggle the
enabled slider to enable or disable individual packs.
enabled slider to enable or disable the pack.
panther-analysis repository. These updates will automatically be detected by Panther, and the pack overview page will show an
Update Available flag next to relevant packs.
Packs. From this pack overview page, you can update the detections by selecting the version from the dropdown menu and hitting the
panther-analysis.sig. This ensures that any detections being imported have not been tampered with or modified. If you would like to use similar functionality, create a sign/verify KMS key. Then, modify the policy to allow Panther to run
kms:Verify using that key.
General and click on the
Detection Pack Sources tab.
+ at the top right. Enter the appropriate field names for each input field and click
AccessToken fields for a pack source, first go to the pack source details by selecting the pack source of interest from the list of pack sources. From this page, edit the fields of interest, and click
... next to the pack source you would like to delete and select "delete."
panther_analysis_tool can streamline the process of creating an appropriate GitHub release, with or without an associated signature file.
GITHUB_TOKEN environment variable to a personal access token with appropriate permissions to access the target repository. Then, use the