How to write a custom detection rule for Panther?

Create a Python file for logic and a YAML file for metadata, following examples in the README like okta_brute_force_logins. Use the panther_analysis_tool to test locally with commands like 'panther_analysis_tool test --path rules/' before uploading.

Panther Analysis vs Sigma rules: which is better for threat detection?

Panther Analysis is specific to Panther SIEM and uses Python/YAML for deep customization, while Sigma is a generic, portable rule format for multiple SIEMs. Choose Panther if locked into their platform; Sigma for cross-SIEM flexibility.

How to upload detections to Panther using the CLI?

Use the panther_analysis_tool upload command with your API key and host, as shown in the README. You can filter by severity or path, and set environment variables for API tokens to streamline the process.

What cloud services are supported by Panther detections?

Panther supports logs from AWS, Okta, Cisco Umbrella, and others, with rule folders organized by log type. Check the README's 'LogTypes' in examples and documentation links for a full list of supported services.

Can I use Panther Analysis without a Panther subscription?

No, Panther Analysis is designed exclusively for the Panther SIEM platform. You need a Panther deployment to upload, run, and manage these detections; it's not a standalone tool.

How to test detections locally before deploying?

Run the panther_analysis_tool test command with paths or filters, as detailed in the README. It executes tests defined in YAML metadata, and you can use Docker via 'make docker-test' for isolated environments.

Panther Labs Detection Rules

Apache-2.0Pythonv3.108.1

A collection of built-in detection rules and policies for Panther, a modern SIEM, enabling security monitoring as code.

Visit Website

What is Panther Labs Detection Rules?

Panther Analysis is the official repository of built-in detection rules and policies for the Panther SIEM platform. It provides a library of security logic written as code to analyze logs, scan cloud resources, and detect threats. This enables security teams to implement, customize, and deploy detections programmatically within their Panther deployment.

Target Audience

Security engineers, SOC analysts, and DevOps teams using Panther for security monitoring who need pre-built, customizable detection content and a framework for managing detections as code.

Value Proposition

It offers a robust, community-vetted library of security detections that integrate seamlessly with Panther, reducing the time to value for threat detection and enabling teams to adopt a modern, code-driven security operations workflow.

Overview

Built-in Panther detection rules and policies

Use Cases

Best For

Teams deploying Panther SIEM who need out-of-the-box detection rules

Related Projects

Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a project Star on GitHub

GitHub

452 stars203 forks0 contributors

Security engineers wanting to customize and extend detection logic with code

Organizations requiring detections mapped to compliance frameworks like CIS or MITRE ATT&CK

SOC teams analyzing logs from AWS, Okta, and other supported services

Implementing detection-as-code practices for version control and testing

Automating the upload and management of detections via CLI

Not Ideal For

Organizations using other SIEM platforms like Splunk or Elastic SIEM
Teams seeking a no-code, graphical rule builder without Python/YAML development
Projects with log types or cloud providers not supported by Panther's data onboarding
Small security teams lacking resources for maintaining a detection-as-code pipeline

Pros & Cons

Pros

Extensive Pre-built Detections

The repository includes hundreds of rules for services like AWS CloudTrail and Okta, enabling quick threat detection deployment. Evidence: README shows example rules in folders like 'rules/aws_cloudtrail_rules/' and 'okta_brute_force_logins'.

Detection-as-Code Workflow

Supports version control, automated testing with panther_analysis_tool, and CI/CD integration for security logic. README details testing, zipping, and uploading via CLI commands.

Community-Driven Updates

Curated contributions from Panther Labs and open-source ensure vetted detections, with processes for pulling upstream changes. README includes contributing guidelines and syncing instructions.

Compliance Framework Mapping

Detections can be linked to frameworks like CIS and MITRE ATT&CK, aiding in compliance reporting. README mentions 'Reports' for tracking multiple frameworks.

Cons

Vendor-Specific Dependency

Tightly coupled with Panther SIEM; detections cannot be used or ported to other security tools without significant rework, as implied by the need for Panther deployment and API integration.

Steep Implementation Complexity

Setting up requires multiple steps: Python virtual environments with pipenv, Docker, pre-commit hooks, and VSCode configuration, which can be daunting for new users. README details extensive setup commands.

Limited Customization Scope

Global helpers have a hard-coded location that cannot change, restricting how shared code is organized. README explicitly states: 'This is a hard coded location and cannot change.'

Frequently Asked Questions

Home

Detection Engineering

Sigma Rules

Main Sigma Rule Repository

Stars10,466

Forks2,614

Last commit2 days ago

Elastic Detection Rules

Detection Rules is the official repository for the rules used by Elastic Security's Detection Engine. It provides a comprehensive toolkit for security teams to develop, validate, test, and release detection logic in a structured, code-driven manner. This approach enables version control, automated testing, and streamlined integration with the Elastic SIEM. ## Key Features - **Rule Development & Management** — Python module for parsing, validating, and packaging detection rules from TOML files. - **Detections as Code (DaC)** — Full pipeline and CLI tools to manage rules with version control and automated workflows. - **Unit Testing Framework** — Integrated Python testing suite to validate rule logic and ensure reliability. - **Kibana Integration** — Library for API calls to Kibana and the Detection Engine for seamless rule deployment. - **KQL Validation** — Library for parsing and validating Kibana Query Language used in rule conditions. - **Threat Hunting Packages** — Dedicated directory for storing and managing threat hunting queries and packages. ## Philosophy The project embraces a Detections-as-Code philosophy, treating security rules as software artifacts to improve maintainability, collaboration, and automation in threat detection.

Stars2,585

Forks657

Last commit1 day ago

KQL Advanced Hunting Queries & Analytics Rules

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

Stars1,697

Forks323

Last commit11 days ago

Splunk Security Content

Detection Engineering1.2k