{"id":30178300,"url":"https://github.com/panther-labs/panther-analysis","last_synced_at":"2025-08-12T05:20:16.800Z","repository":{"id":37892137,"uuid":"215863078","full_name":"panther-labs/panther-analysis","owner":"panther-labs","description":"Built-in Panther detection rules and policies","archived":false,"fork":false,"pushed_at":"2025-08-08T18:41:25.000Z","size":6925,"stargazers_count":408,"open_issues_count":10,"forks_count":189,"subscribers_count":35,"default_branch":"develop","last_synced_at":"2025-08-08T20:44:36.551Z","etag":null,"topics":["cybersecurity","python","security","siem"],"latest_commit_sha":null,"homepage":"https://panther.com/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/panther-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-10-17T18:47:09.000Z","updated_at":"2025-08-08T18:41:27.000Z","dependencies_parsed_at":"2022-07-08T18:43:37.404Z","dependency_job_id":"57230efa-af79-4178-bd48-adc8469ef243","html_url":"https://github.com/panther-labs/panther-analysis","commit_stats":{"total_commits":763,"total_committers":89,"mean_commits":8.573033707865168,"dds":0.8689384010484928,"last_synced_commit":"76f27521e0e4c2965e8c0f01fc6b361d09db70c9"},"previous_names":[],"tags_count":185,"template":false,"template_full_name":null,"purl":"pkg:github/panther-labs/panther-analysis","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panther-labs%2Fpanther-analysis","tags_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/panther-labs%2Fpanther-analysis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panther-labs%2Fpanther-analysis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panther-labs%2Fpanther-analysis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/panther-labs","download_url":"https://codeload.github.com/panther-labs/panther-analysis/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panther-labs%2Fpanther-analysis/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270005591,"owners_count":24510939,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-12T02:00:09.011Z","response_time":80,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","python","security","siem"],"created_at":"2025-08-12T05:20:15.682Z","updated_at":"2025-08-12T05:20:16.766Z","avatar_url":"https://github.com/panther-labs.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://panther.com\"\u003e\u003cpicture\u003e\n    \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\".img/panther-logo-github-highres-light.png\" width=75%\u003e\n    \u003csource media=\"(prefers-color-scheme: light)\" 
srcset=\".img/panther-logo-github-highres-dark.png\" width=75%\u003e\n    \u003cimg alt=\"Displays the dark Panther logo in light mode and the light Panther logo in dark mode.\"\u003e\n  \u003c/picture\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003ch3 align=\"center\"\u003eBuilt-in Panther Detections\u003c/h3\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://docs.panther.com/quick-start\"\u003ePanther Deployment\u003c/a\u003e |\n  \u003ca href=\"https://docs.panther.com/writing-detections/panther-analysis-tool\"\u003eCLI Documentation\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/panther-labs/panther-analysis/actions/workflows/lint-test.yml\"\u003e\u003cimg src=\"https://github.com/panther-labs/panther-analysis/actions/workflows/lint-test.yml/badge.svg\" alt=\"GitHub Actions Link\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://cla-assistant.io/panther-labs/panther-analysis\" alt=\"CLA Assistant\"\u003e\u003cimg src=\"https://cla-assistant.io/readme/badge/panther-labs/panther-analysis\"/\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\nPanther is a modern SIEM built for security operations at scale.\n\nWith Panther, teams can define detections as code and programmatically upload them to their Panther deployment. This repository contains all detections developed by the Panther Team and the Community.\n\nWe welcome all contributions! 
Please read the [contributing guidelines](https://github.com/panther-labs/panther-analysis/blob/main/CONTRIBUTING.md) before submitting pull requests.\n\n# Quick Start\n\n## Clone the repository\n\n```bash\ngit clone git@github.com:panther-labs/panther-analysis.git\ncd panther-analysis\n```\n\n### Repo Structure\n\nFolders containing detections are organized according to log type in the format of `\u003clog/resource type\u003e_\u003cdetection_type\u003e`:\n\n- **Rules** analyze [logs](https://docs.panther.com/data-onboarding/supported-logs) to detect malicious activity\n- **Policies** represent the desired secure state of a [resource](https://docs.panther.com/cloud-scanning) to detect security misconfigurations\n- **Scheduled rules** analyze the output of periodically executed [SQL queries](https://docs.panther.com/data-analytics/example-queries)\n\n## Configure your Python environment\n\n```bash\npython3 -m pip install pipenv\necho \"PYTHON_BIN_PATH=\\\"$(python3 -m site --user-base)/bin\\\"\" \u003e\u003e ~/.zprofile\necho \"export PATH=\\\"$PATH:$PYTHON_BIN_PATH\\\"\" \u003e\u003e ~/.zprofile\n. ~/.zprofile\nmake install\npipenv shell # Optional, this will spawn a subshell containing pipenv environment variables. Running pipenv run before commands becomes optional after this step\n```\n\n## Code Formatting and Linting (Pre-commit Hooks)\n\nThis repository uses pre-commit hooks to automatically format and lint code before it is committed. 
This ensures code consistency and helps catch potential errors early.\n\n### Setup\n\nRunning `make install` (as described in the \"Configure your Python environment\" section) installs all necessary dependencies, including `pre-commit`.\n\nAfter the initial setup, you need to install the Git hooks once by running:\n\n```bash\nmake install-pre-commit-hooks\n```\n\n### Usage\n\nOnce installed, the pre-commit hooks will run automatically each time you run `git commit`.\n\n-   If any formatting changes are made or linting errors are found, the commit will be aborted.\n-   Review the changes made by the formatter (e.g., `black`, `isort`).\n-   Fix any reported linting errors (e.g., by `flake8`, `pylint`).\n-   Stage the changes (`git add .`) and run `git commit` again.\n\nYou can also run the hooks manually on all files using the Make command:\n\n```bash\nmake run-pre-commit-hooks\n```\n\nThis is useful for checking the entire codebase or after making changes to the pre-commit configuration.\n\n### Install dependencies and run your first test\n\n```bash\nmake install\npipenv run panther_analysis_tool test --path rules/aws_cloudtrail_rules/\n```\n\n### Run detection tests\n\n```bash\npipenv run panther_analysis_tool test [-h] [--path PATH]\n                                [--filter KEY=VALUE [KEY=VALUE ...]]\n                                [--debug]\n```\n\n### Test with a specific path\n\n```bash\npipenv run panther_analysis_tool test --path rules/cisco_umbrella_dns_rules\n```\n\n### Test by severity\n\n```bash\npipenv run panther_analysis_tool test --filter Severity=Critical\n```\n\n### Test by log type\n\n```bash\npipenv run panther_analysis_tool test --filter LogTypes=AWS.GuardDuty\n```\n\n### Create a zip file of detections\n\n```bash\npipenv run panther_analysis_tool zip [-h] [--path PATH] [--out OUT]\n                               [--filter KEY=VALUE [KEY=VALUE ...]]\n                               [--debug]\n```\n\n### Zip all Critical severity 
detections\n\n```bash\npipenv run panther_analysis_tool zip --filter Severity=Critical\n```\n\n### Upload detections to your Panther instance\n\n```bash\n# Note: API token and host can also be set as environment variables:\n#   - PANTHER_API_TOKEN\n#   - PANTHER_API_HOST\n\npipenv run panther_analysis_tool upload [-h] [--path PATH] [--out OUT]\n                                  [--filter KEY=VALUE [KEY=VALUE ...]]\n                                  [--debug]\n                                  --api-token YOUR_PANTHER_API_TOKEN\n                                  --api-host YOUR_PANTHER_API_HOST\n```\n\nGlobal helper functions are defined in the `global_helpers` folder. This is a hard-coded location and cannot change. However, you may create as many files as you'd like under this path. Simply import them into your detections by the specified `GlobalID`.\n\nAdditionally, groups of detections may be linked to multiple \"Reports\", which is a system for tracking frameworks like CIS, PCI, MITRE ATT\u0026CK, or more.\n\n## Using [Visual Studio Code](https://code.visualstudio.com/)\n\nIf you are comfortable using the Visual Studio Code IDE, the `make vscode-config` command can configure VSCode to work with this repo.\n\nIn addition to this command, you will need to install these vscode add-ons:\n\n1. [Python](https://marketplace.visualstudio.com/items?itemName=ms-python.python)\n2. [Black Formatter](https://marketplace.visualstudio.com/items?itemName=ms-python.black-formatter)\n3. [Pylint](https://marketplace.visualstudio.com/items?itemName=ms-python.pylint)\n4. [Bandit](https://marketplace.visualstudio.com/items?itemName=nwgh.bandit)\n5. [YAML](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml)\n\nYou will also need Visual Studio Code's [code](https://code.visualstudio.com/docs/setup/mac#_launching-from-the-command-line) command configured so that VS Code can be launched from your CLI.\n\n`make vscode-config` will configure:\n\n1. 
Configures VSCode to use the python virtual environment for this repository.\n1. Resolves local imports like global_helpers, which permits code completion via Intellisense/Pylance\n1. Creates two debugging targets, which will give you single-button push support for running `panther_analysis_tool test` through the debugger.\n1. Installs JSONSchema support for your custom panther-analysis schemas in the `schemas/` directory. This brings IDE hints about which fields are necessary for schemas/custom-schema.yml files.\n1. Installs JSONSchema support for panther-analysis rules in the `rules/` directory. This brings IDE hints about which fields are necessary for rules/my-rule.yml files.\n1. Configures `Black` and `isort` settings for auto-formatting on save (thus reducing the need to run `make fmt` on all files)\n1. Configures `pylint` settings for linting when changes are made\n   - Ensure that `\"pylint.lintOnChange\": true` is present in the User-level VSCode settings (`Cmd+Shift+P` -\u003e `Preferences: Open Settings (JSON)`)\n1. Configures `Bandit` settings for linting when files are opened\n\n```shell\nuser@computer:panther-analysis: make vscode-config\n```\n\n## Using Docker\n\nTo use Docker, you can run some of the `make` commands provided to run common panther-analysis workflows. Start by building the container, then you can run any command you want from the image created. If you would like to run a different command, follow the pattern in the Makefile.\n\n```bash\nmake docker-build\nmake docker-test\nmake docker-lint\n```\n\nPlease note that you only need to rebuild the container if your `Pipfile.lock` changes, because the dependencies are installed when the image is built. 
The subsequent test and lint commands are run in the image by mounting the current file system directory, so it is using your local file system.\n\n## Using Windows\n\nIf you are on a Windows machine, you can use the following instructions to perform the standard panther-analysis workflow.\n\n1. Install [Docker Desktop](https://docs.docker.com/desktop/install/windows-install/) for Windows.\n2. Using `make` is recommended. If you would like to use `make`, first install [Chocolatey](https://chocolatey.org/install), a standard Windows package manager.\n3. With Chocolatey, install the make command:\n\n   ```shell\n   choco install make\n   ```\n\n4. `make` should now be installed and added to your PATH. Try running a `make docker-build` to get started.\n\n# Writing Detections\n\n_For a full reference on writing detections, read our [guide](https://docs.panther.com/writing-detections)!_\n\nEach detection has a Python file (`.py`) and a metadata file (`.yml`) of the same name (in the same location), for example:\n\nExample detection rule: `okta_brute_force_logins.py`\n\n```python\ndef rule(event):\n    # Alert on failed Okta session starts; thresholds in the YAML turn repeats into an alert\n    return (event.get('outcome', {}).get('result', '') == 'FAILURE' and\n            event.get('eventType') == 'user.session.start')\n\n\ndef title(event):\n    return 'Suspected brute force Okta logins to account {} due to [{}]'.format(\n        event.get('actor', {}).get('alternateId', 'ID_NOT_PRESENT'),\n        event.get('outcome', {}).get('reason', 'REASON_NOT_PRESENT')\n    )\n```\n\nExample detection metadata: `okta_brute_force_logins.yml`\n\n```yaml\nAnalysisType: rule\nFilename: okta_brute_force_logins.py\nRuleID: \"Okta.BruteForceLogins\"\nDisplayName: \"Okta Brute Force Logins\"\nEnabled: true\nLogTypes:\n  - Okta.SystemLog\nTags:\n  - Identity \u0026 Access Management\nSeverity: Medium\nThreshold: 5\nDedupPeriodMinutes: 15\nSummaryAttributes:\n  - eventType\n  - severity\n  - displayMessage\n  - p_any_ip_addresses\nTests:\n  - Name: Failed login\n    ExpectedResult: true\n    Log:\n      {\n        \"eventType\": \"user.session.start\",\n        \"actor\":\n          {\n            \"id\": \"00uu1uuuuIlllaaaa356\",\n            \"type\": \"User\",\n            \"alternateId\": \"panther_labs@acme.io\",\n            \"displayName\": \"Run Panther\",\n          },\n        \"request\": {},\n        \"outcome\": { \"result\": \"FAILURE\", \"reason\": \"VERIFICATION_ERROR\" },\n      }\n```\n\n# Customizing Detections\n\nCustomizing detections-as-code is one of the most powerful capabilities Panther offers. To manage custom detections, you can create a private fork of this repo.\n\nUpon [tagged releases](https://github.com/panther-labs/panther-analysis/releases), you can pull upstream changes from this public repo.\n\nFollow the instructions [here](https://docs.panther.com/panther-developer-workflows/ci-cd/detections-repo) to get started with either a public fork or a private cloned repo to host your custom detection content.\n\n## Getting Updates\n\nWhen you want to pull in the latest changes from this repository, we recommend leveraging the [included GitHub Action](https://docs.panther.com/panther-developer-workflows/detections-repo/public-fork#keeping-in-sync-with-upstream).\n\nIf you wish to sync manually, the process below can be run from a terminal.\n\n```bash\n# add the public repository as a remote\ngit remote add panther-upstream git@github.com:panther-labs/panther-analysis.git\n\n# Pull in the latest changes\n# Note: You may need to use the `--allow-unrelated-histories`\n#       flag if you did not maintain the history originally\ngit pull panther-upstream main\n\n# Push the latest changes up to your forked repo and merge them\ngit push\n```\n\n# Remove Deprecated Formatters\n\nPreviously, Node, NPM and Prettier were used for formatting Markdown and YAML files; these are no longer in use.\n\nDepending on how Node is managed, it will need to be uninstalled or removed if it is no longer needed elsewhere. 
Refer to your system/package manager's documentation for instructions on removing Node.\n\nOtherwise, running `npm uninstall prettier` will remove Prettier.\n\n# License\n\nThis repository is licensed under [Apache License, Version 2.0](https://github.com/panther-labs/panther-analysis/blob/main/LICENSE.txt).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanther-labs%2Fpanther-analysis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpanther-labs%2Fpanther-analysis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanther-labs%2Fpanther-analysis/lists"}