Thank you for your interest in contributing to Panther's open-source ruleset! We appreciate all types of contributions, including new detection rules, feature requests, and bug reports.
Please familiarize yourself with these helpful resources on writing high-quality Panther rules:
- The blog post Panther's founder, Jack Naglieri, wrote on The Anatomy of a High Quality SIEM Rule
- Panther's Detection Documentation
- The `panther-analysis` Style Guide
Especially excellent contributions will be considered for a quarterly prize! We will announce a winner in the Panther-Analysis Seasonal Newsletter, where we share updates and celebrate contributions to Panther’s open-source ruleset.
Before submitting your pull request, make sure to:
- Write or update relevant unit tests
- Redact any sensitive information or PII from example logs
- Format, lint, and test your changes to ensure CI tests pass, using the following commands:

  ```
  make fmt
  make lint
  make test
  ```

- Make the desired detection changes. This may include creating new detections in existing log type directories, creating new log type directories, updating existing detections, etc.
- Commit both the Python and Metadata files
- Write a clear commit message
- Open a Pull Request.
- Once your PR has been approved by code owners, merge it if you have merge permissions. If you do not have merge permissions, leave a comment requesting that a code owner merge it for you.
Please follow the Code of Conduct in all of your interactions with this project.
If you need assistance at any point, feel free to open a support ticket, or reach out to us on Panther Community Slack.
Thank you again for your contributions, and we look forward to working together!