Creating PyPanther Detections
Last updated
Was this helpful?
Last updated
Was this helpful?
PyPanther Detections are in closed beta starting with Panther version 1.108. Please share any bug reports and feature requests with your Panther support team.
You can import Panther-managed PyPanther Detections and make your own modifications, as well as create your own custom ones. After you've created detections, you can register, test, and upload them.
Before writing PyPanther Detections, you’ll need to set up your environment. See Getting started using PyPanther Detections.
When working with PyPanther Detections:
A main.py file controls your entire detection configuration, outlining which rules to register, override configurations, and custom rule definitions. You can either:
(Recommended) Define your detections in various other files/folders, then import them into main.py (learn more in the PyPanther Detections Style Guide)
Define your detections in main.py
A PyPanther rule is defined in a single Python file. Within it, you can import Panther-managed (or your own custom) PyPanther rules and specify overrides. A single Python file can define multiple detections.
All PyPanther rules subclass the pypanther Rule class or a parent class of type Rule.
Rules must be registered to be tested and uploaded to your Panther instance.
All event object functions currently available in v1 detections are available in PyPanther Detections. These include: get(), deep_get(), deep_walk(), and udm().
All alert functions available in Python (v1) detections are available in PyPanther Detections, such as title() and severity(). See Rule auxiliary/alerting function reference.
Use the pypanther type-ahead hints in your IDE, like searching for available rules or viewing properties of classes.
A "custom" PyPanther rule is one that you write completely from scratch—i.e., one that isn't built from a Panther-managed rule. Custom PyPanther rules are defined in a Python class that subclasses the pypanther Rule class. In this class, you must:
Define a rule() function
(Optional) Define any of the other alert functions, like title() or destinations()
Define certain attributes, such as log_types
(Optional) Define additional attributes, such as threshold or dedup_period_minutes
The id attribute is only required for a rule if you plan to register it.
See the Rule property reference section for a full list of required and optional fields.
Panther-managed rules can be imported directly or using the get_panther_rules() function.
Panther-managed rules currently all have a -prototype suffix (e.g., AWS.Root.Activity-prototype). This is temporary, and will be removed in the future.
You may want to import Panther-managed rules (into main.py or another file) to either register them individually as-is, set overrides on them, or subclass them. You can import Panther-managed rules directly (from the pypanther.rules module) or by using the get_panther_rules() function.
To import a Panther-managed rule directly using the rules module, you would use a statement like:
The get_panther_rules() function can filter on any Rule class attribute, such as default_severity, log_types, or tag. When filtering, keys use AND logic, and values use OR logic.
Get all Panther-managed rules using get_panther_rules():
Get Panther-managed rules with certain severities using get_panther_rules():
Get Panther-managed rules for certain log types using get_panther_rules():
Get Panther-managed rules that meet multiple criteria using get_panther_rules():
See Using list comprehension for an example of how to use get_panther_rules() with advanced Python.
Once you’ve imported a Panther-managed rule, you can modify it using overrides or inheritance.
If your objective is to modify a rule's logic, it's recommended to use include/exclude filters instead of overriding the rule() function itself. Learn more in Use filters instead of overriding rule().
When making overrides on Panther-managed detections, it's recommended to:
Outside of main.py, store all of your overrides in apply_overrides() functions.
In main.py, call pypanther's apply_overrides() to apply each of your apply_overrides() functions.
Learn more about apply_overrides() in PyPanther Detections Style Guide.
You can override a single rule attribute in a one-line statement using the override() function:
It’s also possible to make multi-attribute overrides with the override() function:
To apply overrides on multiple rules at once, iterate over the collection using a for loop.
This could be useful, for example, when updating a certain attribute for all rules associated to a certain LogType.
When making modifications to an existing rule, you might want to add items to a list-type rule attribute (like tags, tests, include_filters, or exclude_filters) while preserving the existing list.
Instead of overriding the attribute (using one of the methods in Applying overrides on existing rules), which would replace the existing list value, use the pypanther extend() function to append new values to the list attribute.
PyPanther Detection filters let you exclude certain events from being evaluated by a rule. Filters are designed to be applied on top of existing rule logic (likely for Panther-managed PyPanther Detections you are importing).
Each filter defines logic that is run before the rule() function, and the outcome of the filter determines whether or not the event should go on to be evaluated by the rule.
Common use cases for filters include:
To target only certain environments, like prod
To exclude events that are known false positives, due to a misconfiguration or other non-malicious scenario
There are two types of filters:
include_filters: If the filter returns True for an event, the event is evaluated by rule()
exclude_filters: If the filter returns True for an event, the event is dismissed (i.e., not evaluated by rule())
The Rule base class has include_filters and exclude_filters attributes, which each contain a list of functions that will be evaluated against the log event.
Examples as standalone functions:
Example as part of an inherited rule definition:
Filters can also be reused with a for loop to be applied to multiple rules:
Panther-managed rules that require some customer configuration before they are uploaded into a Panther environment may include a validate_config() function, which defines one or more conditions that must be met for the rule to pass the test command (and function properly).
Most commonly, validate_config() verifies that some class variable, such as an allowlist or denylist, has been assigned a value. If the requirements included in validate_config() are not met, an exception will be raised when the pypanther test command is run (if the rule is registered).
Example:
In this example, if allowed_domains is not assigned a non-empty list, an assertion error will be thrown during pypanther test.
To set this value, you can use a statement like:
You can use inheritance to create rules that are subclasses of other rules (that are Panther-managed or custom).
It’s recommended to use inheritance when you’re creating a collection of rules that all share a number of characteristics—for example, rule() function logic, property values, class variables, or helper functions. In this case, it’s useful to create a base rule that all related rules inherit from.
For example, it may be useful to create a base rule for each LogType, from which all rules for that LogType are extended.
Inheritance is commonly used with filters—i.e., subclassed rules can define additional criteria an event must meet in order to be processed by the rule.
If you don’t plan to register a base rule, it’s not required to provide it an id property.
Example:
Because PyPanther rules are fully defined in Python, you can use its full expressiveness when customizing your detections.
super()For more advanced use cases, you can supplement the logic in functions defined by the parent rule.
You can use Python’s list comprehension functionality to create a new list based on an existing list with condensed syntax. This may be particularly useful when you want to filter a list of detections fetched using get_panther_rules().
