Modifying Detections with Rule Filters (Beta)
Modify an existing rule without writing code
Rule filters are in open beta as of Panther version 1.54. Please share any bug reports and feature requests with your account team.
In the Panther Console, you can easily tune existing rules, including Panther-managed rules, by adding Rule Filters. Because Rule Filters are code-free, they expand who on your security team can contribute to detection fidelity. Note that Rule Filters are available only on rules, not on scheduled rules or policies.
Filter statements are evaluated before a detection's rule function. A filter must return `true` (i.e., match the event) for the rule function, which is written in code, to then be run. Based on the detection's log type, you can select a field to filter on. From there, you will specify the operator and, if applicable, input a value. A common use case for filters is to add an allowlist or denylist.
When building a filter, consider the following:
- When multiple filters are included on one rule, they run using `AND` logic. `OR` statements are not supported.
- Filters are not available during new rule creation.
- When you clone a rule, or export it from the Panther Console, filters are not included.
To add a Rule Filter to an existing rule:
1. Log in to the Panther Console.
2. In the left sidebar, click Build > Detections.
3. In the list of detections, click a rule's name to view its details page.
4. In the upper right corner of the rule details page, click Edit.
5. Click the Functions & Tests tab and locate the Filters header. Click +Add New.
6. Specify a field, operator, and applicable value(s).
   - Run the unit tests to ensure they pass with the added filter(s).
7. At the top of the page, click Update to save your changes.
If an event does not contain the field the filter is evaluating, the filter will pass. If the field the filter is evaluating has a value of `none`, the filter will return `false` on positive comparators or on comparators that don't apply, and `true` for inverse comparators.

If the Rule Filter operator you've selected requires the value field to take in an array (such as the `is in` operator), you'll input the array values in a modal that pops up when you click into the value field. To add values to an array:
1. After selecting a Field and Operator for your Filter, click into the values field.
   - This will open the array input modal.
2. In the modal, enter the array value(s) in the input field.
   - If your input is comma-delimited, check the Values entered above are comma-delimited checkbox.
     - When this checkbox is checked, the text entered into the values field will be split on commas into multiple values. For example, entering "User 1,User 2,User 3" will result in three values being added.
   - If your input is not comma-delimited, leave Values entered above are comma-delimited unchecked.
     - When this checkbox is unchecked, you can add values that contain commas one at a time. For example, entering "1,000" will add just one value.
3. Click Add.
4. Repeat steps 2-3 as needed, until all values have been added to the array.
5. Click Apply.
For Panther-managed rules with filters, you currently cannot add or edit unit tests. You cannot save a rule if the unit test does not pass.
If a unit test fails, take the following steps:
1. Clone the Panther-managed rule.
2. Add your filter(s) to the cloned rule.
3. Edit the unit tests for the cloned rule so that they pass.
Refer to the below operators and value types when building out your filters.
Operation | Usage guidelines | Supported field types | Examples |
---|---|---|---|
is / is not | Valid for a single value. Results include only events where the field matches / does not match the value in the filter. | string, ip, bool, int | username is “root” |
is in / is not in | Valid for multiple values. Results include only events where the field matches / does not match an entry in the list of values in the filter. | string, int | username is in [ “root”, “admin” ]<br>port is in [25, 553] |
is empty | Valid for an event where the field's value is not specified. The operator tests only for the absence of data. | string, int array, ip array, float array, bool array, string array | errors_list is empty |
is not empty | Valid for an event where the field's value is specified. The operator tests only for the presence of data. | string, int array, ip array, float array, bool array, string array | errors_list is not empty |
contains | Valid for an event that contains a specific single value or multiple values. Results include only events where at least one of the values in the filter is present in the field. | string, int array, ip array, bool array, string array | domain contains “.google.com”<br>p_any_port contains 22 |
does not contain | Valid for events that contain a specific single value or multiple values. Results include only events where the field contains none of the values in the filter. | string, int array, ip array, bool array, string array | domain !contains “.google.com”<br>p_any_port !contains 22 |
starts with | Valid for events whose field value begins with the value in the filter. | string | role starts with “admin_” |
ends with | Valid for events whose field value ends with the value in the filter. | string | domain ends with “.cc” |
is greater than | Valid for a single value. Results include only events where the field is greater than the value in the filter. | int, float | port > 1023 |
is less than | Valid for a single value. Results include only events where the field is less than the value in the filter. | int, float | port < 1024 |
is greater than or equal | Valid for a single value. Results include only events where the field is greater than or equal to the value in the filter. | int | count ≥ 1 |
is less than or equal | Valid for a single value. Results include only events where the field is less than or equal to the value in the filter. | int | count ≤ 100 |
is private | Valid for private IPs. | ip | dst_ip is_private |
is public | Valid for public IPs. | ip | src_ip is_public |
is in CIDR / is not in CIDR | Valid for addresses within a CIDR (Classless Inter-Domain Routing) block. Results include only events where the field is / is not in the CIDR block in the filter. | ip | src_ip in_cidr 192.168.0.0/16 |
does not contain IP in CIDR | Valid for an array of IPs that does not contain any IP address within a CIDR block. Results include only events where the field does not contain any IP address within the CIDR block in the filter. | ip array | p_any_ip_address !contains_ip 8.8.0.0/16<br>p_any_ip_address !contains_ip 1.1.1.1/32 |
contains IP in CIDR | Valid for an array of IPs containing any IP address within a CIDR block. Results include only events where the field contains at least one IP address within the CIDR block in the filter. | ip array | p_any_ip_address contains_ip 8.8.0.0/16<br>p_any_ip_address contains_ip 1.1.1.1/32 |
Value types | Description |
---|---|
string | A string value |
int | A 32-bit integer number in the range -2147483648 to 2147483647 |
float | A 64-bit floating point number |
boolean | A boolean value true / false |
array | A JSON array where each element is of the same type |
ip | A single valid IPv4 or IPv6 address |
CIDR | A classless inter-domain routing block |
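To make the evaluation rules above concrete (filters run before the rule function, multiple filters are ANDed, a missing field passes, and a `none` value yields `false` for positive comparators but `true` for inverse ones), here is an added Python model of the documented semantics. It is not Panther's implementation and not code from this page; the `eval_filter` and `run_detection` helpers, the `root_login_rule` rule function, the `SAMPLE_FILTERS` allowlist and the `EVENTS` log records are all constructed for illustration. The mapping of "is public" to "not private" is an assumption.

```python
import ipaddress
from typing import Any, Callable

# Operators the page calls "inverse comparators": on a None field value they return True.
INVERSE_OPS = {"is not", "is not in", "does not contain", "is not empty",
               "is not in CIDR", "does not contain IP in CIDR"}


def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def eval_filter(event: dict, field: str, op: str, value: Any = None) -> bool:
    """Model of one Rule Filter: True means the event matches, so the rule may run."""
    if field not in event:
        return True                       # documented: missing field -> filter passes
    actual = event[field]
    if actual is None:                    # documented: None -> False, except inverse comparators
        return op in INVERSE_OPS
    values = value if isinstance(value, list) else [value]
    if op == "is":                        return actual == value
    if op == "is not":                    return actual != value
    if op == "is in":                     return actual in values
    if op == "is not in":                 return actual not in values
    if op == "is empty":                  return len(actual) == 0
    if op == "is not empty":              return len(actual) > 0
    if op == "contains":                  return any(v in actual for v in values)   # substring or array member
    if op == "does not contain":          return not any(v in actual for v in values)
    if op == "starts with":               return actual.startswith(value)
    if op == "ends with":                 return actual.endswith(value)
    if op == "is greater than":           return actual > value
    if op == "is less than":              return actual < value
    if op == "is greater than or equal":  return actual >= value
    if op == "is less than or equal":     return actual <= value
    if op == "is private":                return ipaddress.ip_address(actual).is_private
    if op == "is public":                 return not ipaddress.ip_address(actual).is_private  # assumption
    if op == "is in CIDR":                return _in_cidr(actual, value)
    if op == "is not in CIDR":            return not _in_cidr(actual, value)
    if op == "contains IP in CIDR":       return any(_in_cidr(ip, value) for ip in actual)
    if op == "does not contain IP in CIDR": return not any(_in_cidr(ip, value) for ip in actual)
    raise ValueError(f"unsupported operator: {op}")


def run_detection(event: dict, filters: list, rule: Callable[[dict], bool]) -> bool:
    """Filters are ANDed and evaluated first; the rule function runs only if every filter passes."""
    if not all(eval_filter(event, field, op, value) for field, op, value in filters):
        return False
    return rule(event)


def root_login_rule(event: dict) -> bool:
    """Hypothetical rule function (stands in for the Python rule body): alert on any login as root."""
    return event.get("username") == "root"


# Constructed allowlist: ignore root logins from the corporate range and from one service account.
SAMPLE_FILTERS = [
    ("src_ip", "is not in CIDR", "10.0.0.0/8"),
    ("username", "is not in", ["svc_backup"]),
]

# Constructed sample events, not real log data; they exercise the edge cases documented above.
EVENTS = {
    "external_root":  {"username": "root", "src_ip": "203.0.113.7"},   # passes both filters -> rule runs
    "corporate_root": {"username": "root", "src_ip": "10.20.30.40"},   # inside 10/8 -> suppressed
    "no_src_ip":      {"username": "root"},                            # field missing -> filter passes
    "null_src_ip":    {"username": "root", "src_ip": None},            # None + inverse comparator -> passes
}


def evaluate_all() -> dict:
    """Run the sample detection over every constructed event; True means the rule fired."""
    return {name: run_detection(ev, SAMPLE_FILTERS, root_login_rule) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, fired in evaluate_all().items():
        print(f"{name}: {'ALERT' if fired else 'suppressed'}")
```

The two events without a usable `src_ip` still reach the rule function, which is the behaviour to keep in mind when a filter is meant to suppress noise: a filter on a field that is sometimes absent or null from the log source does not narrow those events at all, so write unit tests for the missing-field and null cases alongside the expected match.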