Rules and Scheduled Rules
Rules and scheduled rules detect suspicious activity in logs, then generate alerts
Last updated
Was this helpful?
Rules and scheduled rules detect suspicious activity in logs, then generate alerts
Last updated
Was this helpful?
Rules and scheduled rules are segments of logic through which log data is run to detect suspicious activity and generate (and optionally ). Rules analyze real-time events, while scheduled rules analyze events queried from your data lake. These detection types differ from , which apply to cloud resource configurations.
Rules can be created in the Console using the or by writing ; in the CLI workflow, rules can be written or in . Scheduled rules can be written in (in the Console or CLI workflow).
Rules can use , which allows you to created one or more Derived Detections from a single Base Detection.
If you'd like to create rules or scheduled rules for actions that aren't worthy—at least on their own—of generating an alert, you can (only generating ). You may then want to include those rules in a .
Panther provides a number of in Python, which are already written and continuously updated. Rules can use , which allows you to create one or more Derived Detections from a single Base Detection. You can also .
Common examples of rules include analyzing logs for:
Authentication from unknown or unexpected locations
Sensitive API calls, such as administrative changes to SaaS services
Network traffic access to sensitive data sources, such as databases or virtual machines
New, suspicious entries added into a system's scheduled tasks, like cron
Alerts generated from NIDS, HIDS, or other security systems
Both rules and scheduled rules define logic through which log events are run—but rules analyze real-time events, while scheduled rules analyze events queried from your data lake.
Rules
Rules are the default mechanism of analyzing data sent to Panther. Rules work by accepting a defined set of log types such as one or more of the , or your own . Rules have the benefit of low-latency detection and alerting.
Use cases: High-signal logs that do not require joins with other data.
Rules may also be known as streaming rules, real-time rules, and low-latency rules.
Scheduled rules
Scheduled rules work by accepting individual rows output from an associated .
Use cases: Searching windows of time further in the past, running statistical analysis over data, or joining separate data streams.
Rules and scheduled rules each analyze one event at a time. They use event thresholds and de-duplication to create event grouping within windows of time.
The order of precedence for setting the alert title is as follows:
If title() is not defined, the value of the detection's display name is used. This is defined:
In the Console: in the Name field
In the CLI workflow: in the DisplayName field in the YAML file
If there is no display name defined, the detection's ID is used. This is defined:
In the Console: in the ID field
In the CLI workflow: in theRuleID or PolicyID field in the YAML file
Events triggering the same detection within its deduplication period that also share a deduplication string will be grouped together in a single alert.
Each rule and scheduled rule has a default event threshold of 1 and deduplication period of 1h. This means all events returning True from the rule function (with the same deduplication string) will be grouped into a single alert within the hour after first being generated.
A rule or scheduled rule with an event threshold of 5 and deduplication period of 15m would not trigger an alert until five or more events (with the same deduplication string) passed into the rule function returned True within a 15-minute time period.
The deduplication period is not affected by changing the status of an alert. This means, for example, events will continue to be grouped into the same alert for the length of the deduplication period even if an alert's status is changed to Resolved.
The order of precedence for setting the deduplication string is as follows:
Which method you use to set the deduplication string depends on how granularly you want to group alerts:
If you only want alerts generated by a certain detection to be grouped separately from alerts from other detections, using the detection's display name (given that the display name is unique) or ID as the deduplication string will suffice.
Note: Anything printed to stdout or stderr by your Python code will end up in CloudWatch. For SaaS/CPaaS customers, Panther engineers can see these CloudWatch logs during routine application monitoring.
Follow the below instructions to learn how to write rules:
If the Scheduled Search returns multiple rows, each row is processed by the rule logic as a separate event. The number of alerts triggered depends on the deduplication settings you've configured on the scheduled rule.
Follow the below instructions to learn how to write scheduled rules:
A detection's code raises an exception.
Python processing of a rule or Scheduled Rule runs longer than 15 seconds.
See how one detection is represented in both Python and as a Simple Detection:
As an example, let's write a rule to send an alert when an admin panel is accessed on a web server.
Take the following NGINX log:
We want to create a detection that:
Looks for 200 (OK) web requests to any URL containing "admin-panel"
Generates an an alert title that says there has been successful admin panel logins from a specific IP address
Deduplicates events based on IP address
Then, the following would occur:
The alert's title would say, "Successful admin panel login detected from 180.76.15.143".
Similar events with the same deduplication string of 180.76.15.143 would be appended to the same alert.
A unique alert will be generated for each unique deduplication string, which in this case, is the IP of the requestor.
We recommend following these guidelines to define alert severity levels:
Severity
Exploitability
Description
Examples
Info
None
No risk, simply informational
Gaining operational awareness.
Low
Difficult
Little to no risk if exploited
Non-sensitive information leaking such as system time and OS versions.
Medium
Difficult
Moderate risk if exploited
Expired credentials, missing protection against accidental data loss, encryption settings, best practice settings for audit tools.
High
Moderate
Very damaging if exploited
Large gaps in visibility, directly vulnerable infrastructure, misconfigurations directly related to data exposure.
Critical
Easy
Causes extreme damage if exploited
Public data/systems available, leaked access keys.
If you are writing rules locally, in the , you can create them as Python or Simple Detections. (Scheduled rules can only be written in Python.) There are advantages to both methods of rule creation, outlined below.
when:
The complexity of the logic is very high, or the detection requires any of the features currently listed as .
when:
You'd like to promote collaboration between team members with differing levels of technical skill. When Simple Detections written in the CLI workflow are uploaded to Panther, they're represented in the Console in the . You can then edit (or create new) detections in the Console using the Simple Detection builder.
For examples of the same detection logic written in both Python and YAML, see .
At a minimum, each rule and scheduled rule must define rule logic. For , this means they each must contain a rule() function; for , each must contain a Detection key with at least one .
Python rules can also define , and Simple Detections can use . Both can use , which run before detection logic.
Rules cannot run longer than 15 seconds. If this happens, a is generated and processing is terminated. (This constraint does not apply to scheduled rules.)
Matches on rules and scheduled rules generate . When rules and scheduled rules have alerting enabled, rule matches are generated, which can create alerts, according to event threshold and deduplication configurations. .
When a detection has alerting enabled, the title of a resulting alert is determined by that detection's configuration. When a separate is not explicitly set, the alert title is also used to deduplicate alerts.
The output of the dynamic function is used.
In the developer workflow: in the field
If your deduplication threshold is greater than one (meaning multiple events must match before an alert is generated), the first matching event will be used as the event parameter to and .
The detection editor in the Panther Console supports a maximum deduplication period of 24 hours. If you upload your detections via the bulk uploader or the , there is no limit on the value of DedupPeriodMinutes.
The output of the dynamic function is used.
Ifdedup() is not defined, the alert title is used. The alert title is defined by .
The value of the key is used.
If GroupBy is not present, the alert title is used. The alert title is defined by .
If you want alerts generated by a certain detection to be grouped separately not only from alerts generated by other detections, but also from alerts triggered by the same detection where one or more event fields have different values, you can use or (for Python and Simple Detections, respectively) to dynamically set the alert title and therefore, the deduplication string.
If you want to group alerts generated by a certain detection distinctly from alerts generated by the same detection where one or more event field values differ and you want to group the alerts based on one or more event fields that weren't used in title() or AlertTitle (or if you didn't set title() or AlertTitle at all), you can use or (for Python and Simple Detections, respectively) to set the deduplication string.
You can write rules in the Panther Console (using the or ) or locally (in or ); scheduled rules can be written in (in the Panther Console or locally).
Before you start writing a new rule, check to see if there's an existing that meets your needs. If you (or Panther) has already created a rule similar to the one you want to build, consider creating a .
Writing detections locally means creating Python and/or YAML files that define a Panther detection on your own machine. After writing detections locally, you upload the files to your Panther instance, typically via .
These instructions outline how to set up real-time rules. To configure a scheduled rule, see .
Scheduled rules are associated with one or more . If you have not yet created a scheduled search, follow the instructions first, then return to these instructions to create the scheduled rule.
We recommend doing as much data processing as is possible in SQL (i.e., in the ) in order to take advantage of database optimizations and improve rule performance.
Rule errors and scheduled rule errors are types of generated when:
If no is configured to receive rule errors (or scheduled rule errors), the alert for a rule error (or scheduled rule error) will be routed to the same destination as the one that would be used for that rule or scheduled rule's alert. See for more information.
In the event of a timeout, a is generated.
See templates for rules and scheduled rules in the .
For in-depth information on how to write detections, see and .
View this detection in full .
An alert would be generated and sent to the set of associated , which by default are based on the rule severity.
The recipient of the alert could then log into Panther to view all alert metadata and a summary of the events, as well as execute across all events to perform additional analysis.