Modifying Detections with Inline Filters
Modify an existing rule without writing code
Inline filters are in open beta as of Panther version 1.54. Please share any bug reports and feature requests with your account team.
A common use case for filters is to add an allowlist or denylist.
Filter statements are evaluated before a detection's logic. A filter must return true (i.e., match the event) for the detection logic itself to run.
In both the Console and CLI workflow, filters can be grouped, and each filter or filter group is joined to the next with an and or or combinator.
If an event does not contain the field a filter is evaluating, the filter passes. If that field is present but has a null (None) value, the filter returns false on positive comparators (and on comparators that don't apply to the value), and true for inverse comparators such as is not.
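To make the evaluation order and the null-handling rules above concrete, here is an added Python sketch. It is not Panther's implementation; it applies a list of filters in front of a rule() function the way this page describes and runs it over constructed sample events. The filter dictionaries mirror the YAML match-expression shape (Key, Condition, Value); the specific Condition names (Equals, IsIn, Contains and their negations), the All/Any grouping keys, the allowlisted IP addresses and the sample events are all assumptions made for the example.

```python
"""Added illustration of the inline-filter semantics described above.

This is not Panther's implementation. It applies a list of filters in
front of a rule() function and follows the documented rules:
  * filters run first; rule() runs only if every filter passes
  * a filter whose Key is absent from the event passes
  * a Key present with value None fails positive comparators and
    passes inverse comparators
Filter dicts mirror the YAML match-expression shape (Key, Condition,
Value). Condition names and the All/Any group keys are assumed here.
"""
from typing import Any, Callable

_MISSING = object()  # sentinel distinguishing "key absent" from "value None"

# Positive comparators: True when the event value matches the filter value.
POSITIVE: dict[str, Callable[[Any, Any], bool]] = {
    "Equals": lambda ev, val: ev == val,
    "IsIn": lambda ev, val: ev in val,
    "Contains": lambda ev, val: isinstance(ev, (str, list)) and val in ev,
}
# Inverse comparators, mapped to the positive comparator they negate.
INVERSE = {"DoesNotEqual": "Equals", "IsNotIn": "IsIn", "DoesNotContain": "Contains"}


def evaluate_filter(event: dict, flt: dict) -> bool:
    """Evaluate one match expression, or one All/Any group, against an event."""
    if "All" in flt:  # assumed group key: every child must pass (and)
        return all(evaluate_filter(event, f) for f in flt["All"])
    if "Any" in flt:  # assumed group key: at least one child must pass (or)
        return any(evaluate_filter(event, f) for f in flt["Any"])

    cond = flt["Condition"]
    ev = event.get(flt["Key"], _MISSING)
    if ev is _MISSING:
        return True  # field not present in the event: the filter passes
    if cond in INVERSE:
        if ev is None:
            return True  # null value on an inverse comparator: passes
        return not POSITIVE[INVERSE[cond]](ev, flt["Value"])
    if cond in POSITIVE:
        if ev is None:
            return False  # null value on a positive comparator: fails
        return POSITIVE[cond](ev, flt["Value"])
    raise ValueError(f"unsupported Condition: {cond!r}")


def run_detection(event: dict, filters: list[dict], rule: Callable[[dict], bool]) -> bool:
    """Filters are evaluated before the rule; any failing filter short-circuits to False."""
    if not all(evaluate_filter(event, f) for f in filters):
        return False
    return rule(event)


def failed_console_login(event: dict) -> bool:
    """Stand-in rule: fire on failed console logins."""
    return event.get("eventName") == "ConsoleLogin" and event.get("outcome") == "Failure"


# Allowlist filter: drop failures from two (constructed) corporate egress addresses.
ALLOWLIST_FILTERS = [
    {"Key": "sourceIPAddress", "Condition": "IsNotIn", "Value": ["203.0.113.10", "203.0.113.11"]},
]

# Constructed sample events, not real telemetry.
EVENTS = {
    "external": {"eventName": "ConsoleLogin", "outcome": "Failure", "sourceIPAddress": "198.51.100.7"},
    "allowlisted": {"eventName": "ConsoleLogin", "outcome": "Failure", "sourceIPAddress": "203.0.113.10"},
    "no_ip_field": {"eventName": "ConsoleLogin", "outcome": "Failure"},
    "null_ip": {"eventName": "ConsoleLogin", "outcome": "Failure", "sourceIPAddress": None},
    "success": {"eventName": "ConsoleLogin", "outcome": "Success", "sourceIPAddress": "198.51.100.7"},
}


def evaluate_all() -> dict[str, bool]:
    """Return which sample events would still alert once the allowlist filter is in place."""
    return {name: run_detection(ev, ALLOWLIST_FILTERS, failed_console_login) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, alerted in evaluate_all().items():
        print(f"{name:12} -> {'ALERT' if alerted else 'filtered / no match'}")
```

Note the asymmetry the null rules produce: the event whose sourceIPAddress is null passes the inverse IsNotIn allowlist filter and still alerts, as does the event with no sourceIPAddress field at all, while the same null value would fail a positive IsIn filter. When you tune a rule from an alert with the default is not condition, events that lack the field or carry a null value will therefore keep alerting.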
In the Console, filters are not available during new rule creation; add them once the rule exists. In the CLI workflow, you can include InlineFilters on new rules.
While it is broadly discouraged to manage detection content using both CLI workflows and the Console simultaneously, it is possible to use Inline Filters in the Console alongside the CLI workflow. Filters created in the Console will not be overwritten or deleted when an update to detection content is made in the CLI workflow.
You can add filters to a rule from its edit page, or within an alert triggered by that rule.
From a rule's edit page
1. In the left-hand navigation bar of your Panther Console, click Build > Detections.
2. In the list of detections, click a rule's name to view its details page.
3. Within the Detect section, under Filter to only include events: and to the right of Where, click +.
   - In the menu that appears, select either Add Filter or Add Filter Group.
4. For each filter (either on its own or within a group), define the logic:
   1. Click Key, then select the event key the condition will apply to.
   2. Click Condition, then select a condition.
   3. If the selected Condition requires a value or list of values (e.g., contains), provide it.
5. Between each filter and filter group, ensure the correct combinator (either and or or) is selected.
6. Run the unit tests to ensure they still pass with the added filter(s).
7. In the upper-right corner of the page, click Deploy to save your changes.
From an alert event

You can add Inline Filters to a rule directly from an event in an associated alert. This is particularly helpful if you've received a false positive alert and want to tune the triggered detection so it won't match similar events in the future.
1. In the left-hand navigation bar of your Panther Console, click Alerts.
2. Locate the alert whose associated rule you'd like to tune, and click its name.
3. On the alert's detail page, scroll down to the Event section.
4. In the event's JSON, hover over the value you'd like the new filter to target, and click the target icon.
   - The Add Filter slide-out panel opens on the right-hand side of the window.
5. In the Add Filter slide-out panel, a new filter is pre-populated as follows:
   - Key: defaults to the field on which you clicked the target icon in the event JSON.
   - Condition: defaults to is not, on the assumption that you do not want to receive alerts for events like this in the future.
   - String: defaults to the value of the selected field in the event JSON.
6. Make any desired changes to the filter. All pre-populated fields (Key, Condition and String) are editable.
7. Locate the Unit Test section near the bottom of the panel. If the rule is not Panther-managed and you'd like to create a new unit test for the rule using the current event, check the box labeled Add the current alert event as a unit test.
   - The toggle labeled The detection should trigger based on the example event is editable. It defaults to No, as you are most likely trying to prevent alerts like this in the future.
8. Click Save & Run Test.
   - This runs all of the target rule's unit tests, including any test you created in step 7.
   - The new filter(s) are saved only if all of the rule's unit tests pass. If any unit test fails, fix the test so that it passes; for a Panther-managed rule, whose tests you cannot edit directly, follow the steps for a failing unit test later on this page.
If the Rule Filter operator you've selected requires the value field to take an array (such as the is in operator), you'll input the array values in a modal that pops up when you click into the value field.
To add values to an array:
1. After selecting a Key and Condition for your filter, click into the values field.
   - This opens the array input modal.
2. In the modal, enter the array value(s) in the input field.
   - If your input is comma-delimited, check the Values entered above are comma-delimited checkbox. When it is checked, the text in the values field is split on commas into multiple values; for example, entering "User 1,User 2,User 3" adds three values.
   - If your input is not comma-delimited, leave the checkbox unchecked. You can then add values that themselves contain commas one at a time; for example, entering "1,000" adds a single value.
3. Click Add.
4. Repeat steps 2-3 until all values have been added to the array.
5. Click Apply.
Like filters created in the Console, YAML filters are evaluated before the detection logic of a rule. If the filter returns true, the detection logic is executed. If the filter returns false, evaluation stops and the detection returns false, i.e. it does not match the event.
A YAML filter is denoted by the InlineFilters key. Under InlineFilters, list one or more match expressions, each starting with the event Key it evaluates (for example, - Key: environment). See YAML Match Expression Reference to learn how to construct different types of match expressions.
InlineFilters cannot be used on scheduled rules or policies, only on rules.
Not all Condition values can be used within InlineFilters. Only the following values may be used:
To create an Inline Filter in the CLI workflow for either a Python or YAML rule, include the InlineFilters key in the detection's YAML file. The value of InlineFilters should be one or more match expressions.
If a unit test fails and the rule is Panther-managed, take the following steps:
1. Clone the Panther-managed rule.
2. Add your filter(s) to the cloned rule.
3. Edit the unit tests for the cloned rule so that they pass.
Refer to the below operators and value types when building out your filters in the Console.