Modifying Detections with Inline Filters
Modify an existing rule without writing code
Overview
Inline filters are in open beta as of Panther version 1.54. Please share any bug reports and feature requests with your account team.
You can easily tune existing rules, including Panther-managed rules, by adding Inline Filters. An Inline Filter is a condition that must pass in order for the detection logic to then be run. Inline Filters are available only on rules, not scheduled rules nor policies.
In the Panther Console, you can create Inline Filters using a no-code builder. In the CLI workflow, you can create Inline Filters by adding the InlineFilters
YAML key.
A common use case for filters is to add an allowlist or denylist.
How Inline Filters work
Filter statements are evaluated before a detection's logic. A filter must return true
(i.e., match the event) for the detection logic itself to then be run.
In both the Console and CLI workflow, filters can be grouped using AND
or OR
logic.
If an event does not contain the field the filter is evaluating, the filter will pass. If the field the filter is evaluating has a value of none
, the filter will return false
on positive comparators or on comparators that don't apply, and true
for inverse comparators.
In the Console, filters are not available during new rule creation. In the CLI workflow, you can include InlineFilters
on new rules.
While it is broadly discouraged to manage detection content using both CLI workflows and the Console simultaneously, it is possible to use Inline Filters in the Console alongside the CLI workflow. Filters created in the Console will not be overwritten or deleted when an update to detection content is made in the CLI workflow.
Creating filters in the Panther Console
You can add filters to a rule from its edit page, or within an alert triggered by that rule.
Add filters from a rule's edit page
In the left-hand navigation bar of your Panther Console, click Build > Detections.
In the list of detections, click a rule's name to view its details page.
Within the Detect section, under Filter to only include events: and to the right of Where, click +.
For each filter (either on its own or within a group), define the logic:
Click Key, then select an event key the condition will apply to.
To indicate a nested field, use JSON path notation.
Some options may include
[*]
, indicating the key is an array of objects. Learn more about indexing an array of objects below.
Click Condition, then select a condition.
If the selected Condition requires an inputted value(s) (e.g.,
is
orcontains
), provide a value or list of values.If the values(s) field takes in an array, see the Inputting array values instructions below.
Between each filter and filter group, ensure the correct combinator (either and or or) is selected.
Run unit tests to ensure they pass with the added filter(s).
In the upper-right corner of the page, click Deploy to save your changes.
Inputting array values
If the Rule Filter operator you've selected requires the value field to take in an array (such as the is in
operator), you'll input the array values in a modal that pops up when you click into the value field.
To add values to an array:
After selecting a Key and Condition for your Filter, click into the values field.
This will open the array input modal.
In the modal, enter the array value(s) in the input field.
If your input is comma-delimited, check the Values entered above are comma-delimited checkbox.
When this field is checked, the text inputted into the values field will be separated (using a comma delimiter) into multiple values. For example, entering "User 1,User 2,User 3" will result in three values added.
If your input is not comma-delimited, leave Values entered above are comma-delimited unchecked.
Click Add.
Repeat steps 2-3 as needed, until all values have been added to the array.
Click Apply.
Indexing an array of objects
While creating a filter expression, if there is an event key whose value is an array of objects, that key will be shown in the dropdown selector with the array indexing symbol [*]
, along with the fields in the object. You can use [*]
to target the selected field in all objects in the array, or replace *
with an integer to index the array, targeting a single field.
Example
It will be represented in the event field selector as:
By default, Panther applies a wildcard array index ([*]
) that will search across values for the chosen field in all objects in the array. When [*]
is used, an array of these values is created and searched. Because of this, only the array conditions are available: is empty
, is not empty
, contains
, does not contain
.
For example, the below filter expression (resources[*].type
contains
AWS::IAM::Role
) means an event will match if any value of type
in the resources
array is AWS::IAM::Role
.
However, you can replace the *
with an integer to index the array, which specifies a single object in the array. In this case, Panther will only evaluate the value of the nested field at that index.
The conditions shown will be updated to those which are applicable to the data type of the nested field chosen:
Creating filters in the CLI workflow
In addition to creating no-code rule filters in the Panther Console, you can also create YAML filters on your rules written as Simple Detections or Python detections.
Like the filters created in the Console, YAML filters are evaluated before the detection logic of a rule. If the filter returns true
, the detection logic will be executed. If the filter returns false
, the evaluation of the detection will stop, and the detection will return false
altogether.
YAML InlineFilter
syntax
InlineFilter
syntaxA YAML filter is denoted by the InlineFilters
key. Within InlineFilters
, list one or more match expressions. See Simple Detection Match Expression Reference to learn how to construct different types of match expressions.
Example:
Limitations of YAML Inline Filters
Some match expression functionality described in Simple Detection Match Expression Reference is not possible in InlineFilters
. These limitations include:
InlineFilters
cannot be used on scheduled rules or policies, only rules.The following match expression types cannot be used within
InlineFilters
:The
Key
andDeepKey
key specifiers cannot be used withinInlineFilters
—onlyKeyPath
may be used.The
OnlyOne
andNone
combinators cannot be used withinInlineFilters
—onlyAll
andAny
may be used.Many
Condition
values cannot be used withinInlineFilters
. Only the following values may be used:Equals
DoesNotEqual
IsGreaterThan
IsGreaterThanOrEquals
IsLessThan
IsLessThanOrEquals
Contains
DoesNotContain
StartsWith
EndsWith
IsIPAddressInCIDR
IsIPAddressNotInCIDR
CIDRContainsIPAddresses
CIDRDoesNotContainIPAddresses
IsIn
IsNotIn
IsIPAddressPublic
IsIPAddressPrivate
IsNullOrEmpty
IsNotNullOrEmpty
How to create an Inline Filter in the CLI workflow
To create an Inline Filter in the CLI workflow on a rule created as either a Python or Simple Detection, in the detection's YAML file, include the InlineFilters
key. Within InlineFilters
, include one or more match expressions.
Working with failed unit tests with filters
For Panther-managed rules with filters, you currently cannot add or edit unit tests. You cannot save a rule if the unit test does not pass.
If a unit test fails, take the following steps:
Clone the Panther-managed rule.
Add your filter(s) to the cloned rule.
Edit the unit tests for the cloned rule so that they pass.
Inline filter reference
Refer to the below operators and value types when building out your filters in the Console.
Supported Console operators
Supported value types
Last updated