Writing Python Detections
Construct Python detections in the Console or CLI workflow
Last updated
Was this helpful?
Construct Python detections in the Console or CLI workflow
Last updated
Was this helpful?
You can write your own Python detections in the Panther Console or locally, following the . When writing Python detections, try to follow , and remember that . Rules written in Python can be used in .
You can alternatively use the in the Console to create rules, or . If you aren't sure whether to write detections locally as Simple Detections or Python detections, see the section.
It is highly discouraged to make external API requests from within your detections in Panther. In general, detections are processed at a very high scale, and making API requests can overload receiving systems and cause your rules to exceed the .
You can write a Python rule in both the Panther Console and CLI workflow.
You can write a Python scheduled rule in both the Panther Console and CLI workflow.
A local Python detection is made up of two files: a Python file and a YAML file. When a Python detection is created in the Panther Console, there is only a Python text editor (not a YAML one). The keys listed in the YAML column, below, are set in fields in the user interface.
Detection logic
Alert functions (dynamic)
Filter key
Metadata keys
Alert keys (static)
InlineFiltersApplicable to both rules and policies, each function below takes a single argument of event (rules) or resource (policies). Advanced users may define functions, variables, or classes outside of the functions defined below.
Each of the below alert functions are optional, but can add dynamic context to your alerts.
The level of urgency of the alert
In YAML: Severity key
In Console: Severity field
INFO, LOW, MEDIUM, HIGH,CRITICAL, or DEFAULT
The generated alert title
In YAML: DisplayName > RuleID or PolicyID
In Console: Name field > ID field
String
The string to group related events with, limited to 1000 characters
In Python/YAML: title() > DisplayName > RuleID or PolicyID
In Console: title() > Name field > ID field
String
Additional context to pass to the alert destination(s)
Dict[String: Any]
An explanation about why the rule exists
In YAML: Description key
In Console: Description field
String
A reference URL to an internal document or online resource about the rule
In YAML: Reference key
In Console: Reference field
String
In YAML: Runbook key
In Console: Runbook field
String
The label or ID of the destinations to specifically send alerts to. An empty list will suppress all alerts.
In YAML: OutputIds key
In Console: Destination Overrides field
List[Destination Name/ID]
severityIn some scenarios, you may need to upgrade or downgrade the severity level of an alert. The severity levels of an alert can be mapped to INFO, LOW, MEDIUM, HIGH, CRITICAL, or DEFAULT. Return DEFAULT to fall back to the statically defined rule severity.
The severity string is case insensitive, meaning you can return, for example, Critical or default, depending on your style preferences.
In the example below, if an API token has been created, a HIGH severity alert is generated—otherwise an INFO level alert is generated:
Example using DEFAULT:
titleThe title() function is optional, but it is recommended to include it to provide additional context in an alert.
In the example below, the log type, username, and a static string are sent to the alert destination. The function checks to see if the event is related the AWS.CloudTrail log type and, if so, returns the AWS Account Name.
Example:
dedupDeduplication is the process of grouping related events into a single alert to prevent receiving duplicate alerts. Events triggering the same detection that also share a deduplication string, within the deduplication period, are grouped together in a single alert. The dedup function is one way to define a deduplication string. It is limited to 1000 characters.
Example:
destinationsBy default, Alerts are sent to specific destinations based on severity level or log type event. Each Detection has the ability to override their default destination and send the Alert to one or more specific destination(s). In some scenarios, a destination override is required, providing more advance criteria based on the logic of the Rule.
Example:
A rule used for multiple log types utilizes the destinations function to reroute the Alert to another destination if the log type is "AWS.CloudTrail". The Alert is suppressed to this destination using return ["SKIP"] if the log type is not CloudTrail.
alert_contextThis function allows the detection to pass any event details as additional context, such as usernames, IP addresses, or success/failure, to the alert destination(s).
Values included in the alert context dictionary must be JSON-compliant. Examples of non-compliant values include Python's nan, inf, and -inf.
Example:
The code below returns all event data in the alert context.
runbook, reference, and descriptionThese functions can provide additional context around why an alert was triggered and how to resolve the related issue.
This would produce a runbook like the following:
Query CloudTrail activity from the new access key (AKIA5FCD6LZQR7OPYQHF) at least 2 hours after the alert was triggered and check for data access or other privilege escalation attempts using the aws_cloudtrail table.
The example below dynamically provides a link within the reference field in an alert.
get()Use get() to access a top-level event field. You can provide a default value that will be returned if the key is not found.
Example:
deep_get()Use deep_get() to return keys that are nested within Python dictionaries.
Example:
Given an event with the following structure
deep_walk()Use deep_walk() to return values associated with keys that are deeply nested in Python dictionaries, which may contain any number of dictionaries or lists. If it matches multiple event fields, an array of matches will be returned; if only one match is made, the value of that match will be returned.
Example:
lookup()lookup() takes two arguments:
The name of the Lookup Table
The Lookup Table name passed to lookup() must be as it appears on the Enrichment Providers or Lookup Tables pages in the Panther Console. This name may differ syntactically from how it appears in a search query; for example, My-Custom-LUT instead of my_custom_lut.
A Lookup Table primary key
If a match is found in the Lookup Table for the provided key, the full Lookup Table row is returned as a Python dictionary. If no match is found, None is returned.
Example using lookup():
lookup()_mocked_lookup_data_ should be structured like the following example:
If you do not specify a _mocked_lookup_data_ field in your unit test, attempts to call lookup() will return None/null.
udm()Here is how the udm() function works:
Package
Version
Description
License
jsonpath-ng
1.5.2
JSONPath Implementation
Apache v2
policyuniverse
1.3.3.20210223
Parse AWS ARNs and Policies
Apache v2
requests
2.23.0
Easy HTTP Requests
Apache v2
Lookups for event fields are not case sensitive. event.get("Event_Type") or event.get("event_type") will return the same result.
Top-level fields represent the parent fields in a nested data structure. For example, a record may contain a field called user under which there are other fields such as ip_address. In this case, user is the top-level field, and ip_address is a nested field underneath it.
Nesting can occur many layers deep, and so it is valuable to understand the schema structure and know how to access a given field for a detection.
The example below is a best practice because it leverages a get() function. get() will look for a field, and if the field doesn't exist, it will return None instead of an error, which will result in the detection returning False.
In the example below, if the field exists, the value of the field will be returned. Otherwise, False will be returned:
Bad practice example
The rule definition below is bad practice because the code is explicit about the field name. If the field doesn't exist, Python will throw a KeyError:
Example:
AWS CloudTrail logs nest the type of user accessing the console underneath userIdentity. Here is a snippet of a JSON CloudTrail root activity log:
See how to check the value of type safely using both forms of deep_get():
You may want to know when a specific event has occurred. If it did occur, then the detection should trigger an alert. Since Panther stores everything as normalized JSON, you can check the value of a field against the criteria you specify.
For example, to detect the action of granting Box technical support access to your Box account, the Python below would be used to match events where the event_type equals ACCESS_GRANTED:
If the field is event_type and the value is equal to ACCESS_GRANTED then the rule function will return true and an Alert will be created.
You may need to compare the value of a field against integers. This allows you to use any of Python’s built-in comparisons against your events.
For example, you can create an alert based on HTTP response status codes:
Reference:
Example:
References:
The and keyword is a logical operator and is used to combine conditional statements. It is often required to match multiple fields in an event using the and keyword. When using and, all statements must be true:
"string_a" == "this"and"string_b" == "that"
Example:
To track down successful root user access to the AWS console you need to look at several fields:
The or keyword is a logical operator and is used to combine conditional statements. When using or, either of the statements may be true:
"string_a" == "this" or "string_b" == "that"
Example:
This example detects if the field contains either Port 80 or Port 22:
Comparing event values against a list (containing, for example, IP addresses or users) is quick in Python. It's a common pattern to set your rule logic to not match when an event value also exists in the list. This can help reduce false positives for known behavior in your environment.
When checking whether event values are in some collection, it's recommended to use a Python set—sets are more performant (i.e., memory efficient) than lists and tuples in Python. Lists and tuples, unlike sets, require iterating through each item in the collection to check for inclusion.
If the set against which you're performing the comparison is static, it's recommended to define it at the global level, rather than inside the rule() function. Global variables are initialized only once per Lambda invocation. Because a single Lambda invocation can process multiple events, a global variable is usually more efficient than initializing it each time rule() is invoked.
Example:
In the example below, we use the Panther helper pattern_match_list:
If you want to match against events using regular expressions - to match subdomains, file paths, or a prefix/suffix of a general string - you can use regex. In Python, regex can be used by importing the re library and looking for a matching value.
In the example below, the regex pattern will match Administrator or administrator against the nested value of the privilegeGranted field.
In the example below, we use the Panther helper pattern_match:
References:
Required fields are in bold.
Field Name
Description
Expected Value
AnalysisType
Indicates whether this analysis is a rule, scheduled_rule, policy, or global
Rules: rule
Scheduled Rules: scheduled_rule
Enabled
Whether this rule is enabled
Boolean
FileName
The path (with file extension) to the python rule body
String
RuleID
The unique identifier of the rule
String
Cannot include %
LogTypes
The list of logs to apply this rule to
List of strings
Severity
What severity this rule is
One of the following strings: Info, Low, Medium, High, or Critical
ScheduledQueries (field only for Scheduled Rules)
The list of Scheduled Query names to apply this rule to
List of strings
CreateAlert
Boolean
Description
A brief description of the rule
String
DedupPeriodMinutes
The time period (in minutes) during which similar events of an alert will be grouped together
15,30,60,180 (3 hours),720 (12 hours), or 1440 (24 hours)
DisplayName
A friendly name to show in the UI and alerts. The RuleID will be displayed if this field is not set.
String
OutputIds
Static destination overrides. These will be used to determine how alerts from this rule are routed, taking priority over default routing based on severity.
List of strings
Reference
The reason this rule exists, often a link to documentation
String
Reports
A mapping of framework or report names to values this rule covers for that framework
Map of strings to list of strings
Runbook
The actions to be carried out if this rule returns an alert, often a link to documentation
String
SummaryAttributes
A list of fields that alerts should summarize.
List of strings
Threshold
How many events need to trigger this rule before an alert will be sent.
Integer
Tags
Tags used to categorize this rule
List of strings
Tests
Unit tests for this rule.
List of maps
Required fields are in bold.
A complete list of policy specification fields:
Field Name
Description
Expected Value
AnalysisType
Indicates whether this specification is defining a policy or a rule
policy
Enabled
Whether this policy is enabled
Boolean
FileName
The path (with file extension) to the python policy body
String
PolicyID
The unique identifier of the policy
String
Cannot include %
ResourceTypes
What resource types this policy will apply to
List of strings
Severity
What severity this policy is
One of the following strings: Info, Low, Medium, High, or Critical
Description
A brief description of the policy
String
DisplayName
What name to display in the UI and alerts. The PolicyID will be displayed if this field is not set.
String
Reference
The reason this policy exists, often a link to documentation
String
Reports
A mapping of framework or report names to values this policy covers for that framework
Map of strings to list of strings
Runbook
The actions to be carried out if this policy fails, often a link to documentation
String
Suppressions
Patterns to ignore, e.g., aws::s3::*
List of strings
Tags
Tags used to categorize this policy
List of strings
Tests
Unit tests for this policy.
List of maps
Scheduled Queries: Select one or more this scheduled rule should apply to.
If all your filtering logic is already taken care of in the SQL of the associated , you can configure the rule function to simply return true for each row:
For detection templates and examples, see the
In the Create Alert section, set the Create Alert ON/OFF toggle. This indicates whether an should be created when there are matches, or only a . If you set this toggle to ON:
Severity: Select a for the alerts triggered by this detection.
To see examples of runbooks for built-in rules, see .
It's recommended to provide a descriptive runbook, as will take it into consideration.
Destination Overrides: Choose destinations to receive alerts for this detection, regardless of severity. Note that destinations can also be set dynamically, in the rule function. See to learn more about routing precedence.
Deduplication Period and Events Threshold: Enter the deduplication period and threshold for rule matches. To learn how deduplication works, see .
The alert summary will then be generated for the referenced object in the alert.
For more information on Alert Summaries, see .
In the Unit Test section, click Add New to for the rule you defined in the previous step.
Once you've clicked Save, the scheduled rule will become active. The SQL returned from the associated (at the interval defined in the query) will be run through the scheduled rule (if, that is, any rows are returned).
After you have created a rule, you can modify it using .
We advise that you start your custom detection content by creating either or a from Panther's .
We recommend grouping rules into folders based on log/resource type, e.g., suricata_rules or aws_s3_policies. You can use the repo as a reference.
Scheduled rules allow you to analyze the output of a with Python. Returning a value of True indicates suspicious activity, which triggers an alert.
When this scheduled rule is uploaded, each of the files will connect a scheduled query with a rule, and fill in the fields you would normally populate in the Panther Console will be auto-filled. See for a complete list of required and optional fields.
To learn how to create a policy, see the .
Only a rule() function and the YAML keys shown below are required for a Python rule. Additional Python alert functions, however, can make your alerts more dynamic. Additional YAML keys are available, too—see .
For more templates, see the .
Learn more about using InlineFilters in Python rules on .
Panther's detection auxiliary functions are Python functions that control analysis logic, generated alert title, event grouping, routing of alerts, and metadata overrides. Rules are customizable and can import from standard Python libraries or .
If you are using , the first event to match the detection is used as a parameter for these alert functions.
A list of instructions to follow once the alert is generated. It's recommended to provide a descriptive runbook, as will take it into consideration.
Reference:
Learn more about how an alert title is set on .
Reference:
Learn more about deduplication on .
Reference:
Reference:
It's recommended to provide a descriptive runbook, as will take it into consideration. For example:
In a Python detection, the rule() function and all take in a single argument: the event object. This event object has built-in functions to enable simple extraction of event values.
It is also possible to access a top-level field using and . Learn more about .
If the value you need to retrieve lives within a list, use instead.
This function is , but for convenience it is recommended to use this event object function.
This function is , but for convenience it is recommended to use this event object function.
The lookup() function lets you dynamically access data from and from your detections. The lookup() function may be useful if your incoming logs don't contain an exact match for a value in your Lookup Table's primary key column. You can use Python to modify an event value before passing it into lookup() to fetch enrichment data.
This lookup() function is different from "automatic" event enrichment, which happens when the value of an event field designated as a Selector exactly matches a value in the Lookup Table's primary key column. In that case, the Lookup Table data is appended to an event's p_enrichment field. Learn more in .
If you are using "automatic" enrichment in this fashion, access nested enrichment data using instead.
When are run, lookup() does not retrieve live data. To emulate the lookup functionality, add a _mocked_lookup_data_ field in the event payload of each unit test to mock the Lookup Table data. You cannot use the with lookup().
The behavior of udm() will change when Panther are removed on September 29, 2025. .
The udm() function is primarily intended to allow you to access and values, but can also be used to access event fields.
The function first checks to see if there is a key mapping defined for the value passed in to udm(). If so, the value of the Data Model is returned.
If a key is defined for the value passed in to udm(), the function returns its value and does not move on to steps 2 or 3, below. This is true even if the event being evaluated does not contain the key path defined in the Data Model mapping—in this case, null is returned.
If there is no Data Model key defined for the value passed into udm(), the function then checks to see if there is value in the event's p_udm struct with that name. If so, the Core Field value is returned.
In order for udm() to not move on to Step 3, below, the event being evaluated must contain the value passed in to udm() as a key within its p_udm struct. If a has simply been defined with the passed-in value as a key, but the event does not contain the mapping's associated field path, the event's p_udm struct will not contain the Core Field, and udm() will move on to Step 3, below.
If there is no defined or present for the value passed into udm(), the function then checks whether there is an event field with that name. If so, its value is returned.
In this case, udm() checks all event fields, even nested ones. Its behavior is analogous to .
The behavior outlined above means it is only possible to use udm() to access a value if there is not also a mapping defined with the same key. Further, it is only possible to use udm() to access an event field if there is not also a Data Model mapping defined nor a Core Field present with the same key.
Python Enhancement Proposals on how to cleanly and effectively write and style your Python code. For example, you can use to automatically ensure that your written detections all follow a consistent style.
The following Python libraries are available to be used in Panther in addition to boto3, provided by :
Before enabling new detections, it is that define scenarios where alerts should or should not be generated. Best practice dictates at least one positive and one negative to ensure the most reliability.
Basic Rules match a field’s value in the event, and a best practice to avoid errors is to leverage Python’s built-in function.
Once many detections are written, a set of patterns and repeated code will begin to emerge. This is a great use case for , which provide a centralized location for this logic to exist across all detections.
If you'd like to access a filed nested deeply within an event, use the and functions available on the event object. These functions are also represented as , but for convenience, it's recommended to use the event object version instead.
Checking the event value using the :
Checking the event value using the :
provide a way to configure a set of unified fields across all log types. By default, Panther comes with built-in Data Models for several log types. Custom Data Models can be added in the Panther Console or via the .
can only be used with log types that have an existing Data Model in your Panther environment.
Reference:
Whether the rule should generate on matches (default true)
Visit the Panther Knowledge Base to that answer frequently asked questions and help you resolve common errors and issues.