Data Models

Overview

Use Data Models to configure a set of unified fields across all log types, by creating between event fields for various log types and unified Data Model names. You can leverage , and .

Data Models use case

Suppose you have a detection that checks for a particular source IP address in network traffic logs, and you'd like to use it for multiple log types. These log types might not only span different categories (e.g., DNS, Zeek, Apache), but also different vendors. Without a common logging standard, each of these log types may represent the source IP using a different field name, such as ipAddress, srcIP, or ipaddr. The more log types you'd like to monitor, the more complex and cumbersome the logic of this check becomes. For example, it might look something like:

(event.get('ipAddress') == '127.0.0.1' or 
event.get('srcIP') == '127.0.0.1' or 
event.get('ipaddr') == '127.0.0.1')

If we instead define a Data Model for each of these log types, we can translate the event's field name to the Data Model name, meaning the detection can simply reference the Data Model version. The above logic then simplifies to:

event.udm('source_ip') == '127.0.0.1'

Panther-managed Data Models

By default, Panther comes with built-in Data Models for several log types, such as AWS.S3ServerAccess, AWS.VPCFlow, and Okta.SystemLog. All currently supported data models can be found in the .

The names of the supported Data Model mappings are listed in the .

How to create custom Data Models

Each log type can only have one enabled Data Model specified (however, a single Data Model can contain multiple mappings). If you want to change or update an existing Data Model, disable the existing one, then create a new, enabled one.

Evaluating whether a field exists in Path

Within a Path value, you can include logic that checks whether a certain event field exists. If it does, the mapping will be applied; if it doesn't, the mapping doesn't take effect.

  - Name: assigned_admin_role
    Path: $.events[*].parameters[?(@.name == 'ROLE_NAME')].value

Using Data Models

Referencing Data Models in a rule

To reference a Data Model field in a rule:

1. In a rule's YAML file, ensure LogTypes field contains the log type of the Data Model you'd like applied:

   Copy

   AnalysisType: rule
   DedupPeriodMinutes: 60
   DisplayName: DataModel Example Rule
   Enabled: true
   Filename: my_new_rule.py
   RuleID: DataModel.Example.Rule
   Severity: High
   LogTypes:
     # Add LogTypes where this rule is applicable
     # and a Data Model exists for that LogType
     - AWS.CloudTrail
   Tags:
     - Tags
   Description: >
     This rule exists to validate the CLI workflows of the Panther CLI
   Runbook: >
     First, find out who wrote this the spec format, then notify them with feedback.
   Tests:
     - Name: test rule
       ExpectedResult: true
       # Add the LogType to the test specification in the 'p_log_type' field
       Log: {
         "p_log_type": "AWS.CloudTrail"
       }

2. Add the log type to all the Rule's Test cases, in the p_log_type field.

3. Copy

   def rule(event):    
       # filter events on unified data model field
       return event.udm('event_type') == 'failed_login'
   
   
   def title(event):
       # use unified data model field in title
       return '{}: User [{}] from IP [{}] has exceeded the failed logins threshold'.format(
           event.get('p_log_type'), event.udm('actor_user'),
           event.udm('source_ip'))

Using Data Models with Enrichment

Panther provides a built-in method on the event object called event.udm_path(). It returns the original path that was used for the Data Model.

AWS.VPCFlow logs example

In the example below, calling event.udm_path('destination_ip') will return 'dstAddr', since this is the path defined in the Data Model for that log type.

from panther_base_helpers import deep_get

def rule(event):
    return True

def title(event):
    return event.udm_path('destination_ip')

def alert_context(event):
    enriched_data = deep_get(event, 'p_enrichment', 'lookup_table_name', event.udm_path('destination_ip'))
    return {'enriched_data':enriched_data}

To test this, we can use this test case:

{   
  "p_log_type": "AWS.VPCFlow",
   "dstAddr": "1.1.1.1",
   "p_enrichment": {
      "lookup_table_name": {
        "dstAddr": {
          "datakey": "datavalue" }}}}

The test case returns the following alert, with Alert Context containing the value of dstAddr (or {"datakey": "datavalue"}) as the value of enriched_data.

Testing Data Models

DataModel specification reference

A complete list of DataModel specification fields:

DataModel Mappings

Mappings translate LogType fields to unified Data Model fields. Each Mappings entry must define:

• Name: How you will reference this data model in detections.

• One of:

  • Method: The name of the method. The method must be defined in the file listed in the data model specification Filename field.

Example:

Mappings:
  - Name: source_ip
    Path: srcIp
  - Name: user
    Path: $.events[*].parameters[?(@.name == 'USER_EMAIL')].value
  - Name: event_type
    Method: get_event_type

Panther-managed Data Model mapping names