Global Helper Functions
A common pattern in programming is to extract repeated code into helper functions. Panther supports this pattern with the global analysis type. Panther provides a number of built-in global helpers, and you can also create your own. Learn more about certain helper functions below.
Global helpers are not well suited to data that changes frequently. If you do need to make frequent changes, consider instead using a data source that supports automatic syncing with S3 and does not require code changes within Panther for updates.
By default, Panther provides the following collections of built-in global helpers:
panther_base_helpers: Contains various generic and log source-specific helpers. Learn more about certain functions defined in panther_base_helpers below.
panther_detection_helpers: Provides caching functions. Learn more about the panther_detection_helpers package in its own documentation.
While some globals require configuration, it is recommended to create a new global, rather than editing the Panther-provided ones, for any custom methods or logic that you would like to add. This reduces the chances of dealing with complex merge conflicts when updating your detection sources.
To view Panther-provided and custom helper files in the Panther Console, click Detections in the left-hand navigation bar, then click the Helpers tab.
To create a new global in the Panther Console:
In the left-hand navigation bar of your Panther Console, click Detections.
Click the Helpers tab.
In the upper right corner, click Create New.
Type your Python functions, then click Create. This global can now be imported in your rules or policies.
Import global helpers using an import statement at the top of your analysis file, then call the helper as if it were any other Python library.
For example:
deep_get()
deep_get() can be used to return the values of keys that are nested within Python dictionaries. It is useful for safely reading nested keys: a chained lookup such as event.get("a").get("b") raises an AttributeError (and event["a"]["b"] a KeyError) when an intermediate key is not present, whereas deep_get() simply returns its default.
With the following JSON, the deep_get() function would return the value of result.
deep_get() takes an optional default parameter. If a key is not present at the expected location, or the value at that location is None, the default value is returned.
deep_walk()
As with deep_get(), this traversal is safe and will not raise an exception. If a key is not present in the structure, the default value is returned.
With the following object, deep_walk() would return the value of very_nested_key:
Like deep_get(), deep_walk() takes an optional default parameter. If a key is not present in the provided event, the value of the key is None, or the value is an empty list, the default value is returned instead.
Using the above example:
Unlike deep_get(), deep_walk() can return three distinct value selections, controlled by the return_val parameter:
all
first
last
all
By default, deep_walk() returns all values found for a given key. This is useful when a key appears more than once in an event, for example in each element of a list; however, if all finds exactly one value, that value is returned on its own rather than inside a list.
For example:
When using all and more than one value is returned, the elements of the list can be accessed like any other Python list.
first
To return only the first value found for a key, specify return_val="first".
For example:
last
To return only the last value found for a key, specify return_val="last".
For example:
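The following is an added example and is not code from this page or from Panther's own library. It gives local reimplementations of deep_get() and deep_walk() that follow the behaviour documented above (the default on a missing key, a None value or an empty list; the all/first/last selection and the collapse of a single all result), and a constructed rule that calls them the way the import section earlier describes. The sample CloudTrail-style event, the rule logic and the helper bodies are assumptions made for this illustration; in a real rule file you would write from panther_base_helpers import deep_get, deep_walk instead of defining them.

```python
from typing import Any

# Constructed sample event (not from the original page): a CloudTrail-style
# record with nested dicts, a list of dicts, a None value and an empty list.
SAMPLE_EVENT = {
    "userIdentity": {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/demo/session-1",
        "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
    },
    "requestParameters": {
        "tagSet": {
            "items": [
                {"key": "env", "value": "prod"},
                {"key": "owner", "value": "sec"},
            ]
        }
    },
    "errorCode": None,
    "resources": [],
}


def deep_get(dictionary: Any, *keys: str, default: Any = None) -> Any:
    """Follow keys through nested dicts; return default if any key is
    missing, a non-dict is reached on the way, or the final value is None.
    Local reimplementation of the documented behaviour, not Panther's code."""
    value = dictionary
    for key in keys:
        if not isinstance(value, dict):
            return default
        value = value.get(key)
        if value is None:
            return default
    return value


def _walk(node: Any, keys: list) -> list:
    """Collect every value reachable by following keys, fanning out across
    list elements on the way; None leaves contribute nothing."""
    if isinstance(node, list):
        found = []
        for item in node:
            found.extend(_walk(item, keys))
        return found
    if not keys:
        return [] if node is None else [node]
    if isinstance(node, dict) and keys[0] in node:
        return _walk(node[keys[0]], keys[1:])
    return []


def deep_walk(dictionary: Any, *keys: str, default: Any = None,
              return_val: str = "all") -> Any:
    """Like deep_get, but descends into lists. A missing key, a None value or
    an empty list yields default. return_val selects "all" (collapsed to the
    bare value when exactly one is found), "first" or "last"."""
    found = _walk(dictionary, list(keys))
    if not found:
        return default
    if return_val == "first":
        return found[0]
    if return_val == "last":
        return found[-1]
    return found[0] if len(found) == 1 else found


def rule(event: dict) -> bool:
    """Constructed rule: an assumed role tagging something 'prod' without MFA.
    In a Panther rule file the two helpers would come from
    `from panther_base_helpers import deep_get, deep_walk` instead."""
    if deep_get(event, "userIdentity", "type") != "AssumedRole":
        return False
    mfa = deep_get(event, "userIdentity", "sessionContext", "attributes",
                   "mfaAuthenticated", default="false")
    tag_values = deep_walk(event, "requestParameters", "tagSet", "items",
                           "value", default=[])
    if not isinstance(tag_values, list):  # "all" collapses a single hit to a scalar
        tag_values = [tag_values]
    return mfa == "false" and "prod" in tag_values
```

Note the last branch of rule(): because all collapses a single match to a bare value, code that expects a list must normalise the result before using in or len().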
is_ip_in_network()
is_ip_in_network() checks whether an IP address falls within a list of IP ranges (CIDR networks). It can be used with a list of known internal networks to add context to a detection, for example to treat activity from outside those ranges differently.
Example:
pattern_match()
Example:
With the following JSON, the pattern_match() function would return True.
An example can be found in the AWS S3 Access Error detection.
pattern_match_list()
Similar to pattern_match(), pattern_match_list() checks whether a string matches any pattern in a given list.
Example:
With the following JSON, the pattern_match_list() function would return True.
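An added example, not code from this page or from Panther: local reimplementations of is_ip_in_network(), pattern_match() and pattern_match_list() with the behaviour described above (CIDR membership via the standard library, glob matching via fnmatch), driven by a constructed rule that flags S3 API errors whose caller is outside a set of internal ranges. The internal ranges, the error-code globs, the sample CloudTrail-style events and the rule logic are assumptions for this illustration and are not Panther's AWS S3 Access Error detection.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed for this example (not from the original page).
INTERNAL_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8"]

SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.7"},
    {"eventSource": "s3.amazonaws.com", "errorCode": "AccessDenied", "sourceIPAddress": "10.20.30.40"},
    {"eventSource": "s3.amazonaws.com", "errorCode": "NoSuchBucket", "sourceIPAddress": "2001:db8::10"},
    {"eventSource": "ec2.amazonaws.com", "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.2"},
    {"eventSource": "s3.amazonaws.com", "errorCode": "", "sourceIPAddress": "198.51.100.2"},
]


def is_ip_in_network(ip_addr: str, networks) -> bool:
    """True when ip_addr lies inside any CIDR in networks. Unparseable input
    (CloudTrail sometimes carries a service name such as 'AWS Internal' in
    sourceIPAddress) is treated as not in the network, so callers decide how
    to handle those events. Local reimplementation, not Panther's code."""
    try:
        ip = ipaddress.ip_address(ip_addr)
    except ValueError:
        return False
    for cidr in networks:
        try:
            # Mixed v4/v6 comparisons evaluate to False rather than raising.
            if ip in ipaddress.ip_network(cidr, strict=False):
                return True
        except ValueError:
            continue  # skip a malformed CIDR instead of failing the rule
    return False


def pattern_match(string_to_match: str, pattern: str) -> bool:
    """Shell-style glob match (*, ?, [seq]); not a regex. fnmatch follows the
    host OS case rules, so use fnmatch.fnmatchcase when case must matter."""
    return fnmatch(string_to_match, pattern)


def pattern_match_list(string_to_match: str, patterns) -> bool:
    """True when the string matches any glob in patterns."""
    return any(fnmatch(string_to_match, p) for p in patterns)


# Assumed error-code globs for the constructed rule below.
S3_ERROR_PATTERNS = ["AccessDenied", "NoSuch*", "*Forbidden*"]


def rule(event: dict) -> bool:
    """Constructed rule: an S3 API error whose caller is outside the known
    internal ranges."""
    if not pattern_match(event.get("eventSource", ""), "s3.*"):
        return False
    if not pattern_match_list(event.get("errorCode", ""), S3_ERROR_PATTERNS):
        return False
    return not is_ip_in_network(event.get("sourceIPAddress", ""), INTERNAL_NETWORKS)


def evaluate(events) -> list:
    """Run the rule over a batch of events and return the verdicts in order."""
    return [rule(e) for e in events]
```

Globs are deliberately simpler than regexes: "s3.*" matches the literal "s3." prefix, and "NoSuch*" covers NoSuchBucket and NoSuchKey without a pattern per code.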
aws_strip_role_session_id()
aws_strip_role_session_id() strips the session ID out of an assumed-role ARN, leaving only the role portion.
Example:
With the following value, aws_strip_role_session_id() would return arn:aws:sts::123456789012:assumed-role/demo
is_base64()
is_base64() checks whether the string is base64 encoded and, if so, returns the decoded string. If not, it returns an empty string.
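An added example, not code from this page or from Panther: local reimplementations of aws_strip_role_session_id() and is_base64() with the behaviour described above, plus a constructed summarize() that uses the stripped ARN as a stable actor key and the decoded value as evidence. The is_base64() version goes a little beyond the description by rejecting strings that are syntactically valid base64 but do not decode to text, a common false-positive source; the sample events and the strictness choices are assumptions for this illustration.

```python
import base64
import binascii


def aws_strip_role_session_id(user_identity_arn: str) -> str:
    """Drop the per-session suffix from an STS assumed-role ARN so that every
    session of the same role maps to one principal. ARNs of other shapes are
    returned unchanged. Local reimplementation, not Panther's code."""
    prefix, sep, rest = user_identity_arn.partition(":assumed-role/")
    if not sep:
        return user_identity_arn
    role_name = rest.split("/", 1)[0]
    return f"{prefix}{sep}{role_name}"


def is_base64(candidate: str) -> str:
    """Return the decoded text when candidate is strictly valid base64 that
    round-trips and decodes to printable UTF-8 (whitespace allowed);
    otherwise ''. The extra checks matter because any 4-character
    alphanumeric token such as 'test' is syntactically valid base64.
    Adjust the decoding for other payload encodings (for example UTF-16LE)."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return ""
    if base64.b64encode(raw).decode("ascii") != candidate:
        return ""  # non-canonical padding or trailing garbage
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ""
    if not all(ch.isprintable() or ch.isspace() for ch in text):
        return ""
    return text


# Constructed events (not from the original page).
SAMPLE_EVENTS = [
    {"userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/demo/i-0a1b"},
     "requestParameters": {"userData": "d2hvYW1p"}},       # base64 of "whoami"
    {"userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/demo/i-0c2d"},
     "requestParameters": {"userData": "test"}},           # valid alphabet, not text
    {"userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userData": "not base64!"}},
]


def summarize(events) -> list:
    """Return (actor key, decoded payload or '') per event; the actor key is
    the role ARN without its session suffix so alerts from different sessions
    of one role group together."""
    out = []
    for event in events:
        actor = aws_strip_role_session_id(event["userIdentity"]["arn"])
        decoded = is_base64(event["requestParameters"].get("userData", ""))
        out.append((actor, decoded))
    return out
```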
get_string_set()
get_string_set() is used to get a value from a Panther-managed cache based on its key. This is useful for retrieving state between detection invocations.
put_string_set()
put_string_set() is used to store a value in a Panther-managed cache based on its key. This is useful for storing state between detection invocations.
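An added example, not code from this page or from Panther, of the stateful pattern get_string_set() and put_string_set() enable: a constructed rule that alerts when a user signs in from an IP never recorded for that user. The cache here is an in-memory stand-in with the same get/put shape so the block runs offline; in a real rule the two functions are imported from panther_detection_helpers and the state lives in Panther's managed cache. The key naming, the login events and the rule logic are assumptions for this illustration.

```python
# In-memory stand-in for Panther's managed cache (constructed for this example).
_CACHE: dict = {}


def get_string_set(key: str) -> set:
    """Return a copy of the set stored under key, or an empty set if unknown."""
    return set(_CACHE.get(key, set()))


def put_string_set(key: str, values) -> None:
    """Replace the set stored under key."""
    _CACHE[key] = set(values)


def rule(event: dict) -> bool:
    """Alert when a user authenticates from an IP never recorded for them.
    The key is scoped per user so one account's history cannot suppress
    another's. Every user's first login also fires, so expect a learning
    period after deployment."""
    user = event.get("user")
    ip = event.get("source_ip")
    if not user or not ip:
        return False
    key = f"seen_ips:{user}"
    seen = get_string_set(key)
    if ip in seen:
        return False
    seen.add(ip)
    # Read-modify-write: two concurrent invocations for the same user can
    # overwrite each other's addition, so one duplicate alert is possible.
    put_string_set(key, seen)
    return True


# Constructed login events (not from the original page).
SAMPLE_LOGINS = [
    {"user": "alice", "source_ip": "198.51.100.4"},
    {"user": "alice", "source_ip": "198.51.100.4"},
    {"user": "alice", "source_ip": "203.0.113.9"},
    {"user": "bob", "source_ip": "198.51.100.4"},
    {"user": "", "source_ip": "203.0.113.9"},
]


def replay(events) -> list:
    """Start from an empty cache and return the rule's verdict per event."""
    _CACHE.clear()
    return [rule(e) for e in events]
```

Bounded growth is the practical concern with this pattern: a set that only ever grows should carry an expiry or a cap, otherwise a busy principal accumulates state indefinitely.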
New globals can be created in your Panther Console or in the source repository that holds your detections.
It is highly discouraged to make external API requests from within your detections in Panther. Detections are processed at very high scale, and making API requests can overload the receiving systems and cause your rules to exceed their execution timeout.
If you decide to remove dependencies from your detections, we recommend .
Notes on the helpers above:
deep_get(): located in panther_base_helpers. deep_get() is also available as an event function; for convenience, it is recommended to use that event function instead of this global helper. If the key you are trying to access is nested inside a list, consider using deep_walk() instead. An example can be found in the detection.
deep_walk(): located in panther_base_helpers. deep_walk() is also available as an event function; for convenience, it is recommended to use that event function instead of this global helper. deep_walk() returns the values associated with keys that are deeply nested in Python dictionaries, which may contain any number of dictionaries or lists; this ability to traverse lists is the key differentiator between deep_walk() and deep_get(). An example can be found in the detection.
is_ip_in_network(): located in panther_base_helpers. An example can be found in the detection.
pattern_match(): located in panther_base_helpers. A wrapper around Python's fnmatch for basic glob patterns (*, ? and [seq]); use it when simple pattern matching is needed without writing a regex.
pattern_match_list(): located in panther_base_helpers. An example can be found in the detection.
aws_strip_role_session_id(): located in panther_base_helpers. An example can be found in the detection.
is_base64(): located in panther_base_helpers. See an example in the .
get_string_set(): located in panther_detection_helpers. Learn more about the panther_detection_helpers package in its own documentation.
put_string_set(): located in panther_detection_helpers. Learn more about the panther_detection_helpers package in its own documentation.