Using the Simple Detection Builder

Create and edit detections without code

Overview

As part of the Simple Detections feature set, the ability to create Simple Detections in the Console builder and YAML detections in the CLI workflow is in open beta starting with Panther version 1.87, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
You can use the Simple Detection builder in the Panther Console to create and edit rules using drop-down fields. The builder lets you manage detections without writing code, but retains the benefits of detections-as-code, e.g., expressiveness, testability, CI/CD integration, and reusability.
The Simple Detection builder is part of the Simple Detections feature set, which promotes collaboration among team members with all levels of technical skill. Detections constructed in the CLI workflow in YAML, then uploaded to Panther, will be viewable and editable in the Simple Detection builder in the Console.
Rules created in the Simple Detection builder can be used in detection derivation.
See step-by-step instructions on how to create rules using the Simple Detection builder below, in How to create a rule in the Simple Detection builder.
If your team uses the CLI workflow to manage detection content, the changes made to detections using the Simple Detection builder in the Console will be overwritten on next upload (except for Inline Filters created in the Console, which will be preserved).
If you create or edit detections using the Simple Detection builder in the Console, copy the resulting YAML representation and include it in your local detections files, in order to prevent the changes from being overwritten on next upload.

Limitations of the Simple Detection builder

The Simple Detection builder in the Console cannot render certain YAML expressions. If you develop YAML detections locally and upload them, any detection that uses one of the expressions listed below will not be rendered in the Simple Detection builder; the Console shows it as raw YAML instead.
The limitations of the Simple Detection builder are:
  • Only YAML rules (not scheduled rules nor policies) can be created or rendered in the Simple Detection builder.
  • Absolute, multi-key, list comprehension, and enrichment match expressions cannot be rendered in the Simple Detection builder.
  • The OnlyOne and None combinators cannot be rendered in the Simple Detection builder.
    • The Simple Detection builder can render the All and Any combinators.
  • Many Condition values cannot be rendered in the Simple Detection builder. Only the following values may be used:
    • Equals
    • DoesNotEqual
    • IsGreaterThan
    • IsGreaterThanOrEquals
    • IsLessThan
    • IsLessThanOrEquals
    • Contains
    • DoesNotContain
    • StartsWith
    • EndsWith
    • IsIPAddressInCIDR
    • IsIPAddressNotInCIDR
    • CIDRContainsIPAddresses
    • CIDRDoesNotContainIPAddresses
    • IsIn
    • IsNotIn
    • IsIPAddressPublic
    • IsIPAddressPrivate
    • IsNullOrEmpty
    • IsNotNullOrEmpty

How to create a rule in the Simple Detection builder

You can create rules in the Simple Detection builder in the Panther Console. Learn more about rules on Rules and Scheduled Rules.
Creating a rule in the Simple Detection builder in the Console
  1. In the left-hand navigation bar of your Panther Console, click Build > Detections.
  2. Click Create New.
  3. In the Select Detection Type modal, choose Rule.
  4. On the create page, fill in the Name and ID for your detection:
     • Name: Enter a descriptive name for the rule.
     • ID (optional): Click the pen icon and enter a unique ID for your rule.
  5. In the For the Following Source section, select the Log Types this detection will apply to.
     On the detection editor page, the "Log Types" dropdown in the "For the Following Source" section is opened, and circled.
  6. In the Detect section, under How do you want to define your logic? click Simple Detection Builder.
     In the Detect section of the detection editor, there are two rectangular boxes with options: Simple Detection Builder and Python Editor.
     • The no-code detection builder will appear.
  7. To the right of Where, click +. In the menu that appears, select either Add Clause or Add Clause Group.
     Within a "Detect" section is a toggle that has two options, "Rule Builder" and "Text Editor." "Rule Builder" is selected. There is a plus button (+) next to the word "Where." A menu is open below the plus, with options "Add Clause" and "Add Clause Group."
  8. For each clause (either on its own or within a group), define the logic:
     1. Click Key, then select the event key the condition will apply to.
     2. Click Condition, then select a condition.
     3. If the selected Condition requires one or more input values (e.g., is or contains), provide a value or list of values.
  9. Between each clause and clause group, ensure the correct combinator (and or or) is selected.
  10. (Optional) Once you have finished constructing your detection logic, you can view the result as raw YAML by selecting Text Editor in the toggle in the upper-right corner of the Detect section.
  11. In the Set Alert Fields section, under Required Fields, select a Severity.
     • You can optionally configure the severity of the generated alert to be set dynamically, based on the content of the event that triggered it. To do so:
       1. Click Add Severity.
       2. To the right of Change to, select a Severity.
       3. To the right of if, click the plus icon (+), then define a condition under which this severity should be used:
          1. Click Key, then select the event key the condition will apply to.
          2. Click Condition, then select a condition.
          3. If the selected Condition requires one or more input values (e.g., is or contains), provide a value or list of values.
          4. Repeat for as many conditions as desired.
             • Multiple conditions are joined by AND logic. OR logic is not supported.
       4. Repeat for as many severities as desired.
          One line says "Severity is Critical." The next says "Change to High if p_any_usernames contains bob.boberson@example.com". There is a button that reads "Add Severity".
     • Learn more about alert severities in the Alert severities table.
  12. Within Optional Fields, set additional dynamic alert fields if desired:
     • Title:
       1. To the right of Change to, click the plus icon (+).
       2. Enter a string, using curly braces where you want an event value to be substituted dynamically.
          Within an "Optional Fields" section, there is text reading "Default title is my simple detection." There is an arrow pointing to a box with a "Change to:" label. To its right reads, "my updated alert title - {actor.displayName} performed {eventType}".
     • Group by:
       1. To the right of Change to group log events by, click the plus icon (+).
       2. Select one or more event fields. Multiple fields are joined by AND logic.
          • This field sets the deduplication string for your detection. The event values from the keys provided here are joined with a colon to form the deduplication string.
          • Example:
            A "Group by" section shows, "Change to group log events by: userIdentity.userName and sourceIPAddress"
            The resulting deduplication string for the Group by configuration shown above would be:
            <value of userIdentity.userName>:<value of sourceIPAddress>
          • Learn more about deduplication, including the order of precedence for how the deduplication string is set, on Rules and Scheduled Rules.
     • Alert Context:
       1. Under Alert Context, click the plus icon (+).
       2. Click Key, then enter a string.
          • In the alert context dictionary passed to generated alerts, this string will be a key.
       3. Click Value, then select an event field.
          • In the alert context dictionary passed to generated alerts, the value of this event field will be the corresponding value.
       4. Repeat to create as many pairs as you'd like.
          An "Alert Context" section shows two key value pairs, "User: userIdentity.userName" and "AWS Action: eventName".
  13. Further down within Optional Fields, set the static alert fields:
     • Description: Enter additional context about the rule.
     • Runbook: Enter the procedures and operations relating to this rule.
     • Reference: Enter an external link to more information relating to this rule.
     • Destination Overrides: Choose destinations to receive alerts for this detection, regardless of severity. Note that destinations can also be set dynamically, in the rule function. See Routing Order Precedence to learn more about routing precedence.
     • Deduplication Period: Choose a period of time over which to deduplicate events. Learn more in Deduplication of alerts.
     • Events Threshold: Enter the deduplication event threshold. Learn more in Deduplication of alerts.
     • Summary Attributes: Enter the attributes you want to showcase in the alerts that are triggered by this detection.
     • Tags: Enter custom tags to help you understand the rule at a glance (e.g., HIPAA).
     • Framework Mapping:
       1. Click Add New to enter a report.
       2. Provide values for the following fields:
          • Report Key: Enter a key relevant to your report.
          • Report Values: Enter values for that report.
  14. Within Test, in the Unit Test section, click Add New to create a test for the rule.
  15. In the upper-right corner, click Deploy.
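As an added illustration (not Panther's own code) of the Condition values and All/Any combinators the builder supports (see Limitations above) and of how Group by keys are joined into the deduplication string (step 12), the following Python evaluator runs those checks over a constructed CloudTrail-style event. The Key/Condition/Value dict layout of a clause is an assumption for illustration only, and the two CIDRContainsIPAddresses forms are left out.

```python
import ipaddress
# Added example, not Panther's code. Constructed sample event; clause layout (Key/Condition/Value) is assumed.
EVENT = {"eventName": "ConsoleLogin", "sourceIPAddress": "10.1.2.3",
         "userIdentity": {"userName": "alice"}, "p_any_usernames": ["bob.boberson@example.com"]}

def get_key(event, key):
    """Resolve a dotted event key such as userIdentity.userName; None if absent."""
    cur = event
    for part in key.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def ip(value):
    try:  # a value that is not an IP address never satisfies an IP condition
        return ipaddress.ip_address(value)
    except ValueError:
        return None

# Condition name -> predicate(actual event value, configured Value); mirrors the builder's list
CONDITIONS = {
    "Equals": lambda a, v: a == v,
    "DoesNotEqual": lambda a, v: a != v,
    "IsGreaterThan": lambda a, v: a is not None and a > v,
    "IsGreaterThanOrEquals": lambda a, v: a is not None and a >= v,
    "IsLessThan": lambda a, v: a is not None and a < v,
    "IsLessThanOrEquals": lambda a, v: a is not None and a <= v,
    "Contains": lambda a, v: a is not None and v in a,
    "DoesNotContain": lambda a, v: a is None or v not in a,
    "StartsWith": lambda a, v: isinstance(a, str) and a.startswith(v),
    "EndsWith": lambda a, v: isinstance(a, str) and a.endswith(v),
    "IsIn": lambda a, v: a in v,
    "IsNotIn": lambda a, v: a not in v,
    "IsNullOrEmpty": lambda a, v: a in (None, "", [], {}),
    "IsNotNullOrEmpty": lambda a, v: a not in (None, "", [], {}),
    "IsIPAddressInCIDR": lambda a, v: ip(a) is not None and ip(a) in ipaddress.ip_network(v, strict=False),
    "IsIPAddressNotInCIDR": lambda a, v: ip(a) is not None and ip(a) not in ipaddress.ip_network(v, strict=False),
    "IsIPAddressPublic": lambda a, v: ip(a) is not None and ip(a).is_global,
    "IsIPAddressPrivate": lambda a, v: ip(a) is not None and ip(a).is_private,
}

def matches(node, event):
    """Evaluate one clause, or an All/Any clause group, recursively."""
    for combinator, fn in (("All", all), ("Any", any)):
        if combinator in node:
            return fn(matches(child, event) for child in node[combinator])
    return CONDITIONS[node["Condition"]](get_key(event, node["Key"]), node.get("Value"))

def dedup_string(event, group_by):
    """Group by: the event values for the listed keys joined with a colon."""
    return ":".join(str(get_key(event, k)) for k in group_by)
```

For example, `matches({"Key": "sourceIPAddress", "Condition": "IsIPAddressPrivate"}, EVENT)` is true for the sample event, and `dedup_string(EVENT, ["userIdentity.userName", "sourceIPAddress"])` yields `alice:10.1.2.3`.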