# Using the Simple Detection Builder

## Overview

You can use the Simple Detection builder in the Panther Console to create and edit [rules](https://docs.panther.com/detections/rules) using drop-down fields. The builder lets you manage detections without writing code, but retains the benefits of detections-as-code, e.g., expressiveness, testability, CI/CD integration, and reusability.

The Simple Detection builder is part of the [Simple Detections](https://docs.panther.com/detections/..#simple-detections) feature set, which promotes collaboration among team members with all levels of technical skill. Simple Detections [constructed in the CLI workflow in YAML](https://docs.panther.com/detections/rules/writing-simple-detections), then uploaded to Panther, will be viewable and editable in the Simple Detection builder in the Console.

Rules created in the Simple Detection builder can be used in [detection derivation](https://docs.panther.com/detections/rules/derived).

See step-by-step instructions on how to create rules using the Simple Detection builder below, in [How to create a rule in the Simple Detection builder](#how-to-create-a-rule-in-the-simple-detection-builder).

{% hint style="info" %}
If your team uses the CLI workflow to manage detection content, the changes made to detections using the Simple Detection builder in the Console will be overwritten on next upload (except for [Inline Filters](https://docs.panther.com/detections/rules/inline-filters) created in the Console, which will be preserved).

If you create or edit detections using the Simple Detection builder in the Console, copy the resulting YAML representation and include it in your local detections files, in order to prevent the changes from being overwritten on next upload.
{% endhint %}

### Video overview

{% embed url="https://youtu.be/GcId5sw4dps" %}

### How to access the Simple Detection builder

To access the Simple Detection builder in the Panther console:

1. In the left-hand navigation bar of your Panther Console, click **Detections**.
2. Click **Create New**.
3. On the **Detection Builder Rule** tile, click **Start**.
4. On the create page, fill in the **Name** and **ID** for your detection:
   * **Name**: Enter a descriptive name for the rule.
   * **ID** (optional): Click the pen icon and enter a unique ID for your rule.
5. In the **For the Following Source** section, select the **Log Types** this detection will apply to.\
   ![On the detection editor page, the "Log Types" dropdown in the "For the Following Source" section is opened, and circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-f6a6c446c86a8de324200b846ba79ed72f27f63f%2FScreenshot%202023-08-15%20at%209.56.21%20AM.png?alt=media)
6. In the **Detect** section, where the **Rule Builder** option is pre-selected, see the Simple Detection builder:\
   ![Under a "Detect" title, there are two tabs: Rule Builder and Text Editor.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-bd348618146b0492cfc7c80ebcfddeaa8a24bb8e%2FScreenshot%202025-06-17%20at%206.14.03%E2%80%AFPM.png?alt=media)

{% hint style="info" %}
References to "the Simple Detection builder" in this documentation are to the builder visible when **Rule Builder** is selected. The [Limitations of the Simple Detection builder](#limitations-of-the-simple-detection-builder), for example, do not apply to the **Text Editor**.

<img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-f5cbd7748efc4c8b8a01ccdee6294e4018356d39%2Fimage%20(151).png?alt=media" alt="" data-size="original">
{% endhint %}

## How to create a rule in the Simple Detection builder

You can create rules in the Simple Detection builder in the Panther Console. Learn more about rules on [Rules and Scheduled Rules](https://docs.panther.com/detections/rules).

<details>

<summary>Creating a rule in the Simple Detection builder in the Console</summary>

1. Follow the instructions in [How to access the Simple Detection builder](#how-to-access-the-simple-detection-builder).
2. To the right of **Where**, click **+**. In the menu that appears select either **Add Clause** or **Add Clause Group**.\
   ![Within a "Detect" section is a toggle that has two options, "Rule Builder" and "Text Editor." "Rule Builder" is selected. There is a plus button (+) next to the word "Where." A menu is open below the plus, with options "Add Clause" and "Add Clause Group."](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-04d2af9e8b2e2ebf33fd639424daa221e4b7f536%2FScreenshot%202023-08-15%20at%2010.04.47%20AM.png?alt=media)
3. For each clause (either on its own or within a group), define the logic:
   1. Click **Key**, then select an event key the condition will apply to.
   2. Click **Condition**, then select a condition.
   3. If the selected **Condition** takes one or more values (e.g., `is` or `contains`), provide a value or a list of values.
4. Between each clause and clause group, ensure the correct combinator (either **and** or **or**) is selected.
5. (Optional) Once you have finished constructing your detection logic, you can view the result in raw YAML by selecting **Text Editor** in the toggle in the upper-right corner of the **Detect** section.
6. In the **Create Alert** section, set the **Create Alert** `ON/OFF` toggle. This indicates whether an [alert](https://docs.panther.com/alerts) should be created when there are matches, or only a [Signal](https://docs.panther.com/detections/signals). If you set this toggle to `ON`:
   1. Under **Required Fields**, select a **Severity**.
      * Learn more about alert severities in the [Alert severities table](https://docs.panther.com/detections/rules/..#alert-severity).
   2. Under **Optional Fields**, set the dynamic alert fields:
      * **Title**: To the right of **Change to**, click the plus (**+**), then enter a string, using curly braces where you want to dynamically substitute an event value.\
        ![Within an "Optional Fields" section, there is text reading "Default title is my simple detection." There is an arrow pointing to a box with a "Change to:" label. To its right reads, "my updated alert title - {actor.displayName} performed {eventType}](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-b0381f015c7b25f79a4321f50e5918b8b65e0811%2FScreenshot%202023-08-23%20at%204.21.53%20PM.png?alt=media)
      * **Description**: Enter additional context about the rule.
      * **Runbook**: Enter the procedures and operations relating to this rule.
        * Learn more on [Alert Runbooks](https://docs.panther.com/alerts/alert-runbooks).
      * **Reference**: Enter an external link to more information relating to this rule.
      * **Destination Overrides**: Choose destinations to receive alerts for this detection, regardless of severity. Note that destinations can also be set dynamically, in the rule function. See [Routing Order Precedence](https://docs.panther.com/alerts/destinations#routing-order-precedence) to learn more about routing precedence.
      * **Deduplication Period**: Choose a period of time over which to deduplicate events. Learn more in [Deduplication of alerts](https://docs.panther.com/detections/rules/..#deduplication-of-alerts).
      * **Events Threshold**: Enter the deduplication event threshold. Learn more in [Deduplication of alerts](https://docs.panther.com/detections/rules/..#deduplication-of-alerts).
      * **Summary Attributes**: Enter the attributes you want to showcase in the alerts that are triggered by this detection.
        * To use a nested field as a summary attribute, use the Snowflake dot notation in the Summary Attribute field to traverse a path in a JSON object:\
          `<column>:<level1_element>.<level2_element>.<level3_element>`\
          The alert summary will then be generated for the referenced object in the alert. [Learn more about traversing semi-structured data in Snowflake here.](https://docs.snowflake.com/en/user-guide/querying-semistructured.html#label-traversing-semistructured-data)
        * For more information on Alert Summaries, see [Assigning and Managing Alerts](https://docs.panther.com/alerts/alert-management).
      * **Tags**: Enter custom tags to help you understand the rule at a glance (e.g., `HIPAA`).
      * **Framework Mapping**:
        1. Click **Add New** to enter a report.
        2. Provide values for the following fields:
           * **Report Key**: Enter a key relevant to your report.
           * **Report Values**: Enter values for that report.
7. Under **Test**, in the **Unit Test** section, click **Add New** to [create a test](https://docs.panther.com/detections/testing) for the rule.
8. In the upper-right corner, click **Deploy**.

</details>
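As an added example (constructed for this page, not taken from the page or from Panther's own content), the YAML below is what the **Text Editor** would show for a rule built with the steps above: two clauses joined with **and**, a clause group joined with **or**, the Create Alert toggle on, a dynamic title, and one unit test per expected outcome. The log type, field names, addresses and rule ID are illustrative; key spellings follow the Simple Detection YAML format but should be treated as assumptions and confirmed against the Text Editor output of your own Panther version before you copy the YAML into your local detection files.

```yaml
# Added example, constructed for this page: the YAML the Text Editor would show for a
# builder-created rule. Key names follow the Simple Detection YAML format; treat the exact
# spelling of any key as an assumption and confirm it against your own Text Editor output.
AnalysisType: rule
RuleID: Custom.Okta.SessionFromFlaggedNetwork   # assumed ID; the builder generates one if ID is left blank
DisplayName: Okta session started from a flagged network
Enabled: true
LogTypes:                 # "For the Following Source" -> Log Types
  - Okta.SystemLog

Detection:                # "Detect" -> Where
  - All:                  # clauses joined with "and"
      - Key: eventType
        Condition: Equals # shown as "is" in the builder
        Value: user.session.start
      - DeepKey:          # nested event key outcome.result
          - outcome
          - result
        Condition: Equals
        Value: SUCCESS
      - Any:              # clause group joined with "or"
          - DeepKey: [client, ipAddress]
            Condition: IsIn
            Values:       # constructed example addresses (TEST-NET-3 range)
              - 203.0.113.10
              - 203.0.113.11
          - DeepKey: [client, userAgent, rawUserAgent]
            Condition: Contains
            Value: curl/

CreateAlert: true         # "Create Alert" toggle ON (false = Signal only)
Severity: High            # Required Fields -> Severity
AlertTitle: "Flagged Okta session for {actor.displayName} via {eventType}"  # {key} substitutes an event value
Description: Successful Okta session from an address or client that has been flagged for review.
Runbook: Confirm with the user; if unexpected, terminate the session and rotate credentials.
Reference: https://example.com/runbooks/okta-flagged-session   # placeholder link
DedupPeriodMinutes: 60    # Deduplication Period
Threshold: 1              # Events Threshold
SummaryAttributes:
  - actor:displayName     # Snowflake path notation, as described for the Summary Attributes field
  - p_any_ip_addresses
Tags:
  - Okta
  - Identity
Reports:                  # Framework Mapping: Report Key -> Report Values
  MITRE ATT&CK:
    - TA0001:T1078

Tests:                    # Unit Test -> Add New; the events below are constructed
  - Name: Successful session from a flagged address fires
    ExpectedResult: true
    Log:
      eventType: user.session.start
      outcome: { result: SUCCESS }
      client: { ipAddress: 203.0.113.10, userAgent: { rawUserAgent: Mozilla/5.0 } }
      actor: { displayName: Jane Doe }
  - Name: Failed session from the same address stays quiet
    ExpectedResult: false
    Log:
      eventType: user.session.start
      outcome: { result: FAILURE }
      client: { ipAddress: 203.0.113.10, userAgent: { rawUserAgent: Mozilla/5.0 } }
      actor: { displayName: Jane Doe }
  - Name: Unflagged address with a browser client stays quiet
    ExpectedResult: false
    Log:
      eventType: user.session.start
      outcome: { result: SUCCESS }
      client: { ipAddress: 198.51.100.7, userAgent: { rawUserAgent: Mozilla/5.0 } }
      actor: { displayName: Jane Doe }
```

The negative tests matter as much as the positive one: they pin down that the `All` and `Any` combinators nest the way the builder's **and**/**or** selections suggest, so a later edit that accidentally flattens the group is caught before deploy. If your team uses the CLI workflow, this is the file to commit, and `panther_analysis_tool test` runs the `Tests` block locally before upload.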

## Limitations of the Simple Detection builder

The Simple Detection builder in the Console cannot render certain YAML expressions. If you [locally write and upload Simple Detections](https://docs.panther.com/detections/rules/writing-simple-detections) using any of the expressions below, they will not be rendered in the Simple Detection builder in the Console; instead, the rule is shown as raw YAML in the **Text Editor**.

Below are the limitations of the Simple Detection builder:

* Only rules (not scheduled rules or policies) can be created or rendered in the Simple Detection builder.
* [Absolute](https://docs.panther.com/detections/writing-simple-detections/match-expression#absolute-match-expressions), [multi-key](https://docs.panther.com/detections/writing-simple-detections/match-expression#multi-key-match-expressions), [list comprehension](https://docs.panther.com/detections/writing-simple-detections/match-expression#list-comprehension-match-expressions), and [enrichment](https://docs.panther.com/detections/writing-simple-detections/match-expression#enrichment-match-expressions) match expressions cannot be rendered in the Simple Detection builder.
  * The no-code builder can render [key/value](https://docs.panther.com/detections/writing-simple-detections/match-expression#key-value-match-expressions) and [key/values](https://docs.panther.com/detections/writing-simple-detections/match-expression#key-values-match-expressions) match expressions.
* The `OnlyOne` and `None` [combinators](https://docs.panther.com/detections/writing-simple-detections/match-expression#combinators) cannot be rendered in the Simple Detection builder.
  * The Simple Detection builder can render the `All` and `Any` combinators.
* In the **Alert Context** field, event fields of type JSON cannot be used.
* Certain [`Condition`](https://docs.panther.com/detections/writing-simple-detections/match-expression#condition) values cannot be rendered in the Simple Detection builder. The following conditions are not supported:
  * `Exists`
  * `DoesNotExist`
  * `IsNull`
  * `IsNotNull`
  * `IsIPAddress`
  * `IsIPv4Address`
  * `IsIPv6Address`
  * `AnyElement`
  * `AllElements`
  * `OnlyOneElement`
  * `NoElement`
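Some of these limitations can be worked around so that a rule stays editable in the builder. As an added example (constructed for this page, not from the page or from Panther), the fragment below shows a rule that uses the `None` combinator, which only opens as raw YAML, next to the same logic rewritten by De Morgan's law ("none of X, Y" is "not X and not Y") using `All` plus negated conditions, which the builder can render. The condition names `DoesNotEqual` and `IsNotIn`, the field names and the values are assumptions for illustration; `OnlyOne` and the key-presence conditions (`Exists`, `IsNull` and their complements) have no such rewrite and stay in the Text Editor.

```yaml
# Added example, constructed for this page (not from the page or from Panther).
# Condition names DoesNotEqual / IsNotIn are assumed from the Simple Detection format;
# confirm them against the Text Editor before relying on this rewrite.

# Variant A: "None" combinator. Valid YAML, but it renders only in the Text Editor.
Detection:
  - None:
      - Key: eventType
        Condition: Equals
        Value: user.session.end
      - Key: severity
        Condition: IsIn
        Values: [INFO, DEBUG]
---
# Variant B: the same logic after De Morgan (none of X, Y == not X and not Y),
# written as All over the negated conditions so the builder can render it.
Detection:
  - All:
      - Key: eventType
        Condition: DoesNotEqual
        Value: user.session.end
      - Key: severity
        Condition: IsNotIn
        Values: [INFO, DEBUG]

# Constructed unit tests. Run them against BOTH variants before swapping one for the other:
# the second case only passes if the engine treats a missing key as "not equal" / "not in",
# which is an assumption about evaluation semantics, not something this page states.
Tests:
  - Name: session end is excluded by both variants
    ExpectedResult: false
    Log: { eventType: user.session.end, severity: WARN }
  - Name: other event at WARN matches in both variants
    ExpectedResult: true
    Log: { eventType: user.session.start, severity: WARN }
  - Name: absent eventType key (verify both variants agree before relying on the rewrite)
    ExpectedResult: true
    Log: { severity: WARN }
```

The rewrite is exact only when every inner condition has a negated form and both forms treat absent keys the same way; the third test exists precisely to surface a difference there, since a `None` over `Equals` and a `DoesNotEqual` on a key that is not present are the kind of edge case a no-code refactor silently changes.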
