Using the Simple Detection Builder
Create and edit detections without code
Last updated
Was this helpful?
Create and edit detections without code
Last updated
Was this helpful?
You can use the Simple Detection builder in the Panther Console to create and edit using drop-down fields. The builder lets you manage detections without writing code, but retains the benefits of detections-as-code, e.g., expressiveness, testability, CI/CD integration, and reusability.
The Simple Detection builder is part of the feature set, which promotes collaboration among team members with all levels of technical skill. Simple Detections , then uploaded to Panther, will be viewable and editable in the Simple Detection builder in the Console.
Rules created in the Simple Detection builder can be used in .
See step-by-step instructions on how to create rules using the Simple Detection builder below, in .
To access the Simple Detection builder in the Panther console:
In the left-hand navigation bar of your Panther Console, click Detections.
Click Create New.
In the Select Detection Type modal, choose Rule.
On the create page, fill in the Name and ID for your detection:
Name: Enter a descriptive name for the rule.
ID (optional): Click the pen icon and enter a unique ID for your rule.
The no-code detection builder will appear. The Rule Builder option will be pre-selected.
Below are the limitations of the Simple Detection builder:
Only rules (not scheduled rules nor policies) can be created and/or rendered in the Simple Detection builder.
The Simple Detection builder can render the All and Any combinators.
In the Alert Context field, event fields of type JSON cannot be used.
Equals
DoesNotEqual
IsGreaterThan
IsGreaterThanOrEquals
IsLessThan
IsLessThanOrEquals
Contains
DoesNotContain
StartsWith
EndsWith
IsIPAddressInCIDR
IsIPAddressNotInCIDR
CIDRContainsIPAddresses
CIDRDoesNotContainIPAddresses
IsIn
IsNotIn
IsIPAddressPublic
IsIPAddressPrivate
IsNullOrEmpty
IsNotNullOrEmpty
In the For the Following Source section, select the Log Types this detection will apply to.
In the Detect section, under How do you want to define your logic? click Simple Detection Builder.
References to "the Simple Detection builder" in this documentation are to the builder visible when Rule Builder is selected. The , for example, do not apply to the Text Editor.
You can create rules in the Simple Detection builder in the Panther Console. Learn more about rules on .
If your team uses the CLI workflow to manage detection content, the changes made to detections using the Simple Detection builder in the Console will be overwritten on next upload (except for created in the Console, which will be preserved).
Follow the instructions in .
To the right of Where, click +. In the menu that appears select either Add Clause or Add Clause Group.
In the Create Alert section, set the Create Alert ON/OFF toggle. This indicates whether an should be created when there are matches, or only a . If you set this toggle to ON:
Learn more about alert severities in the .
Title: To the right of Change to, click the plus (+), then enter a string, using curly braces where you want to dynamically substitute an event value.
To see examples of runbooks for built-in rules, see .
Destination Overrides: Choose destinations to receive alerts for this detection, regardless of severity. Note that destinations can also be set dynamically, in the rule function. See to learn more about routing precedence.
Deduplication Period: Choose a period of time over which to deduplicate events. Learn more in .
Events Threshold: Enter the deduplication event threshold. Learn more in .
To use a nested field as a summary attribute, use the Snowflake dot notation in the Summary Attribute field to traverse a path in a JSON object:
<column>:<level1_element>.<level2_element>.<level3_element>
The alert summary will then be generated for the referenced object in the alert.
For more information on Alert Summaries, see .
Under Test, in the Unit Test section, click Add New to for the rule.
The Simple Detection builder in the Console cannot render certain YAML expressions. If you using any of the below expressions, they will not be visible in the Simple Detection builder in the Console—they will be shown in raw YAML.
, , , and match expressions cannot be rendered in the Simple Detection builder.
The no-code builder can render and match expressions.
The OnlyOne and None cannot be rendered in the Simple Detection builder.
Many values cannot be rendered in the Simple Detection builder. Only the following values may be used:
