# Simple Detection Error Codes ## Overview Error codes from the [Simple Detections](https://docs.panther.com/detections/..#simple-detections) model are stable, meaning they do not change over time and are formatted consistently. Error codes have 10 characters, and each character group represents something different. To demonstrate this, take the error code `SD00100001`. It is broken down as follows: * First and second characters: Always `SD` * Third, fourth, and fifth characters: Represent the category: `001` - general * Sixth through tenth characters: Unique error code: `00001` - no rule specified ## 001 errors: general

Error code	Description
SD00100001	This error code is returned when a rule is not specified in the provided Simple Detections YAML. For example, if a Simple Detections YAML file has a top level key of `Detection` but there's no content under it. `AnalysisType: rule RuleID: Test.MultiMatch.Key DisplayName: a simple test of Multi-key match expressions Severity: High Enabled: true LogTypes: - Panther.Audit Detection:`
SD00100002	This error code is returned when a file could not be read at the specified path.
SD00100003	This error code is returned when an unexpected type is encountered. This usually happens when you try to use a `Condition` like `IsLessThanOrEquals` with a non-numeric value.
SD00100004	This error code is returned when a `Condition` expected an integer value but got something else.
SD00100005	This error code is returned when a `Condition` expected a float value but got something else.
SD00100006	This error code is returned when a `Condition` expected a boolean value but got something else.
SD00100007	This error code is returned when a `Condition` expected a string value but got something else.

## 002 errors: unmarshaler

Error code	Description
SD00200001	This error code is returned when a YAML file could not be unmarshaled. This most often occurs when the YAML file is malformed.
SD00200002	This error code is returned when a YAML node could not be unmarshaled. This most often occurs when the `Condition` is invalid or the match expression is malformed.
SD00200003	This error code is returned when the key specifier is invalid. This occurs when: A multi-key match expression has a malformed entry under the `Values` key: `- Condition: Equals Values: # This first list element is invalid. It cannot have both Key and KeyPath. - Key: abc KeyPath: a.b.c - Key: def` A `GroupBy` statement has a malformed entry under the `GroupBy` key: `GroupBy: # This first list element is invalid. It cannot have both Key and KeyPath. - Key: abc KeyPath: a.b.c - Key: def` An `AlertContext` has a malformed entry in the `Value` that specifies which key's context to capture: `AlertContext: - Key: my.alert.context.key # The following Value field is invalid - you can only specify a single Key Specifier (Key, DeepKey, or KeyPath) Value: Key: p_any_ip_addresses KeyPath: p_any_ip_addresses`
SD00200004	This error code is returned when the YAML match expression for an existence `Condition` is malformed. Usually, this occurs when a `Value` or `Values` key is specified in the YAML: `- Key: abc Condition: Exists Value: someInvalidString # This Value key is invalid.`
SD00200005	This error code is returned when, after we finish unmarshaling the YAML, the resulting struct is invalid. Simple Detections runs a number of validations at this stage, including: Validation that the specified key specifier format is correct Validation that absolute Conditions (`AlwaysTrue`, `AlwaysFalse`) are only used with absolute match expressions Validation that a specified `KeyPath` is using valid syntax Validation that a specified `Key` is using valid syntax

## 003 errors: core

Error code	Description
SD00300001	This error is returned when a Simple Detection Rule Data Model could not be created. Most commonly, this will be a catch all for less specific errors. Check the "Inner Error" for additional details.
SD00300002	This error is returned when a Simple Detection Filter Data Model could not be created. Most commonly, this will be a catch all for less specific errors. Check the "Inner Error" for additional details.
SD00300003	This error is returned when Simple Detections was able to unmarshal the provided YAML but was unable to create a valid Simple Detections data model. This error should rarely occur, but if it does, it is likely due to a bug in the Simple Detections data models.
SD00300004	This error is returned when Simple Detections was able to create a valid Simple Detections data model but was unable to validate the constructed match expression. Validations that are run on constructed match expressions include, by type: Existence conditions: only a key specifier and `Condition` are provided Absolute conditions: only a `Condition` is provided Scalar conditions: a key specifier, `Condition,` and `Value` are provided List conditions: a key specifier, `Condition`, and `Values` are provided Multi-key match expressions: `Condition` and `Values` are provided List comprehension conditions: a key specifier, `Condition`, and `Expressions` are provided `Expressions` contains: One or more nested list comprehensions, i.e., a list comprehension calling another list comprehension One or more simpler (i.e., not list comprehension) match expressions
SD00300005	This error code is returned when Simple Detections was able to create a valid Simple Detections data model but was unable to validate the `GroupBy` statement. Validations that are run on the `GroupBy` statement include: At least one key specifier is provided
SD00300006	This error code is returned when a Simple Detection `GroupBy` Data Model could not be created. Most commonly, this will be a catch all for less specific errors. Check the "Inner Error" for additional details.
SD00300007	This error code is returned when a Match Expression was expected to be a list comprehension but is not a list comprehension. This is most commonly returned when: A dynamic severity is specified List comprehensions are not allowed in `DynamicSeverities` A list comprehension is attempted to be used in an Inline Filter List comprehensions are not allowed in `InlineFilters`
SD00300008	This error code is returned when a Simple Detection Alert Context Data Model could not be created. Most commonly, this will be a catch all for less specific errors. Check the "Inner Error" for additional details.
SD00300009	This error code is returned when Simple Detections was able to create a valid Simple Detections data model but was unable to validate the `AlertContext` statement. Validations that are run on the `AlertContext` statement include: A minimum of one (1) key/value pair is provided if `AlertContext` is specified
SD00300010	This error code is returned when Simple Detections was unable to validate the provided `AlertTitle`. Validations that are run on the `AlertTitle` include: The `AlertTitle` is not empty
SD00300011	This error code is returned when a Simple Detection `AlertTitle` Data Model could not be created. Most commonly, this will be a catch all for less specific errors. Check the "Inner Error" for additional details.
SD00300012	This error code is returned when a Simple Detection Dynamic Severities Data Model could not be created. Most commonly, this will be a catch all for less specific errors. Check the "Inner Error" for additional details.
SD00300013	This error code is returned when a Dynamic Severity is specified but has no conditions: `DynamicSeverities: - ChangeTo: CRITICAL Conditions: []`
SD00300014	This error code is returned when Simple Detections was able to create the Dynamic Severities Data Model, but was unable to validate it. Validations that are run on the Dynamic Severities include: If `DynamicSeverities` is specified, at least one Dynamic Severity is specified No list comprehensions are used in the `Conditions` No combinators are used in the `Conditions` (e.g. `Any`, `All`, `OnlyOne`, `None`) No Absolute Conditions are used in the `Conditions` No multi-key match expressions are used in the `Conditions`

## 004 errors: transpiler

Error code	Description
SD00400001	This error code is returned when a match expression could not be converted to Python. See the "Inner Error" for additional details.
SD00400002	This error code is returned when a match expression could not be converted to a Python comment. This is unlikely to occur and is probably a bug in Simple Detections.
SD00400003	This error code is returned when Simple Detections was able to convert all of the match expressions under the `Detection` key into Python, but was unable to construct the full Python rule. This is unlikely to occur and is probably a bug in Simple Detections.
SD00400004	This error code is returned when a Match Expression is not yet supported for transpilation to Python. This is unlikely to occur and is probably a bug in Simple Detections.
SD00400013	This error code is returned when a Correlation rule could not be converted properly. Only relevant to Correlations Detections.

## 005 errors: filters

Error code Description

SD00500001

Error code	Description
SD00500001	This error code is returned when a match expression could not be converted to an Inline Filter. See the "Inner Error" for additional details. Most commonly, this occurs when the provided Match Expression uses an unsupported Match Expression form or `Condition` for Inline Filters. Inline Filters only support the following conditions: `Equals` `DoesNotEqual` `IsGreaterThan` `IsGreaterThanOrEquals` `IsLessThan` `IsLessThanOrEquals` `Contains` `DoesNotContain` `StartsWith` `EndsWith` `IsIPAddressInCIDR` `IsIPAddressNotInCIDR` `CIDRContainsIPAddresses` `CIDRDoesNotContainIPAddresses` `IsIn` `IsNotIn` `IsIPAddressPublic` `IsIPAddressPrivate` `IsNullOrEmpty` `IsNotNullOrEmpty` Inline Filters only support the following Match Expression forms: Key/value Key/values Existence
SD00500002	This error code is returned when a Inline Filter could not be converted to a match expression. This is unlikely to occur and is probably a bug in Simple Detections.

This error code is returned when a match expression could not be converted to an Inline Filter. See the "Inner Error" for additional details. Most commonly, this occurs when the provided Match Expression uses an unsupported Match Expression form or Condition for Inline Filters.

Inline Filters only support the following conditions:

Equals
DoesNotEqual
IsGreaterThan
IsGreaterThanOrEquals
IsLessThan
IsLessThanOrEquals
Contains
DoesNotContain
StartsWith
EndsWith
IsIPAddressInCIDR
IsIPAddressNotInCIDR
CIDRContainsIPAddresses
CIDRDoesNotContainIPAddresses
IsIn
IsNotIn
IsIPAddressPublic
IsIPAddressPrivate
IsNullOrEmpty
IsNotNullOrEmpty

Inline Filters only support the following Match Expression forms:

SD00500002 This error code is returned when a Inline Filter could not be converted to a match expression. This is unlikely to occur and is probably a bug in Simple Detections.

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.panther.com/detections/rules/writing-simple-detections/simple-detection-error-codes.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.