Writing Simple Detections
Construct YAML detections in the CLI workflow
Overview
Simple Detections can be created in the CLI workflow in YAML, in addition to being created in the Simple Detection Builder in the Console.
Simple Detections created in the CLI workflow, then uploaded to Panther, can be viewed and edited in the Simple Detection builder in the Console. This may be valuable if members of your team have varying levels of experience with YAML.
Simple detections can be used in detection derivation.
If you aren't sure whether to write detections locally as Simple Detections (in YAML) or Python detections, see the Using Python vs. Simple Detections YAML section.
If your team uses the CLI workflow to manage detection content, the changes made to detections using the Simple Detection builder in the Console will be overwritten on next upload (except for Inline Filters created in the Console, which will be preserved).
If you create or edit detections using the Simple Detection builder in the Console, copy the resulting YAML representation and include it in your local detections files, in order to prevent the changes from being overwritten on next upload.
Limitations of Simple Detections YAML
Scheduled rules and policies cannot be created as Simple Detections.
Only rules can be created in YAML.
Panther-managed Simple Detections are not yet available.
It is possible, however, to use Panther-managed Python detections alongside your own Simple Detections.
Many helper functions available in Python, including those for specific log sources, are not represented in YAML.
Some global helpers have been converted into YAML keys, e.g.,
deep_get()
isDeepKey
.
It is not possible to make external API calls in Simple Detections, including to fetch values from your Dynamo KV store to use caching.
How to create a Simple Detection (rule) in YAML
Simple Detection YAML syntax
Each custom Simple Detection can be composed of:
Detection key
Filter key
Metadata keys
Alert keys (dynamic)
Alert keys (static)
Learn more about each of these keys, including which are required and optional, in the Simple Detection rule specification reference below.
Detection
Detection
Within the Detection
key, include one or more match expressions.
InlineFilters
InlineFilters
Learn more about using InlineFilters
in Simple Detections on Modifying Detections with Inline Filters.
Dynamic alert keys in Simple Detections
Alert fields are fields in a Simple Detection definition that are applicable to the alerts generated by that detection.
Alert fields can be static or dynamic. With static alert fields, you provide a set value in the detection definition, which does not change based on the incoming event. Dynamic alert fields, however, can use information in the event to determine the value.
If you are using alert deduplication, the first event to match the detection is used by these alert keys.
DynamicSeverities
DynamicSeverities
Use DynamicSeverities
to dynamically set the severity of an alert generated by a match on this detection. This field is dynamic because you can use values from the event to determine the severity.
When DynamicSeverities
is present, its value overrides the value of the Severity
key. Severity
is still required, and its value will be the fallback value if there are no matches on any of the match expressions contained within DynamicSeverities
.
Within the DynamicSeverities
key, include one or more ChangeTo
keys, each with a corresponding Conditions
key. The value of ChangeTo
should be one of the alert severities. The ChangeTo
blocks are evaluated in order, from top to bottom, and evaluation stops once a match has been found.
Within Conditions
, include one or more match expressions. The Conditions
list has the following limitations:
No list comprehension, multi-key, or absolute match expressions may be used.
No combinators may be used.
Example:
AlertTitle
AlertTitle
Use AlertTitle
to dynamically set the title of an alert generated by a match on this detection. This field is dynamic because you can use values from the event in the title.
The value of AlertTitle
should be a string. You can reference event values by using curly braces. Inside the curly braces, use JSON path syntax.
Example:
AlertContext
AlertContext
AlertContext
lets you identify event data to pass onto generated alerts, formatted as a dictionary.
Within AlertContext
, include one or more KeyName
and KeyValue
pairs. KeyName
takes a string of your choice, which will become the key in the alert context dictionary. Within KeyValue
, use a key specifier to indicate an event key—its value will be the value in the alert context dictionary.
KeyValue
values must be JSON-compliant. Examples of non-compliant values include Python's nan
, inf
, and -inf
.
Example:
GroupBy
GroupBy
GroupBy
sets the deduplication string for your detection. Learn more about deduplication, including the order of precedence for how the deduplication string is set, on Rules and Scheduled Rules.
Within the GroupBy
key, include a list of one or more event keys defined with key specifiers.
Example:
The values of the keys provided under GroupBy
are joined with a colon to form the deduplication string. The outputted deduplication string for the above example would be:
Simple Detection rule specification reference
The table below contains all available YAML keys for Simple Detections. Required fields are in bold.
If you are writing a Python rule, instead see the Python rule specification reference.
Field Name
Description
Expected Value
AnalysisType
Indicates whether this analysis is a rule, scheduled_rule, policy, or global
rule
Enabled
Whether this rule is enabled
Boolean
RuleID
The unique identifier of the rule
String
LogTypes
The list of logs to apply this rule to
List of strings
Severity
One of the following strings: Info
, Low
, Medium
, High
, or Critical
This field is overwritten by DynamicSeverities
, but is required even if DynamicSeverities
is defined
CreateAlert
Boolean
Detection
The list of match expressions to apply to the event data
Description
A brief description of the rule
String
Set of event values that will be used to deduplicate alerts by
List of event keys
DedupPeriodMinutes
The time period (in minutes) during which similar events of an alert will be grouped together
15
,30
,60
,180
(3 hours),720
(12 hours), or 1440
(24 hours)
DisplayName
A user-friendly name to show in the Panther Console and alerts. The RuleID
will be displayed if this field is not set.
String
OutputIds
Static destination overrides. These will be used to determine how alerts from this rule are routed, taking priority over default routing based on severity.
List of strings
Reference
The reason this rule exists, often a link to documentation
String
Reports
A mapping of framework or report names to values this rule covers for that framework
Map of strings to list of strings
Runbook
The actions to be carried out if this rule returns an alert, often a link to documentation
String
SummaryAttributes
A list of fields that alerts should summarize.
List of strings
Threshold
How many events need to trigger this rule before an alert will be sent.
Integer
Tags
Tags used to categorize this rule
List of strings
Tests
Unit tests for this rule
List of maps
InlineFilters
An alternate DisplayName
that can use event values to create a dynamic title for alerts
String
Event values to add to the Event under custom keys to create a dynamic alert context
List of key name and key value pairs
Last updated