V2 Detections
Configure detections fully in Python
Overview
V2 detections are in closed beta starting with Panther version 1.108. Please share any bug reports and feature requests with your Panther support team.
V2 detections are Panther’s evolved approach to detections-as-code. In this framework, detections are defined fully in Python, enabling component reusability and simple rule overrides. The foundation of v2 detections is the Panther-managed pypanther Python library.
Key features
An entirely Python-native experience for importing, writing, modifying, testing, and uploading rules—eliminating the need to manage a fork or clone of panther-analysis.
The ability to apply custom configurations to Panther-managed rules through overrides, filters, and inheritance.
The ability to selectively choose the set of rules you want to include in your Panther deployment package.
Benefits
V2 detections have the following benefits:
No upstream merge conflicts: In the Python (v1) model, merge conflicts can arise when syncing your customized fork of
panther-analysiswith the upstream repository. In this v2 model, Panther-managed rules exist separately from your rule configurations, eliminating the possibility of merge conflicts.Full flexibility and composability: This feature offers complete flexibility in rule creation, enabling full modularity, composability, the ability to override any rule attribute, and full Python inheritance—all providing a customizable and user-centric experience.
First-class developer experience: Backed by a portable, open-source Python library called
pypanther, this framework provides a superior local development experience by hooking into native applications and developer workflows. This library can also be loaded into any Python environment, such as Jupyter Notebooks.
V2 vs. v1 detections
Panther has developed a tool that translates detections from v1 to v2.
V1 detections are rules created in Python as described in Writing Python Detections. V2 detections differ from v1 in the following areas:
File structure: A rule in the v1 framework requires two files: a Python file to define rule logic and dynamic alerting functions and a YAML file to set metadata. A v2 rule is written entirely in Python.
This singular rule definition in a Python class—which contains all functions, properties, and helpers—enables overrides and composability.
Process for retrieving Panther-managed detections: In v1 detections, you must periodically sync your copy of
panther-analysiswith upstream changes. With v2 detections, however, no Git syncing is required—the latest Panther-managed content is always available in thepypantherPython library.Packs: Panther-managed v1 detections are bundled in Detection Packs. In v2 detections, you can choose which detections you want to include in your Panther instance using
get_panther_rules()(or direct imports) withregister().
The same detection, Box.New.Login is defined below in both versions:
| v1 Box New Login rule | v2 Box New Login rule |
|---|---|
Limitations of v2 detections
V2 detections are currently designed for real-time rules developed in the CLI workflow.
While v2 detections are evolving rapidly, they currently have the following limitations:
(Planned) It’s not possible to define new custom Lookup Tables.
It is possible to reference data from existing custom Lookup Tables, as well as Panther-managed Enrichment Providers.
(Planned) No support for Policies, Scheduled Rules, Simple Rules, Correlation Rules.
Only rules (or “real-time rules”) are supported in the v2 framework.
(Planned) It’s not possible to use Data Replay in the CLI or Console workflows.
(Planned) It’s not possible to define your own data models.
It is possible to reference Panther-managed data models in the
pypantherlibrary, usingevent.udm().
Library version pinning and declaring custom dependencies from the repository are not supported.
It’s not possible to edit v2 detections in the Panther Console.
The CLI tool used with v2 detections,
pypanther, does not have all of the commandspanther_analysis_tooldoes.There are limitations on the functionality of the
uploadcommand. See theuploadlimitations section.
Creating v2 detections
Before writing v2 detections, you’ll need to set up your environment. See Getting started using v2 detections below.
When working with v2 detections:
A
main.pyfile controls your entire detection configuration, outlining which rules to register, override configurations, and custom rule definitions. You can either:(Recommended) Define your detections in various other files/folders, then import them into
main.pyDefine your detections in
main.py
A v2 rule is defined in a single Python file. Within it, you can import Panther-managed (or your own custom) v2 rules and specify overrides. A single Python file can define multiple detections.
All v2 rules subclass the
pypantherRuleclass or a parent class of typeRule.Rules must be registered to be tested and uploaded to your Panther instance.
All event object functions currently available in v1 detections are available in v2 detections. These include:
get(),deep_get(),deep_walk(), andudm().All alert functions available in Python (v1) detections are available in v2 detections, such as
title()andseverity(). SeeRuleauxiliary/alerting function reference.Use the
pypanthertype-ahead hints in your IDE, like searching for available rules or viewing properties of classes.
Writing a custom v2 detection from scratch
Custom v2 rules are defined in a Python class that subclasses the pypanther Rule class. In this class, you must:
Define a
rule()function(Optional) Define any of the other alert functions, like
title()ordestinations()
Define certain attributes, such as
log_types(Optional) Define additional attributes, such as
thresholdordedup_period_minutes
The id attribute is only required for a rule if you plan to register it.
See the Rule property reference section below for a full list of required and optional fields.
Importing Panther-managed rules
Panther-managed rules can be imported directly or using the get_panther_rules() function.
Panther-managed rules currently all have a -prototype suffix (e.g., AWS.Root.Activity-prototype). This is temporary, and will be removed in the future.
You may want to import Panther-managed rules (into main.py or another file) to either register them individually as-is, set overrides on them, or subclass them. You can import Panther-managed rules directly (from the pypanther.rules module) or by using the get_panther_rules() function.
To import a Panther-managed rule directly using the rules module, you would use a statement like:
The get_panther_rules() function can filter on any Rule class attribute, such as default_severity, log_types, or tag. When filtering, keys use AND logic, and values use OR logic.
Get all Panther-managed rules using get_panther_rules():
Get Panther-managed rules with certain severities using get_panther_rules():
Get Panther-managed rules for certain log types using get_panther_rules():
Get Panther-managed rules that meet multiple criteria using get_panther_rules():
See Using list comprehension for an example of how to use get_panther_rules() with advanced Python.
Once you’ve imported a Panther-managed rule, you can modify it using inheritance or overrides.
Creating include or exclude filters
V2 detection filters let you exclude certain events from being evaluated by a rule. Filters are designed to be applied on top of existing rule logic (likely for Panther-managed v2 detections you are importing).
Each filter defines logic that is run before the rule() function, and the outcome of the filter determines whether or not the event should go on to be evaluated by the rule.
Common use cases for filters include:
To target only certain environments, like
prodTo exclude events that are known false positives, due to a misconfiguration or other non-malicious scenario
There are two types of filters:
includefilters: If the filter returnsTruefor an event, the event is evaluated byrule()excludefilters: If the filter returnsTruefor an event, the event is dismissed (i.e., not evaluated byrule())
include and exclude, which can be imported from the pypanther.wrap module, can run as standalone functions or as rule class decorators.
Examples as standalone functions:
Example as rule class decorators:
Filters can also be reused with a for loop to decorate multiple rules:
Applying overrides on existing rules
If your objective is to modify a rule's logic, it's recommended to use include/exclude filters instead of overriding the rule() function itself. Learn more in Use filters instead of overriding rule().
Overriding single attributes
You can override a rule’s attributes with a one-line statement:
Overriding multiple attributes with the override function
It’s also possible to configure multi-line overrides with the override() function:
Applying overrides on multiple v2 rules
To apply overrides on multiple rules at once, iterate over the collection using a for loop.
This could be useful, for example, when updating a certain attribute for all rules associated to a certain LogType.
Ensuring necessary fields are set on configuration-required rules
Panther-managed rules that require some customer configuration before they are uploaded into a Panther environment may include a validate_config() function, which defines one or more conditions that must be met for the rule to pass the test command (and function properly).
Most commonly, validate_config() verifies that some class variable, such as an allowlist or denylist, has been assigned a value. If the requirements included in validate_config() are not met, an exception will be raised when the pypanther test command is run (if the rule is registered).
Example:
In this example, if allowed_domains is not assigned a non-empty list, an assertion error will be thrown during pypanther test.
To set this value, you can use a statement like:
Creating v2 rules with inheritance
You can use inheritance to create rules that are subclasses of other rules (that are Panther-managed or custom).
It’s recommended to use inheritance when you’re creating a collection of rules that all share a number of characteristics—for example, rule() function logic, property values, class variables, or helper functions. In this case, it’s useful to create a base rule that all related rules inherit from.
For example, it may be useful to create a base rule for each LogType, from which all rules for that LogType are extended.
Inheritance is commonly used with filters—i.e., subclassed rules can define additional criteria an event must meet in order to be processed by the rule.
If you don’t plan to register a base rule, it’s not required to provide it an id property.
Example:
Using advanced Python in v2 rule creation
Because v2 rules are fully defined in Python, you can use its full expressiveness when customizing your detections.
Calling super()
super()For more advanced use cases, you can supplement the logic in functions defined by the parent rule.
Using list comprehension
You can use Python’s list comprehension functionality to create a new list based on an existing list with condensed syntax. This may be particularly useful when you want to filter a list of detections fetched using get_panther_rules().
Registering
Registering a v2 rule means including it in your Panther deployment package.
To register a rule, pass it in to register() in your main.py file. When you run the pypanther upload or test commands, only rules passed in to register() will be uploaded to your Panther instance or tested.
If a previously uploaded rule is not passed in to register() on a subsequent invocation of upload, it will be deleted in your Panther instance.
Registering a single rule more than once (perhaps because it’s included in multiple collections, which are all passed into register()) will not result in an error.
It’s not required to register rules used as base rules with inheritance so long as you do not want the base rules themselves uploaded into your Panther instance.
Importing instances of Rule
RuleYou can use the get_rules() function to easily fetch rules you might want to register in main.py. get_rules() takes in an imported package (folder) or module (file) name, and returns all rules from that package or module that inherit the pypanther Rule class.
Each folder containing rules imported with get_rules() must contain an __init__.py file. Learn more about recommended repository structure in the V2 Detections Style Guide.
Example using get_rules():
Registering vs. enabling a rule
All rules have an enabled property, which is different from being registered. See the table below for all possible outcomes:
| enabled = True | enabled = False | |
|---|---|---|
Registered | Uploaded to Panther and enabled. Unit tests are run during testing. | Uploaded to Panther and disabled. Unit tests are run during testing. |
Not registered | Not uploaded to Panther. If uploaded previously, deleted. Unit tests are not run during testing. | Not uploaded to Panther. If uploaded previously, deleted. Unit tests are not run during testing. |
Testing v2 detections
Defining tests
Tests for v2 detections are defined by creating instances of the pypanther RuleTest class.
Each instance of RuleTest must set a name, expected_result, and log. Each test can also optionally define:
Additional fields (prepended with
expected_) that verify the output of alert functions. For example,expected_severityandexpected_title.A
mocksfield, which takes a list ofRuleMocks.
See a full list of available fields below, in RuleTest property reference.
Tests are associated with rules by assigning them to a rule’s tests field. Tests can be defined directly within a rule, or separately set to a variable (that is either local or imported).
Example
Note that this rule's tests (defined above the rule class) use mocks, expected_title, expected_dedup, and expected_alert_context.
Running tests
To run all tests defined for your v2 detections, run:
To run only a subset of tests, filter the detections for which tests are run by using a filter flag with test, such as --id or --log-types. See a full list of filter flags by running pypanther test --help.
The test command:
Only tests those detections passed into
register()Skips tests for Panther-managed rules
If any rules fail a test, the error will print next to the rule name that was tested:
Testing custom helper functions and data fixtures
The pypanther test command tests all v2 detection classes that have a tests attribute set. In addition to testing rule() and alert function output in this way, if you have created custom helper functions for use in rules, you may want to write targeted tests for these helper functions. To do this, it's recommended to use a common Python testing framework, such as pytest or unittest.
Currently, pypanther will not run these tests during pypanther test, but they can be run locally or as part of your CI/CD workflow.
Example: using pytest to test a custom function
Say you'd like to write a reusable function that reads a list of AWS account IDs from a file and filters it to include only the production ones. (This function could then be used in an include or exclude filter.) This function might look like the following:
Given this function, there are a few ways in which you may want to test both the data fixture (AWS_ACCOUNTS) itself, as well as the function is_prod_aws_account(). For instance:
To verify that the
AWS_ACCOUNTSdata fixture:Has a certain number of rows
Has a certain required field
To verify that certain account IDs are included in the
prodlist (and others are not)
To test these characteristics using pytest, you would add the following functions (all with the test_ prefix):
After you define these tests, you can invoke them by running pytest from your command line.
Uploading v2 detections to Panther
In order to use the pypanther upload functionality, it must first be enabled for you. If you would like to upload detections, please reach out to your Panther Support team.
To upload all v2 detections that are registered, run:
You must authenticate when using upload. See Authenticating CLI commands, below.
You can see all upload options by running pypanther upload -h, but may find the following options particularly useful:
--verbose: Generates verbose output, which includes a list of tests by detection (and their pass/fail statuses), a list of registered detections, and a list of included files--output {text, json}: Prints output in the provided formattextis the default value, butjsoncan be useful if you plan to port the output into another workflow
If a previously uploaded rule is not passed in to register() on a subsequent invocation of upload, it will be deleted in your Panther instance.
Uploading a v2 rule with the same id as an existing v1 rule's RuleId will overwrite it. The same is true in the other direction—i.e., uploading a v1 rule with the same RuleId as an existing v2 rule's id will overwrite it.
upload limitations
upload limitationsCurrently, the following limitations on pypanther upload apply:
A maximum of 500 rules can be uploaded at once.
The total size of the zip file
pypantherproduces for upload cannot exceed 4 MB.
Getting started using v2 detections
Panther has provided this pypanther-starter-kit repository, containing v2 detection examples, which you can clone to quickly get up and running.
Get started by following the setup instructions in the repository's README.
Rule property reference
Rule property referenceRequired properties are bolded.
| Property | Data type | Overwritten by | Default value | Description/notes |
|---|---|---|---|---|
| List[ | |||
| String | Required only for registered rules | ||
|
|
| ||
| Boolean |
| ||
| Non-negative integer |
| ||
| String |
|
| |
| String |
| ||
| Boolean |
| ||
| List[String] |
|
| |
| String |
|
| |
| Dictionary[String,List[String]] |
| ||
| String |
|
| |
| List[String] |
| ||
| List[String] |
| ||
| List[ |
| ||
| Positive integer |
|
RuleTest property reference
RuleTest property reference| Property | Data type | Default | Description |
|---|---|---|---|
| String | The name of the test case | |
| Boolean | Whether | |
| Dictionary | String | The log event that should be tested against the detection | |
| list[ |
| |
|
|
| The expected severity of the resulting alert |
| String |
| The expected title of the resulting alert |
| String |
| The expected deduplication string of the resulting alert |
| String |
| The expected runbook of the resulting alert |
| String |
| The expected reference of the resulting alert |
| String |
| The expected description of the resulting alert |
| Dictionary |
| The expected alert context of the resulting alert |
RuleMock property reference
RuleMock property reference| Property | Data type | Default |
|---|---|---|
| String | |
| Any |
|
| Any |
|
| Any |
|
Rule auxiliary/alerting function reference
Rule auxiliary/alerting function referenceRequired methods are bolded.
| Function | Data type it returns | Default value | Description/notes |
|---|---|---|---|
| Boolean | ||
|
| Value of | |
| String | Value of | |
| String | Value of | |
| List[String] | Value of | |
| String | Value of | |
| String | Value of | |
| String | Value of | |
| Dictionary |
pypanther convenience function reference
pypanther convenience function reference| Convenience function | How it works |
|---|---|
| |
| |
| See Registering |
|
pypanther CLI command reference
pypanther CLI command reference| Command | Required flag(s) | How it works | Required API permission(s) |
|---|---|---|---|
| See Running tests
To see a full list of command options, run | None | |
| Either | Lists rule attributes in a table for easy viewing To see a full list of command options, run | None |
| Gets the attributes of a single rule. Can also retrieve the original class definition
To see a full list of command options, run | None | |
| Warning: In order to use the pypanther | Bulk Upload |
Authenticating CLI commands
Certain pypanther CLI commands, like upload, require authentication with your Panther instance. This means they require a valid Panther API host URL and API token. After you locate/generate these values, you will make them visible to pypanther.
Step 1: Locate/generate your Panther API host URL and token
Panther API host URL: Follow these instructions to locate your GraphQL API URL.
Panther API token: Follow these instructions to generate an API token, being sure to attach any permissions required by the
pypanthercommands you'd like to use. See the Required API permission(s) column in the table above.
Step 2: Make API host and token values visible to pypanther
pypantherOnce you have API host and token values, you can choose how to expose them to pypanther when you are executing a CLI command. The following methods are in order of precedence, meaning option one overrides option two:
Pass the host and token on the command line using
--api-tokenand--api-host.Set the host and token as environment variables using
PANTHER_API_TOKENandPANTHER_API_HOST.
Last updated