Panther Detections contain several Python3 functions that control the analysis logic, generated alert title, event grouping, routing of alerts, and metadata overrides.
Rules are very customizable and can import from standard Python libraries or global helpers. Additional functions, variables, or classes may also be defined outside of the functions defined below for advanced use or cleaner code. Starting in version 1.24, these auxiliary functions will also be available to policies.
Read Runtime Environment to learn more about the available libraries and how to add custom or third-party ones.
Each function listed below takes a single argument: event (for rules) or resource (for policies).
| Function | Description | Default Return Value |
| --- | --- | --- |
| `title` | The generated alert title | If not defined, the Display Name, RuleID, or PolicyID is used |
| `dedup` | The string to group related events with, limited to 1000 characters | If not defined, the `title` function output is used |
| `alert_context` | Additional context to pass to the alert destination(s) | An empty Dict |
| `severity` | The level of urgency of the alert: INFO, LOW, MEDIUM, HIGH, or CRITICAL | The severity as defined in the detection metadata |
| `description` | An explanation of why the rule exists | The description as defined in the detection metadata |
| `reference` | A reference URL to an internal document or online resource about the rule | The reference as defined in the detection metadata |
| `runbook` | A list of instructions to follow once the alert is generated | The runbook as defined in the detection metadata |
| `destinations` | The label or ID of the destinations to specifically send alerts to. An empty list will suppress all alerts. | The destinations as defined in the detection metadata |
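The following is an added example, not code from the Panther docs: a rule module that implements the functions in the table above for a CloudTrail logging-tampering detection, with a module-level helper as the docs permit. The event shape, the destination labels, and the `evaluate` harness that mimics the dispatch order are assumptions constructed for illustration, not Panther's engine.

```python
from typing import Optional

# Destination labels and the event shape below are constructed for this example.
SENSITIVE_ACTIONS = {"DeleteTrail", "StopLogging", "PutEventSelectors"}
VALID_SEVERITIES = {"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"}

def _actor(event: dict) -> str:
    # Helper defined outside the standard functions, as the docs allow.
    return event.get("userIdentity", {}).get("arn", "<unknown>")

def rule(event: dict) -> bool:
    # Analysis logic: fire only on *successful* tampering with CloudTrail logging.
    return event.get("eventName") in SENSITIVE_ACTIONS and "errorCode" not in event

def title(event: dict) -> str:
    return f"CloudTrail logging tampered by {_actor(event)}: {event['eventName']}"

def dedup(event: dict) -> str:
    # Group by actor so a burst from one principal collapses into one alert;
    # the dedup string is capped at 1000 characters, so truncate defensively.
    return _actor(event)[:1000]

def severity(event: dict) -> str:
    # Override the metadata severity: deleting the trail is worse than pausing it.
    return "CRITICAL" if event["eventName"] == "DeleteTrail" else "HIGH"

def alert_context(event: dict) -> dict:
    # Extra fields shipped to the destination for triage.
    return {"actor": _actor(event), "region": event.get("awsRegion"),
            "request": event.get("requestParameters", {})}

def destinations(event: dict) -> list:
    # Route by severity to hypothetical destination labels; an empty list would
    # suppress the alert entirely, so never return one unintentionally.
    return ["security-oncall"] if severity(event) == "CRITICAL" else ["security-triage"]

def evaluate(event: dict) -> Optional[dict]:
    # Mimics the dispatch order (assumption): auxiliary functions run only when
    # rule() returns True, and the severity string is validated before use.
    if not rule(event):
        return None
    sev = severity(event)
    if sev not in VALID_SEVERITIES:
        raise ValueError(f"invalid severity {sev!r}")
    return {"title": title(event), "dedup": dedup(event), "severity": sev,
            "alert_context": alert_context(event), "destinations": destinations(event)}

SAMPLE_EVENT = {"eventName": "DeleteTrail", "awsRegion": "us-east-1",  # constructed
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"name": "org-trail"}}
```

Running `evaluate(SAMPLE_EVENT)` yields a CRITICAL alert routed to `security-oncall`, while the same call with an `errorCode` field present returns `None` because `rule()` never fires.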