Detection Auxiliary Functions
Functions
Panther Detections contain several Python3 functions that control the analysis logic, generated alert title, event grouping, routing of alerts, and metadata overrides.
Rules are very customizable and can import from standard Python libraries or global helpers. Additional functions, variables, or classes may also be defined outside of the functions defined below for advanced use or cleaner code. Starting in version 1.24, these auxiliary functions will also be available to policies.
Read Runtime Environment to learn more about the available libraries and how to add custom or third-party ones.
Each function listed below takes a single argument of
event (for rules) or resource (for policies).Name
Description
Return Value
Default Return Value
titleThe generated alert title
StringIf not defined, the
Display Name, RuleID, or PolicyID is useddedupThe string to group related events with, limited to 1000 characters
StringIf not defined, the
titlefunction output is used.alert_contextAdditional context to pass to the alert destination(s)
Dict[String: Any]An empty
DictseverityThe level of urgency of the alert
INFO, LOW, MEDIUM, HIGH, or CRITICALThe severity as defined in the detection metadata
descriptionAn explanation about why the rule exists
StringThe description as defined in the detection metadata
referenceA reference URL to an internal document or online resource about the rule
StringThe reference as defined in the detection metadata
runbookA list of instructions to follow once the alert is generated
StringThe runbook as defined in the detection metadata
destinationsThe label or ID of the destinations to specifically send alerts to. An empty list will suppress all alerts.
List[Destination Name]The destinations as defined in the detection metadata
​
Last modified 1mo ago
Copy link