Rules and Scheduled Rules
Panther's rules and scheduled rules are Python functions that detect suspicious activity in logs, then generate alerts
Last updated
Was this helpful?
Panther's rules and scheduled rules are Python functions that detect suspicious activity in logs, then generate alerts
Last updated
Was this helpful?
Rules and scheduled rules are Python functions through which log data is run to detect suspicious activity and generate alerts. Rules and scheduled rules apply to logs, while apply to cloud resource configurations. Panther provides a number of , which are already written and continuously updated.
Common examples of rules include analyzing logs for:
Authentication from unknown or unexpected locations
Sensitive API calls, such as administrative changes to SaaS services
Network traffic access to sensitive data sources, such as databases or virtual machines
New, suspicious entries added into a system's scheduled tasks, like cron
Alerts generated from NIDS, HIDS, or other security systems
Both rules and scheduled rules have a Python rule function through which log events are run, but rules analyze real-time events, while scheduled rules analyze events queried from your data lake.
Rules
Rules, sometimes referred to as real-time rules, are the default mechanism of analyzing data sent to Panther. Rules work by accepting a defined set of log types such as Okta, Box, or your own . Rules have the benefit of low-latency detection and alerting.
Use cases: High-signal logs that do not require joins with other data.
Scheduled rules
Scheduled rules work by accepting individual rows output from an associated .
Use cases: Querying windows of time further in the past, running statistical analysis over data, or joining separate data streams.
Rules and scheduled rules each analyze one event at a time. They use event thresholds and de-duplication to create event grouping within windows of time. At a minimum, each rule and scheduled rule must contain a rule function. Rules and scheduled rules can also contain title, dedup, alert_context, and severity functions.
Events triggering the same detection within its deduplication period that also share a deduplication string will be grouped together in a single alert.
Each rule and scheduled rule has a default event threshold of 1 and deduplication period of 1h. This means all events returning True from the rule function (with the same deduplication string) will be grouped into a single alert within the hour after first being generated.
A rule or scheduled rule with an event threshold of 5 and deduplication period of 15m would not trigger an alert until five or more events (with the same deduplication string) passed into the rule function returned True within a 15-minute time period.
The order of precedence for setting the deduplication string is as follows:
Ifdedup is not defined, the output of the detection's title function is used.
If title is not defined, the detection's ID is used.
The deduplication period is not affected by changing the status of an alert. This means, for example, events will continue to be grouped into the same alert for the length of the deduplication period even if an alert's status is changed to Resolved.
Note: Anything printed to stdout or stderr by your Python code will end up in CloudWatch. For SaaS/CPaaS customers, Panther engineers can see these CloudWatch logs during routine application monitoring.
In the left-hand navigation bar of your Panther Console, click Build > Detections.
Click Create New.
On the New Detection page, select Rule for the detection type.
In the Basic Info section, provide values for the following fields:
Name: Enter a descriptive name for the rule.
ID (optional): Click the pen icon and enter a unique ID for your rule.
In the upper-right corner, click Continue.
On the next page, configure your rule:
In the upper-right corner, the Enabled toggle will be set to ON by default. If you'd like to disable the rule, flip the toggle to OFF.
In the For the Following Source section:
Log Types: Select the log types this rule should apply to.
In the Detect section:
In the Rule Function text editor, write a Python rule function to define your detection.
In the Set Alert Fields section:
In the Optional Fields section, optionally provide values for the following fields:
Description: Enter additional context about the rule.
Runbook: Enter the procedures and operations relating to this rule.
Reference: Enter an external link to more information relating to this rule.
Summary Attributes: Enter the attributes you want to showcase in the alerts that are triggered by this detection.
To use a nested field as a summary attribute, use the Snowflake dot notation in the Summary Attribute field to traverse a path in a JSON object:
<column>:<level1_element>.<level2_element>.<level3_element>
Custom Tags: Enter custom tags to help you understand the rule at a glance (e.g., HIPAA.)
In the Framework Mapping section:
Click Add New to enter a report.
Provide values for the following fields:
Report Key: Enter a key relevant to your report.
Report Values: Enter values for that report.
In the Test section:
In the upper-right corner, click Save.
If the scheduled query returns multiple rows, each row is processed by the rule function as a separate event. The number of alerts triggered depends on the deduplication settings you've configured on the scheduled rule.
In the left-hand navigation bar of your Panther Console, click Build > Detections.
Click Create New.
On the New Detection page, select Scheduled Rule for the detection type.
In the Basic Info section, provide values for the following fields:
Name: Enter a descriptive name for the scheduled rule.
ID (optional): Click the pen icon and enter a unique ID for your scheduled rule.
In the upper-right corner, click Continue.
On the next page, configure your scheduled rule:
In the upper-right corner, the Enabled toggle will be set to ON by default. If you'd like to disable the scheduled rule, flip the toggle to OFF.
In the For the Following Scheduled Queries section:
In the Detect section:
In the Rule Function text editor, write a Python rule function to define your detection.
In the Set Alert Fields section:
In the Optional Fields section, optionally provide values for the following fields:
Description: Enter additional context about the rule.
Runbook: Enter the procedures and operations relating to this rule.
Reference: Enter an external link to more information relating to this rule.
Summary Attributes: Enter the attributes you want to showcase in the alerts that are triggered by this detection.
To use a nested field as a summary attribute, use the Snowflake dot notation in the Summary Attribute field to traverse a path in a JSON object:
<column>:<level1_element>.<level2_element>.<level3_element>
Custom Tags: Enter custom tags to help you understand the rule at a glance (e.g., HIPAA.)
In the Framework Mapping section:
Click Add New to enter a report.
Provide values for the following fields:
Report Key: Enter a key relevant to your report.
Report Values: Enter values for that report.
In the Test section:
In the upper-right corner, click Save.
In the event of a query timeout, the Python code for Destinations will not run.
As an example, let's write a rule to send an alert when an admin panel is accessed on a web server. The following NGINX log below will be used:
A basic rule would look like this:
A rule function that looks for 200 (OK) web requests to any URL with the admin-panel string.
Return type: Boolean.
A title to say that admin panel logins have been logged into from a specific IP address.
Return type: String.
A dedup function to group all events by the same IP address.
Return type: String.
Then, the following would occur:
The alert would say Successful admin panel login detected from 180.76.15.143
Similar events with the same dedup string of 180.76.15.143 would be appended to the alert
The recipient of the alert could then check Panther to view all alert metadata, a summary of the events, and run SQL over all of the events to perform additional analysis
A unique alert will be generated for each unique deduplication string, which in this case, is the IP of the requestor.
We recommend following these guidelines to define alert severity levels:
Severity
Exploitability
Description
Examples
Info
None
No risk, simply informational
Gaining operational awareness.
Low
Difficult
Little to no risk if exploited
Non-sensitive information leaking such as system time and OS versions.
Medium
Difficult
Moderate risk if exploited
Expired credentials, missing protection against accidental data loss, encryption settings, best practice settings for audit tools.
High
Moderate
Very damaging if exploited
Large gaps in visibility, directly vulnerable infrastructure, misconfigurations directly related to data exposure.
Critical
Easy
Causes extreme damage if exploited
Public data/systems available, leaked access keys.
Required fields are in bold.
Field Name
Description
Expected Value
AnalysisType
Indicates whether this analysis is a rule, scheduled_rule, policy, or global
Rules: rule
Scheduled Rules: scheduled_rule
Enabled
Whether this rule is enabled
Boolean
FileName
The path (with file extension) to the python rule body
String
RuleID
The unique identifier of the rule
String
LogTypes
The list of logs to apply this rule to
List of strings
Severity
What severity this rule is
One of the following strings: Info, Low, Medium, High, or Critical
ScheduledQueries (field only for Scheduled Rules)
The list of Scheduled Query names to apply this rule to
List of strings
Description
A brief description of the rule
String
DedupPeriodMinutes
The time period (in minutes) during which similar events of an alert will be grouped together
15,30,60,180 (3 hours),720 (12 hours), or 1440 (24 hours)
DisplayName
A friendly name to show in the UI and alerts. The RuleID will be displayed if this field is not set.
String
OutputIds
Static destination overrides. These will be used to determine how alerts from this rule are routed, taking priority over default routing based on severity.
List of strings
Reference
The reason this rule exists, often a link to documentation
String
Reports
A mapping of framework or report names to values this rule covers for that framework
Map of strings to list of strings
Runbook
The actions to be carried out if this rule returns an alert, often a link to documentation
String
SummaryAttributes
A list of fields that alerts should summarize.
List of strings
Threshold
How many events need to trigger this rule before an alert will be sent.
Integer
Tags
Tags used to categorize this rule
List of strings
Tests
Unit tests for this rule.
List of maps
The output of the detection's function is used.
The detection editor in the Panther Console supports a maximum deduplication period of 24 hours. If you upload your detections via the bulk uploader or the , there is no limit on the value of DedupPeriodMinutes.
You can write rules and scheduled rules in the Panther Console, or you can write them locally. Before you start writing a new rule, remember to check to see if there's an existing that meets your needs.
Writing detections locally means creating Python and metadata files that define a Panther detection on your own machine. After writing detections locally, you upload the files to your Panther instance, typically via .
These instructions outline how to set up real-time rules. To configure a scheduled rule, see .
For detection templates and examples, see the .
Severity: Select a for the alerts triggered by this detection.
To see examples of runbooks for built-in rules, see .
Destination Overrides: Choose destinations to receive alerts for this detection, regardless of severity. Note that destinations can also be set dynamically, in the rule function. See to learn more about routing precedence.
Deduplication Period and Events Threshold: Enter the deduplication period and threshold for rule matches. To learn how deduplication works, see .
The alert summary will then be generated for the referenced object in the alert.
For more information on Alert Summaries, see .
In the Unit Test section, click Add New to for the rule you defined in the previous step.
After you have created a rule, you can modify it using .
We advise that you start your custom detection content by creating either or a from Panther's .
We recommend grouping rules into folders based on log/resource type, e.g., suricata_rules or aws_s3_policies. You can use the repo as a reference.
When this rule is uploaded, each of the fields you would normally populate in the Panther Console will be auto-filled. See below for a complete list of required and optional fields.
Scheduled rules are associated with one or more . If you have not yet created a scheduled query, follow the first, then return here to create the scheduled rule.
We recommend doing as much data processing as is possible in SQL (i.e., in the ) in order to take advantage of database optimizations and improve rule performance.
Scheduled Queries: Select one or more this scheduled rule should apply to.
If all your filtering logic is already taken care of in the SQL of the associated , you can configure the rule function to simply return true for each row:
For detection templates and examples, see the
Severity: Select a for the alerts triggered by this detection.
To see examples of runbooks for built-in rules, see .
Destination Overrides: Choose destinations to receive alerts for this detection, regardless of severity. Note that destinations can also be set dynamically, in the rule function. See to learn more about routing precedence.
Deduplication Period and Events Threshold: Enter the deduplication period and threshold for rule matches. To learn how deduplication works, see .
The alert summary will then be generated for the referenced object in the alert.
For more information on Alert Summaries, see .
In the Unit Test section, click Add New to for the rule you defined in the previous step.
Once you've clicked Save, the scheduled rule will become active. The SQL returned from the associated (at the interval defined in the query) will be run through the scheduled rule (if, that is, any rows are returned).
After you have created a rule, you can modify it using .
We advise that you start your custom detection content by creating either or a from Panther's .
We recommend grouping rules into folders based on log/resource type, e.g., suricata_rules or aws_s3_policies. You can use the repo as a reference.
Scheduled rules allow you to analyze the output of a with Python. Returning a value of True indicates suspicious activity, which triggers an alert.
When this scheduled rule is uploaded, each of the files will connect a scheduled query with a rule, and fill in the fields you would normally populate in the Panther Console will be auto-filled. See below for a complete list of required and optional fields.
Rule errors and scheduled rule errors are types of generated when a detection's Python code raises an exception.
If there is no specific routing configured for rule errors, the alert for a rule error will route to the same used by the alert. See for more information.
See templates for rules and scheduled rules in the .
For in-depth detection examples, best practices, and information on functions and features, see .
An alert would be generated and sent to the set of associated , which by default are based on the rule severity