Using the Simple Detection Builder

In the left-hand navigation bar of your Panther Console, click Build > Detections.

Click Create New.

On the New Detection page, select Rule for the detection type.

In the Basic Info section, provide values for the following fields:

• Name: Enter a descriptive name for the rule.

• ID (optional): Click the pen icon and enter a unique ID for your rule.

In the upper-right corner, click Continue.

In the For the Following Source section, select the Log Types this detection will apply to.

In the Detect section, under How do you want to define your logic? click Simple Detection Builder.

• The no-code detection builder will appear.

To the right of Where, click +. In the menu that appears select either Add Clause or Add Clause Group.

For each clause (either on its own or within a group), define the logic:

1. Click Key, then select an event key the condition will apply to.

2. Click Condition, then select a condition.

3. If the selected Condition requires an inputted value(s) (e.g., is or contains), provide a value or list of values.

Between each clause and clause group, ensure the correct combinator (either and or or) is selected.

(Optional) Once you have finished constructing your detection logic, you can view the result in raw YAML by selecting Text Editor in the toggle in the upper-right corner of the Detect section.

In the Set Alert Fields section, under Required Fields, select a Severity.

• Learn more about alert severities in the Alert severities table.

Within Optional Fields, set the dynamic alert fields:

• Title:

  1. To the right of Change to, click the plus (+).

  2. Enter a string, using curly braces where you want to dynamically substitute an event value.

Within Optional Fields, set the static alert fields:

• Description: Enter additional context about the rule.

• Runbook: Enter the procedures and operations relating to this rule.

  • To see examples of runbooks for built-in rules, see Alert Runbooks.

• Reference: Enter an external link to more information relating to this rule.

• Destination Overrides: Choose destinations to receive alerts for this detection, regardless of severity. Note that destinations can also be set dynamically, in the rule function. See Routing Order Precedence to learn more about routing precedence.

• Deduplication Period: Choose a period of time over which to deduplicate events. Learn more in Deduplication of alerts.

• Events Threshold: Enter the deduplication event threshold. Learn more in Deduplication of alerts.

• Summary Attributes: Enter the attributes you want to showcase in the alerts that are triggered by this detection.

  • To use a nested field as a summary attribute, use the Snowflake dot notation in the Summary Attribute field to traverse a path in a JSON object:

    <column>:<level1_element>.<level2_element>.<level3_element>

    The alert summary will then be generated for the referenced object in the alert. Learn more about traversing semi-structured data in Snowflake here.

  • For more information on Alert Summaries, see Assigning and Managing Alerts.

• Tags: Enter custom tags to help you understand the rule at a glance (e.g., HIPAA.)

• Framework Mapping:

  1. Click Add New to enter a report.

  2. Provide values for the following fields:

     • Report Key: Enter a key relevant to your report.

     • Report Values: Enter values for that report.

Within Test, in the Unit Test section, click Add New to create a test for the rule.

In the upper-right corner, click Deploy.