Using the Simple Detection Builder

Create and edit detections without code

PreviousRules and Scheduled Rules NextWriting YAML Detections

Last updated 1 year ago

Was this helpful?

Using the Simple Detection Builder

Create and edit detections without code

Overview

This functionality, as part of the feature set, is in closed beta starting with Panther version 1.81. To request access to the feature or share any bug reports or feature requests, please contact your Panther support team.

You can use the Simple Detection builder in the Panther Console to create and edit using drop-down fields. The builder lets you manage detections without writing code, but retains the benefits of detections-as-code, e.g., expressiveness, testability, CI/CD integration, and reusability.

The Simple Detection builder is part of the feature set, which promotes collaboration among team members with all levels of technical skill. Detections constructed in the CLI workflow in , then uploaded to Panther, will be viewable and editable in the Simple Detection builder in the Console.

See step-by-step instructions on how to create rules using the Simple Detection builder below, in .

If your team uses the CLI workflow to manage detection content, the changes made to detections using the Simple Detection builder in the Console will be overwritten on next upload (except for created in the Console, which will be preserved).

If you create or edit detections using the Simple Detection builder in the Console, copy the resulting YAML representation and include it in your local detections files, in order to prevent the changes from being overwritten on next upload.

Video overview

Limitations of the Simple Detection builder

Simple Detection builder limitations

Only YAML rules (not scheduled rules nor policies) can be created or rendered in the Simple Detection builder.
- The Simple Detection builder can render the All and Any combinators.
- Equals
- DoesNotEqual
- IsGreaterThan
- IsGreaterThanOrEquals
- IsLessThan
- IsLessThanOrEquals
- Contains
- DoesNotContain
- StartsWith
- EndsWith
- IsIPAddressInCIDR
- IsIPAddressNotInCIDR
- CIDRContainsIPAddresses
- CIDRDoesNotContainIPAddresses
- IsIn
- IsNotIn
- IsIPAddressPublic
- IsIPAddressPrivate
- IsNullOrEmpty
- IsNotNullOrEmpty

How to create a rule in the Simple Detection builder

Creating a rule in the Simple Detection builder in the Console

In the left-hand navigation bar of your Panther Console, click Build > Detections.
Click Create New.
On the New Detection page, select Rule for the detection type.
In the Basic Info section, provide values for the following fields:
- Name: Enter a descriptive name for the rule.
- ID (optional): Click the pen icon and enter a unique ID for your rule.
In the upper-right corner, click Continue.
- The no-code detection builder will appear.
For each clause (either on its own or within a group), define the logic:
1. Click Key, then select an event key the condition will apply to.
2. Click Condition, then select a condition.
3. If the selected Condition requires an inputted value(s) (e.g., is or contains), provide a value or list of values.
Between each clause and clause group, ensure the correct combinator (either and or or) is selected.
(Optional) Once you have finished constructing your detection logic, you can view the result in raw YAML by selecting Text Editor in the toggle in the upper-right corner of the Detect section.
In the Set Alert Fields section, under Required Fields, select a Severity.
Within Optional Fields, set the dynamic alert fields:
- Title:
  1. To the right of Change to, click the plus (+).
Within Optional Fields, set the static alert fields:
- Description: Enter additional context about the rule.
- Runbook: Enter the procedures and operations relating to this rule.
- Reference: Enter an external link to more information relating to this rule.
- Summary Attributes: Enter the attributes you want to showcase in the alerts that are triggered by this detection.
  - To use a nested field as a summary attribute, use the Snowflake dot notation in the Summary Attribute field to traverse a path in a JSON object:
    <column>:<level1_element>.<level2_element>.<level3_element>
- Tags: Enter custom tags to help you understand the rule at a glance (e.g., HIPAA.)
- Framework Mapping:
  1. Click Add New to enter a report.
  2. Provide values for the following fields:
    Report Key: Enter a key relevant to your report.
    Report Values: Enter values for that report.
In the upper-right corner, click Deploy.

PreviousRules and Scheduled Rules NextWriting YAML Detections

Last updated 1 year ago

Was this helpful?