Simple Detection Error Codes

Troubleshoot Simple Detections errors

Overview

This functionality, as part of the Simple Detections feature set, is in closed beta starting with Panther version 1.81. To request access to the feature or share any bug reports or feature requests, please contact your Panther support team.

Error codes from the Simple Detections model are stable, meaning they do not change over time and are formatted consistently.

Error codes have 10 characters, and each character group represents something different. To demonstrate this, take the error code SD00100001. It is broken down as follows:

  • First and second characters: Always SD

  • Third, fourth, and fifth characters: Represent the category: 001 - general

  • Sixth through tenth characters: Unique error code: 00001 - no rule specified
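As an added example (not part of this page and not Panther's code), the following Python decoder implements the format just described: it validates the SD prefix, splits the three-digit category from the five-digit code, and tallies codes per category from log lines. The category names are the ones this page lists; KNOWN_CODES copies a few descriptions from this page and is not a complete catalogue, and the sample log lines are constructed.

```python
"""Decoder for Simple Detections error codes of the form SDcccnnnnn.

Added example, not Panther's code. Category names are the ones this page
lists; KNOWN_CODES copies a few descriptions from this page and is not a
complete catalogue."""
import re
from dataclasses import dataclass

# SD, a 3-digit category, then a 5-digit code unique within the category.
ERROR_CODE_RE = re.compile(r"^SD(\d{3})(\d{5})$")
CATEGORIES = {"001": "general", "002": "unmarshaler", "003": "core",
              "004": "transpiler", "005": "filters"}
KNOWN_CODES = {
    ("001", "00001"): "no rule specified",
    ("001", "00002"): "file could not be read at the specified path",
    ("002", "00001"): "YAML file could not be unmarshaled",
    ("002", "00003"): "invalid key specifier",
    ("003", "00013"): "dynamic severity specified with no conditions",
    ("005", "00001"): "match expression could not be converted to an Inline Filter",
}


@dataclass(frozen=True)
class SimpleDetectionError:
    raw: str
    category_id: str
    category: str
    code: str
    description: str


def parse_error_code(raw: str) -> SimpleDetectionError:
    """Validate and split a 10-character SD error code.

    Raises ValueError for anything that is not 'SD' followed by eight digits,
    or whose category this page does not document.
    """
    raw = raw.strip()
    match = ERROR_CODE_RE.match(raw)
    if match is None:
        raise ValueError(f"not a Simple Detections error code: {raw!r}")
    category_id, code = match.groups()
    if category_id not in CATEGORIES:
        raise ValueError(f"unknown error category {category_id} in {raw!r}")
    description = KNOWN_CODES.get((category_id, code), "undocumented code")
    return SimpleDetectionError(raw, category_id, CATEGORIES[category_id], code, description)


def is_valid_error_code(raw: str) -> bool:
    """True when raw parses as an error code in a documented category."""
    try:
        parse_error_code(raw)
    except ValueError:
        return False
    return True


def summarize_errors(log_lines):
    """Count codes per category across log lines that embed SD error codes.

    The category alone tells you where to look first: 002 means the YAML
    itself did not parse, 003 that it parsed but failed data-model
    validation, 005 that an Inline Filter used something unsupported.
    """
    counts = {}
    for line in log_lines:
        for token in re.findall(r"\bSD\d{8}\b", line):
            try:
                err = parse_error_code(token)
            except ValueError:  # e.g. an undocumented category
                continue
            counts[err.category] = counts.get(err.category, 0) + 1
    return counts


# Constructed sample log lines; the line format is made up for this example.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z upload failed rule=Test.MultiMatch.Key error=SD00100001",
    "2024-05-01T10:00:01Z upload failed rule=Example.GroupBy error=SD00200003",
    "2024-05-01T10:00:02Z upload failed rule=Example.Broken error=SD00200001",
    "2024-05-01T10:00:03Z upload failed rule=Example.Filter error=SD00500001 (see SD9999)",
]
```

Because the codes are stable, the category prefix is safe to key alerting or triage dashboards on; the summarize_errors tally shows one way to use that when a batch upload fails.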

001 errors: general

Error code | Description

SD00100001

This error code is returned when a rule is not specified in the provided Simple Detections YAML, for example when the YAML file has a top-level Detection key with no content under it:

AnalysisType: rule
RuleID: Test.MultiMatch.Key
DisplayName: a simple test of Multi-key match expressions
Severity: High
Enabled: true
LogTypes: 
  - Panther.Audit
Detection:

SD00100002

This error code is returned when a file could not be read at the specified path.

SD00100003

This error code is returned when an unexpected type is encountered. This usually happens when you try to use a Condition like IsLessThanOrEquals with a non-numeric value.

SD00100004

This error code is returned when a Condition expected an integer value but got something else.

SD00100005

This error code is returned when a Condition expected a float value but got something else.

SD00100006

This error code is returned when a Condition expected a boolean value but got something else.

SD00100007

This error code is returned when a Condition expected a string value but got something else.

002 errors: unmarshaler

Error code | Description

SD00200001

This error code is returned when a YAML file could not be unmarshaled. This most often occurs when the YAML file is malformed.

SD00200002

This error code is returned when a YAML node could not be unmarshaled. This most often occurs when the Condition is invalid or the match expression is malformed.

SD00200003

This error code is returned when the key specifier is invalid. This occurs when:

  • A multi-key match expression has a malformed entry under the Values key:

- Condition: Equals
  Values:
    # This first list element is invalid. It cannot have both Key and KeyPath.
    - Key: abc
      KeyPath: a.b.c
    - Key: def

  • A GroupBy statement has a malformed entry under the GroupBy key:

GroupBy:
  # This first list element is invalid. It cannot have both Key and KeyPath.
  - Key: abc
    KeyPath: a.b.c
  - Key: def

  • An AlertContext has a malformed entry in the Value that specifies which key's context to capture:

AlertContext:
  - Key: my.alert.context.key
    # The following Value field is invalid: you can only specify a single key specifier (Key, DeepKey, or KeyPath)
    Value:
      Key: p_any_ip_addresses
      KeyPath: p_any_ip_addresses

SD00200004

This error code is returned when the YAML match expression for an existence Condition is malformed. Usually, this occurs when a Value or Values key is specified in the YAML:

- Key: abc
  Condition: Exists
  Value: someInvalidString # This Value key is invalid.

SD00200005

This error code is returned when, after we finish unmarshaling the YAML, the resulting struct is invalid. Simple Detections runs a number of validations at this stage, including:

  • Validation that the specified key specifier format is correct

  • Validation that absolute Conditions (AlwaysTrue, AlwaysFalse) are only used with absolute match expressions

  • Validation that a specified KeyPath is using valid syntax

  • Validation that a specified Key is using valid syntax

003 errors: core

Error code | Description

SD00300001

This error is returned when a Simple Detection Rule Data Model could not be created. Most commonly, this will be a catch-all for less specific errors. Check the "Inner Error" for additional details.

SD00300002

This error is returned when a Simple Detection Filter Data Model could not be created. Most commonly, this will be a catch-all for less specific errors. Check the "Inner Error" for additional details.

SD00300003

This error is returned when Simple Detections was able to unmarshal the provided YAML but was unable to create a valid Simple Detections data model. This error should rarely occur, but if it does, it is likely due to a bug in the Simple Detections data models.

SD00300004

This error is returned when Simple Detections was able to create a valid Simple Detections data model but was unable to validate the constructed match expression. Validations that are run on constructed match expressions include, by type:

  • Existence conditions:

  • Absolute conditions:

    • only a Condition is provided

  • Scalar conditions:

  • List conditions:

  • Multi-key match expressions:

    • Condition and Values are provided

  • List comprehension conditions:

    • a key specifier, Condition, and Expressions are provided

    • Expressions contains:

      • One or more nested list comprehensions, i.e., a list comprehension calling another list comprehension

      • One or more simpler (i.e., not list comprehension) match expressions

SD00300005

This error code is returned when Simple Detections was able to create a valid Simple Detections data model but was unable to validate the GroupBy statement. Validations that are run on the GroupBy statement include:

SD00300006

This error code is returned when a Simple Detection GroupBy Data Model could not be created. Most commonly, this will be a catch-all for less specific errors. Check the "Inner Error" for additional details.

SD00300007

This error code is returned when a Match Expression was expected to be a list comprehension but is not. This is most commonly returned when:

  • A dynamic severity is specified

  • A list comprehension is used in an Inline Filter

    • List comprehensions are not allowed in InlineFilters

SD00300008

This error code is returned when a Simple Detection Alert Context Data Model could not be created. Most commonly, this will be a catch-all for less specific errors. Check the "Inner Error" for additional details.

SD00300009

This error code is returned when Simple Detections was able to create a valid Simple Detections data model but was unable to validate the AlertContext statement. Validations that are run on the AlertContext statement include:

  • A minimum of one (1) key/value pair is provided if AlertContext is specified

SD00300010

This error code is returned when Simple Detections was unable to validate the provided AlertTitle. Validations that are run on the AlertTitle include:

  • The AlertTitle is not empty

SD00300011

This error code is returned when a Simple Detection AlertTitle Data Model could not be created. Most commonly, this will be a catch-all for less specific errors. Check the "Inner Error" for additional details.

SD00300012

This error code is returned when a Simple Detection Dynamic Severities Data Model could not be created. Most commonly, this will be a catch-all for less specific errors. Check the "Inner Error" for additional details.

SD00300013

This error code is returned when a Dynamic Severity is specified but has no conditions:

DynamicSeverities: 
  - ChangeTo: CRITICAL
    Conditions: []

SD00300014

This error code is returned when Simple Detections was able to create the Dynamic Severities Data Model, but was unable to validate it. Validations that are run on the Dynamic Severities include:

  • If DynamicSeverities is specified, at least one Dynamic Severity is specified

  • No list comprehensions are used in the Conditions

  • No combinators are used in the Conditions (e.g. Any, All, OnlyOne, None)

  • No Absolute Conditions are used in the Conditions

  • No multi-key match expressions are used in the Conditions

004 errors: transpiler

Error code | Description

SD00400001

This error code is returned when a match expression could not be converted to Python. See the "Inner Error" for additional details.

SD00400002

This error code is returned when a match expression could not be converted to a Python comment. This is unlikely to occur and is probably a bug in Simple Detections.

SD00400003

This error code is returned when Simple Detections was able to convert all of the match expressions under the Detection key into Python, but was unable to construct the full Python rule. This is unlikely to occur and is probably a bug in Simple Detections.

SD00400004

This error code is returned when a Match Expression is not yet supported for transpilation to Python. This is unlikely to occur and is probably a bug in Simple Detections.

005 errors: filters

Error code | Description

SD00500001

This error code is returned when a match expression could not be converted to an Inline Filter. See the "Inner Error" for additional details. Most commonly, this occurs when the provided Match Expression uses an unsupported Match Expression form or Condition for Inline Filters.

Inline Filters only support the following conditions:

  • Equals

  • DoesNotEqual

  • IsGreaterThan

  • IsGreaterThanOrEquals

  • IsLessThan

  • IsLessThanOrEquals

  • Contains

  • DoesNotContain

  • StartsWith

  • EndsWith

  • IsIPAddressInCIDR

  • IsIPAddressNotInCIDR

  • CIDRContainsIPAddresses

  • CIDRDoesNotContainIPAddresses

  • IsIn

  • IsNotIn

  • IsIPAddressPublic

  • IsIPAddressPrivate

  • IsNullOrEmpty

  • IsNotNullOrEmpty
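Several of the codes on this page describe shapes that can be caught locally before an upload: the empty Detection key (SD00100001), a key specifier with more than one of Key, KeyPath and DeepKey (SD00200003), an Exists condition carrying a Value (SD00200004), a list comprehension in InlineFilters (SD00300007), an empty AlertContext (SD00300009) or AlertTitle (SD00300010), a Dynamic Severity without Conditions (SD00300013) or with a combinator, absolute, multi-key or list-comprehension condition (SD00300014), and an Inline Filter using a Condition outside the list above (SD00500001). The following pre-flight lint is an added example written for this page; it is not Panther's own validator and it does not reproduce every check the page lists. It takes the YAML already parsed into a dict and assumes shapes the page only partly spells out: a match expression is a dict with one key specifier and a Condition, a multi-key expression carries Values, a list comprehension carries Expressions, and a combinator is a dict with a single Any/All/OnlyOne/None key whose value is a list of expressions (descending into combinators inside InlineFilters is likewise an assumption). The sample rule is constructed.

```python
"""Pre-flight lint for a parsed Simple Detections rule, mapping findings to
the error codes documented on this page. Added example; not Panther's own
validator. Assumed shapes (the page only partly spells them out): a match
expression is a dict with one key specifier (Key, KeyPath or DeepKey) and a
Condition; a multi-key expression carries Values; a list comprehension
carries Expressions; a combinator is a dict with a single Any/All/OnlyOne/
None key whose value is a list of expressions."""

KEY_SPECIFIERS = {"Key", "KeyPath", "DeepKey"}
COMBINATORS = {"Any", "All", "OnlyOne", "None"}
ABSOLUTE_CONDITIONS = {"AlwaysTrue", "AlwaysFalse"}
# The Conditions this page lists as supported in Inline Filters.
INLINE_FILTER_CONDITIONS = set("""Equals DoesNotEqual IsGreaterThan
    IsGreaterThanOrEquals IsLessThan IsLessThanOrEquals Contains DoesNotContain
    StartsWith EndsWith IsIPAddressInCIDR IsIPAddressNotInCIDR
    CIDRContainsIPAddresses CIDRDoesNotContainIPAddresses IsIn IsNotIn
    IsIPAddressPublic IsIPAddressPrivate IsNullOrEmpty IsNotNullOrEmpty""".split())


def _check_specifier(entry, where, findings):
    """Exactly one of Key / KeyPath / DeepKey may be present (SD00200003)."""
    if isinstance(entry, dict):
        present = sorted(KEY_SPECIFIERS & set(entry))
        if len(present) != 1:
            findings.append(("SD00200003", f"{where}: expected one key specifier, got {present or 'none'}"))


def _walk(expressions, where):
    """Yield (expression, path) for each leaf expression, descending into combinators."""
    for i, expr in enumerate(expressions or []):
        path = f"{where}[{i}]"
        if not isinstance(expr, dict):
            continue
        combinators = COMBINATORS & set(expr)
        if not combinators:
            yield expr, path
        for name in combinators:
            yield from _walk(expr[name], f"{path}.{name}")


def lint(rule):
    """Return a list of (error_code, message) for the mistakes this page documents."""
    findings = []
    detection = rule.get("Detection")
    if not detection:
        findings.append(("SD00100001", "Detection key is missing or empty"))
    for expr, path in _walk(detection, "Detection"):
        cond = expr.get("Condition")
        if "Values" in expr:  # multi-key match expression: specifiers live in Values
            for j, value in enumerate(expr["Values"]):
                _check_specifier(value, f"{path}.Values[{j}]", findings)
        elif cond not in ABSOLUTE_CONDITIONS:  # absolute conditions carry no key
            _check_specifier(expr, path, findings)
        if cond == "Exists" and ("Value" in expr or "Values" in expr):
            findings.append(("SD00200004", f"{path}: Exists must not carry Value or Values"))
    for j, entry in enumerate(rule.get("GroupBy") or []):
        _check_specifier(entry, f"GroupBy[{j}]", findings)
    if "AlertContext" in rule:
        context = rule["AlertContext"] or []
        if not context:
            findings.append(("SD00300009", "AlertContext is specified but has no entries"))
        for j, item in enumerate(context):
            if isinstance(item, dict) and isinstance(item.get("Value"), dict):
                _check_specifier(item["Value"], f"AlertContext[{j}].Value", findings)
    if "AlertTitle" in rule and not rule["AlertTitle"]:
        findings.append(("SD00300010", "AlertTitle is empty"))
    if "DynamicSeverities" in rule:
        severities = rule["DynamicSeverities"] or []
        if not severities:
            findings.append(("SD00300014", "DynamicSeverities is specified but empty"))
        for j, sev in enumerate(severities):
            conditions = sev.get("Conditions") or []
            if not conditions:
                findings.append(("SD00300013", f"DynamicSeverities[{j}] has no Conditions"))
            for cond in conditions:
                if isinstance(cond, dict) and (COMBINATORS & set(cond) or "Expressions" in cond
                        or "Values" in cond or cond.get("Condition") in ABSOLUTE_CONDITIONS):
                    findings.append(("SD00300014", f"DynamicSeverities[{j}]: only simple single-key conditions are allowed"))
    for expr, path in _walk(rule.get("InlineFilters"), "InlineFilters"):
        if "Expressions" in expr:
            findings.append(("SD00300007", f"{path}: list comprehensions are not allowed in InlineFilters"))
        elif expr.get("Condition") not in INLINE_FILTER_CONDITIONS:
            findings.append(("SD00500001", f"{path}: {expr.get('Condition')!r} is not supported in Inline Filters"))
    return findings


# Constructed sample carrying several of the mistakes this page documents.
BAD_RULE = {
    "AnalysisType": "rule", "RuleID": "Example.Lint",
    "Detection": [
        {"Key": "abc", "KeyPath": "a.b.c", "Condition": "Equals", "Value": 1},  # SD00200003
        {"Key": "abc", "Condition": "Exists", "Value": "someInvalidString"},  # SD00200004
    ],
    "AlertTitle": "",  # SD00300010
    "DynamicSeverities": [{"ChangeTo": "CRITICAL", "Conditions": []}],  # SD00300013
    "InlineFilters": [
        {"Key": "sourceIP", "Condition": "IsIPAddressInCIDR", "Value": "10.0.0.0/8"},
        {"Key": "actor", "Condition": "Exists"},  # SD00500001: not in the supported list
    ],
}
```

Running lint(BAD_RULE) reports the five codes marked in the sample, each with the path to the offending entry, which is the detail the "Inner Error" of a real upload failure is usually needed for. Treat a clean lint as necessary, not sufficient: the server-side validations the page lists under SD00200005 and SD00300004 (KeyPath syntax, per-type match expression rules) are not reproduced here.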

Inline Filters only support the following Match Expression forms:

SD00500002

This error code is returned when an Inline Filter could not be converted to a match expression. This is unlikely to occur and is probably a bug in Simple Detections.
