Panther Knowledge Base

How do scheduled rules with multiple associated scheduled queries work in Panther?

QUESTION

How do scheduled rules with multiple associated scheduled queries work? Does Panther allow results from the first query to be checked against the results of the second query? 

ANSWER

It's not possible for a single scheduled rule to consider the results of two different scheduled queries together: each scheduled query is evaluated on its own, and the rule only ever sees one query's result rows.

As a workaround, you can write one scheduled query that reads from multiple tables in panther_rule_matches and feed that single query into a scheduled rule. This pushes the work of combining and grouping the matches out of the rule's Python (or any other Panther construct) and into the scheduled query itself, where SQL can do the correlation.

For example, instead of having two queries:

select * from panther_rule_matches.aws_cloudtrail where EXAMPLE
select * from panther_rule_matches.okta_systemlog where EXAMPLE

you could have one query that groups them together:

with totals as (
    with ct_matches as (
        select * from panther_rule_matches.public.aws_cloudtrail limit 10
    ),
    okta_matches as (
        select * from panther_rule_matches.public.okta_systemlog limit 10
    )
    select p_rule_id, p_log_type from ct_matches
    union
    select p_rule_id, p_log_type from okta_matches
)
select count(distinct p_log_type) as matches from totals
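The query above only counts how many log types produced any match. The same pattern extends to real correlation: the following is an added example (not from this Knowledge Base article or Panther's own content) of a single scheduled query that joins CloudTrail and Okta rule matches on a shared username within a one-hour window, so the scheduled rule receives one row per user that tripped rules in both sources. It is written for Snowflake, which Panther uses as its data lake; the standard fields p_event_time, p_log_type, p_rule_id and p_any_usernames are Panther's, but the assumption that p_any_usernames is an array of strings, the one-hour window and the "both log types" threshold are choices made for this illustration.

```sql
-- Added example, not part of the original KB answer.
-- Assumes Panther's standard fields: p_event_time (timestamp),
-- p_log_type (string), p_rule_id (string) and p_any_usernames
-- (array of strings). The 1-hour window is an assumed placeholder.
with ct_matches as (
    select p_event_time,
           p_log_type,
           p_rule_id,
           u.value::string as username
    from panther_rule_matches.public.aws_cloudtrail,
         lateral flatten(input => p_any_usernames) u
    where p_event_time > dateadd(hour, -1, current_timestamp())
),
okta_matches as (
    select p_event_time,
           p_log_type,
           p_rule_id,
           u.value::string as username
    from panther_rule_matches.public.okta_systemlog,
         lateral flatten(input => p_any_usernames) u
    where p_event_time > dateadd(hour, -1, current_timestamp())
),
all_matches as (
    -- union all keeps duplicates so the counts below reflect every match
    select * from ct_matches
    union all
    select * from okta_matches
)
-- One row per user, kept only when both log types contributed a match.
select username,
       count(distinct p_log_type) as log_types_matched,
       count(distinct p_rule_id)  as rules_matched,
       min(p_event_time)          as first_match,
       max(p_event_time)          as last_match
from all_matches
group by username
having count(distinct p_log_type) = 2
```

Each row the query returns is handed to the scheduled rule as a single event, so the rule's Python can be as simple as returning True for every row (the HAVING clause already enforces the cross-source condition) and the username, rules_matched and time bounds are available for the alert title and context. Keep the query's window aligned with how often the schedule runs, otherwise the same pair of matches will be re-reported on every execution.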


Related: How does alert routing for scheduled rules work in Panther when a scheduled rule relies on queries from multiple log types?