Detections
For setup instructions, check out the Panther documentation on Detections.
- Detection Features
- Allowing Panther detection code to access metadata about that detection
- Are special characters allowed in Panther detection titles?
- Are there any storage or size limitations to the strings that I can store in a String Set in Panther?
- Can I export a list of my alerts from Panther?
- Can I include a description on a detection filter in Panther?
- Can I manually edit data stored in the Panther KV Cache?
- Can I modify a Panther-managed Data Model?
- Can I omit unused fields from my detection unit test?
- Can I parse a specific field in my JSON log with a fastmatch or regex log parser in Panther?
- Can I return a detection triggering event in the alert_context function?
- Can I share String Sets across different detections in Panther?
- Can I use breakpoints and other Python debug tools on Panther detection functions and tests?
- Can I use multiple AWS roles for accessing secrets from Panther detections?
- Can I use pytest or other testing frameworks to test helpers used in Panther?
- Can I view the data stored in the Panther KV cache?
- Can Panther filter detections based on enrichment data?
- Can the alert_context function in Panther return a list of values or JSON data?
- Can we disable Detection Packs from the Panther Console if the "We use the Panther Analysis Tool to manage our detections" setting is enabled?
- Can you have two different fields going to the same Data Model field in Panther?
- Comparing a previous event with a current event to create a Panther detection
- Data Replay for 15GB and 20GB is taking a long time to complete in Panther
- Does DynamoDB in Panther have a default TTL for its cache when one is not explicitly set?
- Does Panther allow showing MITRE coverage for an arbitrary grouping of detections?
- Do I need to request access to DynamoDB in order to use the Panther-provided cache helper functions?
- Do Panther's auxiliary functions get called in any specific order?
- Do summary attributes get stored in the panther_rule_matches database view in Panther?
- Filters don't change the list of results when viewing Panther rule matches
- How can I access my own AWS resources from my Python Detections? Can I store secrets in Panther?
- How can I control Panther's deduplication period from within my detection code?
- How can I rerun a rule in Panther?
- How can I set up a Panther detection such that each event gets sent as its own separate alert?
- How can I share global data between Python functions in my Panther detection code?
- How can I tell if Simple Detections are enabled in my Panther Console?
- How can I use boto3 in Panther detections?
- How can I write unit tests for Panther detections that use relative time?
- How do deduplication and threshold work in Panther?
- How does Panther handle alert deduplication if rules share the same dedup string and dedup period?
- How do I capture stdout in Panther detections?
- How do I include a detailed description with a Panther alert?
- How do I override my Panther detection's default severity?
- How do I resolve "read timeout on endpoint URL" during a bulk upload to Panther?
- How do I resolve Data Replay time range errors in my Panther Console?
- How do I resolve the alert error "module 'Panther' not found"?
- How do I resolve the error "only one LogType may be specified per DataModel" while uploading a Data Model to Panther?
- How do I return an array of values from a Mock in a Panther detection?
- How do I set up my Panther alert to be dynamically generated in order to provide the most context?
- How do I set up separate destinations for detections with the same log type?
- How do I use deep_get() to get a value from a nested array?
- How to create a link to Search from a Panther detection and include it in alerts
- How to create scheduled tests for Panther detections
- How to identify patterns across events within a specified time window in a Panther detection
- How to measure performance of Panther detections
- How to prevent Panther from persisting my rule's global variable between log events
- How to resolve "PantherError: a data model hasn't been specified for this log type"
- How to test with mocks when a Panther detection sorts cached values
- How to troubleshoot ModuleNotFound error in Panther detection
- How to write unit tests for stateful Panther detections
- In a detection test, is it possible to mock the response of a helper function that is not directly called in my detection code?
- In a Panther detection, does set_key_expiration immediately clear the cache once the key is expired?
- Is there an advantage to using filters instead of code in Panther detections?
- Is there a time or size limit on the Panther Data Replay feature?
- List and dict type comparisons aren't working in my Panther detection
- Maximum number of minutes to use for DedupPeriodMinutes in a Panther detection
- My Panther analysis cache was not cleared by the set_key_expiration function
- Panther.Detection.Deleted fires with a broken AlertContext
- Retrieving nested data values with deep_get for a Panther Detection
- What's the difference between a Fail and an Error error state in Panther's detection unit testing?
- What's the difference between p_udm and event.udm in Panther?
- What's the meaning of each enriched timestamp field in my alerts on Panther?
- What does Managed or Unmanaged mean for a detection in the Panther Console?
- What does the title function return if there are no changes in its body, or if the function is not included in a Panther detection?
- What fields are used for deduplicating repeated alerts in Panther?
- What happens when I change the deduplication string of a Panther rule?
- What is the default alert_context if I don't have an alert_context function in my Panther detection?
- What is the difference between get and deep_get when writing detections in Panther?
- What is the recommended way to do exception handling with Panther Detections?
- Where in my Panther code repository can I store my YAML-only detections?
- Why do I receive rule import errors after removing helper functions from my Panther detection?
- Why is my PAT uploaded detection not appearing in the Destination Override field?
- Why are OSS helpers not accessible when running a Data Replay in Panther?
- Policies
- Are Panther alerts from unhealthy resources fixed when the resource becomes healthy?
- Can I change the time of day when Panther policies run?
- Can I use Panther's enrichment sources within my cloud scanning policy code?
- How to correlate alerts from Panther's CIS policies to AWS Security Hub Findings
- Many resources are failing a Policy, but I only see a few alerts in the Panther Console
- Panther policy failing unexpectedly when using AWS Tags
- Policy deduplication in Panther for quickly-changing resources
- What do PASS and FAIL mean for my Panther policy?
- What is the difference between the two failure tabs within a Policy's details in the Panther Console?
- Why does a Policy return True when a Rule returns False in Panther?
- Rules
- "(ThrottlingException) when calling the UpdateItem operation" error in Panther detection
- "TypeError: unsupported operand type(s)" error when testing a Panther-managed detection
- (CI/CD) Can I write my Panther detection tests in a different file than the main configuration?
- Can I convert detections from third-party tools into Panther detections?
- Can I mock API calls made from a decorator function in Panther detection code?
- Does Panther's detection engine invoke rules serially for each event?
- Does Panther's GHAS Change detection account for archived repositories?
- Does Panther allow multiple log types for one detection?
- Does Panther offer out-of-the-box detections designed for Workday logs?
- Does Panther offer out-of-the-box detections for Tenable logs?
- Does Panther offer out-of-the-box detections to detect sensitive data in logs?
- Does Panther support the detection of the absence of an event before or after another event?
- Do Panther's real-time rules or scheduled rules require more computing power?
- Do users often have a dev and prod environment for testing Panther Detections?
- Error "Cannot save an enabled rule with failing unit tests" when trying to add a rule filter to a Panther-managed rule
- Error 'New rule error: AttributeError("'NoneType' object has no attribute 'lower'")' when running a detection in Panther
- Error message "Input: server timeout: please try again" while updating a detection in Panther
- Getting the error message "Bulk upload failed to update an analysis item" when uploading a rule via the Bulk Uploader in Panther
- How can I filter a Panther rule using an allow list or a deny list?
- How can I get a list of all Panther detections that triggered an alert to Slackbot within a specific timeframe?
- How can I see the severity output of my Panther detection?
- How can I write a Panther detection to alert me when a deactivated Okta user tries to log in?
- How does Panther handle errors on code and Rule exceptions?
- How do I check if my Panther rules are working?
- How do I create a detection for when event A is followed by event B?
- How do I query the alerts that matched a Panther rule in the API?
- How do I remove deprecated Panther-managed rules from my UI?
- How do I resolve the Rule Testing error "ResourceNotFoundException" in Panther?
- How frequently should I update Detection Packs in the Panther Console?
- How to check which detections are deployed in the Panther Console
- How to fix Panther "external sharing" detection that fires alerts about internal activity
- How to resolve "Client error: an error occured when calling the UpdateItem operation" in Panther detection
- How to troubleshoot Okta Geographically Improbable location alerts from Panther
- If I delete a detection, can I still access the alerts/matched events?
- Is there a Panther managed detection to identify elevated admin access in Microsoft 365 logs?
- Is there a way to specify the destination in a Panther detection's YML file?
- Panther-managed rule "Geographically Improbable Okta Login" generates alerts for logins from same city
- Panther detection editor cursor shows space to the right of where it actually is
- What is the reasoning behind the Panther detection, Okta User MFA Factor Suspend?
- What is the syntax for dedup period in Panther?
- What options are available for managing detections in Panther?
- Why can't I find the detection "AWS Modify Cloud Compute Infrastructure" in the Panther Console?
- Why did a large number of alerts trigger at the same time from Panther?
- Why do I see "Couldn't load your detections; Request timed out" in the Panther Console?
- Why do I see "The associated rule has been deleted" in Panther?
- Why is my Detection returning the Rule ID instead of my title function output?
- Scheduled Rules
- Are lookups for event fields case sensitive in Panther?
- Do I need a Scheduled Query in order to use a Scheduled Rule in Panther?
- How can I build detections that watch data in Snowflake?
- How do I create a detection in Panther based on the number of results returned from a data lake query?
- How do I manually test my Scheduled Rule in Panther?
- How often do scheduled rules run by default in Panther?
- Why do I see the error ‘failed: FailedQuery('status: running error: query still running')’ when running Scheduled Rules in Panther?
- Why is my Scheduled Rule in Panther firing alerts even though the number of events is lower than the specified threshold?
- Why might I not receive alerts from my Scheduled Rule in Panther?