Detections
For setup instructions, check out the Panther documentation on Detections.
Detection Features
- Are special characters allowed in Detection titles?
- Are there any storage or size limitations to the strings that I can store in a String Set in Panther?
- Can I export a list of my alerts from Panther?
- Can I manually edit data stored in the Panther KV Cache?
- Can I modify a Panther-managed Data Model?
- Can I parse a specific field in my JSON log with a fastmatch or regex log parser in Panther?
- Can I return a detection triggering event in the alert_context function?
- Can I share String Sets across different detections in Panther?
- Can I use Python debug tools on Panther detection functions and tests?
- Can the alert_context function in Panther return a list of values or JSON data?
- Can you have two different fields going to the same UDM field in Panther?
- Comparing a previous event with a current event to create a Panther detection
- Data Replay error "There is no historical data for the selected log type" in my Panther Console
- Does Panther allow showing MITRE coverage for an arbitrary grouping of detections?
- Do Panther's auxiliary functions get called in any specific order?
- How can I access my own AWS resources from my Python Detections? Can I store secrets in Panther?
- How can I rerun a rule in Panther?
- How can I set up a Panther detection such that each event gets sent as its own separate alert?
- How can I share global data between functions in my Panther detection code?
- How can I use boto3 in Panther detections?
- How can I write unit tests for Panther detections that use relative time?
- How does Panther handle alert deduplication if rules share the same dedup string and dedup period?
- How do I capture stdout in Panther detections?
- How do I override my Panther detection's default severity?
- How do I resolve the alert error "module 'Panther' not found"?
- How do I resolve the error "only one LogType may be specified per DataModel" while uploading a Data Model to Panther?
- How do I return an array of values from a Mock in a Panther detection?
- How do I set up my Panther alert to be dynamically generated in order to provide the most context?
- How do I set up separate destinations for detections with the same log type?
- How to create a link to Indicator Search from a Panther detection and include it in alerts
- How to create scheduled tests for Panther detections
- How to identify patterns across events within a specified time window in a Panther detection
- How to resolve "PantherError: a data model hasn't been specified for this log type"
- How to troubleshoot ModuleNotFound error in Panther detection
- How to write unit tests for stateful Panther detections
- In a Panther detection, does set_key_expiration immediately clear the cache once the key is expired?
- Is there an advantage to using filters instead of code in Panther detections?
- Is there a time or size limit on the Panther Data Replay feature?
- List and dict type comparisons aren't working in my Panther detection
- Maximum number of minutes to use for DedupPeriodMinutes in a Panther detection
- My Panther analysis cache was not cleared by the set_key_expiration function
- Panther.Detection.Deleted fires with a broken AlertContext
- Retrieving nested data values with deep_get for a Panther Detection
- What's the meaning of each enriched timestamp field in my alerts on Panther?
- What fields are used for deduplicating repeated alerts in Panther?
- What is the default alert_context if I don't have an alert_context function in my Panther detection?
- What is the recommended way to do exception handling with Panther Detections?
- Why is oss helpers not accessible when running a Data Replay in Panther?
Policies
- Are Panther alerts from unhealthy resources fixed when the resource becomes healthy?
- Can I use Panther's enrichment sources within my cloud scanning policy code?
- How to correlate alerts from Panther's CIS policies to AWS Security Hub Findings
- Many resources are failing a Policy, but I only see a few alerts in the Panther Console
- What do PASS and FAIL mean for my Panther policy?
- Why is my encrypted DynamoDB failing the AWS DynamoDB Table Encryption policy in Panther?
Rules
- (CI/CD) Can I write my Panther detection tests in a different file than the main configuration?
- Can I convert detections from third-party tools into Panther detections?
- Do Panther's Real-time rules or Scheduled rules require more computing power?
- Do users often have a dev and prod environment for testing Panther Detections?
- Getting the error message "Bulk upload failed to update an analysis item" when uploading a rule via the Bulk Uploader in Panther
- How can I see the severity output of my Panther detection?
- How can I write a Panther detection to alert me when a deactivated Okta user tries to log in?
- How does Panther handle errors on code and Rule exceptions?
- How do I check if my Panther rules are working?
- How do I query the alerts that matched a Panther rule in the API?
- How do I resolve the Panther Data Replay error "No data in time range for the selected log types"?
- How do I resolve the Rule Testing error "ResourceNotFoundException" in Panther?
- How frequently should I update Detection Packs in the Panther Console?
- How to troubleshoot Okta Geographically Improbable location alerts from Panther
- If I delete a detection, can I still access the alerts/matched events?
- Panther-managed rule "Geographically Improbable Okta Login" generates alerts for logins from same city
- Panther detection editor cursor shows space to the right of where it actually is
- What is the syntax for dedup period in Panther?
- What options are available for managing detections in Panther?
- Why did a large number of alerts trigger at the same time from Panther?
- Why do I see "Couldn't load your detections; Request timed out" in the Panther Console?
- Why do I see "The associated rule has been deleted" in Panther?
Scheduled Rules
- Are lookups for event fields case sensitive in Panther?
- Do I need a Scheduled Query in order to use a Scheduled Rule in Panther?
- How do I manually test my Scheduled Rule in Panther?
- Why is my Scheduled Rule in Panther firing alerts even though the number of events is lower than the specified threshold?
- Why might I not receive alerts from my Scheduled Rule in Panther?