Skip to main content
Panther Knowledge Base

Can I modify a Panther-managed Data Model?

  1. Last updated
  2. Save as PDF

QUESTION

Is there a way to change the logic for a standard rule, like the "Admin Role Assigned" rule, for a specific log type?

ANSWER

You can copy, edit, then replace the associated data model for that log type by disabling the old one and then enabling the new one.

Standard rules look at Data Model values for each log type to determine if the logic applies. In the "Admin Role Assigned" rule, we can see that we check event_type, which is a UDM field defined on a per-log-type basis. Data Models for log types that are included in the standard rules can be found in the data_models folder in the panther-analysis repo.

import panther_event_type_helpers as event_type

def rule(event):
  # filter events on unified data model field
  return event.udm("event_type") == event_type.ADMIN_ROLE_ASSIGNED

 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
  2. Tags
    This page has no tags.