Can I use Python debug tools on Panther detection functions and tests?
QUESTION
How do I use Python debugging tools on Panther detection functions and tests? I want to see information in addition to whether a test passed or failed.
ANSWER
While Panther's tools do not include debug functionality, you can download detections to a local or dev system and run them there with your preferred debugging tools, such as pdb. This may not replicate every situation exactly as it runs in the Panther Console (for example, interactions with the panther_kv_store cache are difficult to simulate from a local machine), but it can help clarify complexities in many code scenarios.
Here is an example Python file where you can add your detection logic, and steps you can take to debug:
import json

# -- Your Rule Code Here -- #
from panther_base_helpers import deep_get


def rule(event):
    # Replace this placeholder with your alert condition
    alert_condition_is_met = False
    if alert_condition_is_met:
        return True
    else:
        return False


def title(event):
    pass
# -- End Your Code -- #


if __name__ == "__main__":
    # Load the test case saved next to this file and run the rule against it
    with open('event.json') as f:
        event = json.load(f)
    print('-- Rule --\n' + str(rule(event)) + '\n')
    # Print the output of each optional function the detection defines
    if 'title' in dir():
        print('-- Title --\n' + str(title(event)) + '\n')
    if 'dedup' in dir():
        print('-- Dedup --\n' + str(dedup(event)) + '\n')
    if 'alert_context' in dir():
        print('-- Alert Context --\n' + str(alert_context(event)) + '\n')
    if 'severity' in dir():
        print('-- Severity --\n' + str(severity(event)) + '\n')
    if 'description' in dir():
        print('-- Description --\n' + str(description(event)) + '\n')
    if 'reference' in dir():
        print('-- Reference --\n' + str(reference(event)) + '\n')
    if 'runbook' in dir():
        print('-- Runbook --\n' + str(runbook(event)) + '\n')
    if 'destinations' in dir():
        print('-- Destinations --\n' + str(destinations(event)) + '\n')
- Create a file containing the code above.
- Copy your test case into another file in your working directory. In the example code, this file is event.json.
- If you are using Panther helpers, link to them or copy them into the same directory.
- Run this with Python and add pdb or any other debugging statements or tools.
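The steps above can be generalized into a reusable local runner. The following is an added example, not code from Panther or from the original answer: it bundles a constructed sample rule (a login without MFA) and a constructed sample event, swaps in a minimal local deep_get so it runs without the panther_base_helpers package (the real helper's semantics are assumed to match), and wraps every rule function so that an exception can drop you into pdb post-mortem at the failing frame, which is the detail a plain pass/fail test result does not show.

```python
"""Local harness for exercising a Panther-style rule and its auxiliary
functions outside the Panther Console.

Added example, not code from Panther or the original post. It assumes the
detection exposes the usual Panther rule functions (rule, title, dedup,
severity, alert_context, ...) and substitutes a local deep_get for
panther_base_helpers.deep_get (assumption: same semantics).
"""
import json
import pdb
import sys
import traceback
from typing import Any, Dict, Optional

# Optional auxiliary functions a Panther rule may define. The harness runs
# every one that is present, whether or not rule() fired, so you can inspect them.
AUX_FUNCTIONS = (
    "title", "dedup", "alert_context", "severity", "description",
    "reference", "runbook", "destinations",
)


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts by key, returning `default` on any missing step."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key, default)
    return obj


# --- Constructed sample detection (stands in for your own rule code) -------
def rule(event: Dict[str, Any]) -> bool:
    # Fire on a successful login that did not use MFA (constructed field names).
    return (
        deep_get(event, "action") == "login"
        and deep_get(event, "result") == "success"
        and not deep_get(event, "auth", "mfa", default=False)
    )


def title(event: Dict[str, Any]) -> str:
    return f"Login without MFA for {deep_get(event, 'user', 'email', default='<unknown>')}"


def severity(event: Dict[str, Any]) -> str:
    # Escalate when the account is flagged as privileged.
    return "HIGH" if deep_get(event, "user", "admin", default=False) else "MEDIUM"


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    return {"src_ip": deep_get(event, "src_ip"), "user": deep_get(event, "user", "email")}
# ---------------------------------------------------------------------------


def run_detection(event: Dict[str, Any],
                  namespace: Optional[Dict[str, Any]] = None,
                  debug: bool = False) -> Dict[str, Any]:
    """Run rule() and every auxiliary function present in `namespace`.

    Returns {function name: return value, or the exception it raised}.
    With debug=True, an exception first prints its traceback and then opens
    pdb post-mortem at the failing frame so locals can be inspected.
    `namespace` defaults to this module, i.e. the sample detection above.
    """
    ns = globals() if namespace is None else namespace
    results: Dict[str, Any] = {}
    for name in ("rule",) + AUX_FUNCTIONS:
        func = ns.get(name)
        if not callable(func):
            continue
        try:
            results[name] = func(event)
        except Exception as exc:  # surface anything the rule code raises
            results[name] = exc
            if debug:
                traceback.print_exc()
                pdb.post_mortem(sys.exc_info()[2])
    return results


# Constructed sample event, standing in for the event.json test case.
SAMPLE_EVENT: Dict[str, Any] = {
    "action": "login",
    "result": "success",
    "src_ip": "203.0.113.10",
    "user": {"email": "alice@example.com", "admin": True},
    "auth": {"mfa": False},
}


if __name__ == "__main__":
    # Usage: python harness.py [event.json] [--pdb]
    paths = [arg for arg in sys.argv[1:] if not arg.startswith("--")]
    event = SAMPLE_EVENT
    if paths:
        with open(paths[0]) as f:
            event = json.load(f)
    for name, value in run_detection(event, debug="--pdb" in sys.argv).items():
        print(f"-- {name} --\n{value}\n")
```

Run it with no arguments to exercise the constructed sample, or pass the path of a test case exported from Panther to use that event instead; adding --pdb opens the debugger only when one of the rule functions raises, which keeps normal runs non-interactive.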