Can the alert_context function in Panther return a list of values or JSON data?
QUESTION
Can the elements in the dictionary returned by alert_context be a list of values or JSON data rather than just a string?
ANSWER
Yes, this is possible. Instead of returning a single string, you can also return a list of strings.
Below you can see an example using a detection on Okta logs that sends an alert to Slack.
The alert_context function was defined as shown below:

    def alert_context(event):
        return {
            "actor": deep_get(event, "actor", "displayName"),
            "id": deep_get(event, "actor", "id"),
            "message": [deep_get(event, "displayMessage"), event.get("eventType", None)],
        }
The value of the "message" key of the dictionary was set as a list instead of a single value. The alert context that will be delivered is the following:
Alert Context

    {
        "actor": <ACTOR_NAME>,
        "id": "00u5m5crdnTG8zRAq5d7",
        "message": [
            "User logout from Okta",
            "user.session.end"
        ]
    }
If you want the alert_context function to contain JSON data, then we recommend converting the individual JSON key-value pairs to variables before using them in the alert_context function.
For example, let's suppose that we have the following JSON data in our Python code:
    import json

    json_data = '{"Name": "John Smith","Contact Number": "000000","Interests":["Swimming", "Reading"]}'
We will parse it using the function json.loads(), and the output will be a dictionary similar to the one below:

    json_output = json.loads(json_data)

    {'Name': 'John Smith', 'Contact Number': '000000', 'Interests': ['Swimming', 'Reading']}
If we want to use these values in the alert_context function, we should first extract each individual value as shown below and then include those variables in the dictionary the function returns:

    person_name = json_output['Name']
    person_number = json_output['Contact Number']
    person_interests = json_output['Interests']

    def alert_context(event):
        return {
            "name": person_name,
            "number": person_number,
            "interests": person_interests,
        }
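The following is an added example, not code from the original answer or from Panther, that combines both points above in one runnable detection module: it returns a list value in the alert context and it unpacks JSON data carried as a string inside the event before placing it in the context. The Okta-style event is constructed for the example, the `debugContext.debugData.extra` field is hypothetical, and `deep_get` is a local stand-in for Panther's helper of the same name.

```python
import json

# Constructed Okta-style System Log event for this example (not a real log).
SAMPLE_EVENT = {
    "actor": {"displayName": "Jane Doe", "id": "00u0000000000000000"},
    "displayMessage": "User logout from Okta",
    "eventType": "user.session.end",
    "client": {"ipAddress": "203.0.113.10"},
    # Hypothetical field carrying a JSON document as a string.
    "debugContext": {"debugData": {"extra": '{"risk": "LOW", "factors": ["password", "push"]}'}},
}


def deep_get(obj, *keys, default=None):
    # Local stand-in for Panther's deep_get: walk nested keys, return default if any is missing.
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def parse_json_field(raw, default=None):
    # Decode a JSON string found inside the event; fall back if it is absent or malformed,
    # so a bad field never makes alert_context raise and drop the alert's context.
    if not isinstance(raw, str):
        return default
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return default


def rule(event):
    return event.get("eventType") == "user.session.end"


def alert_context(event):
    # Everything returned here must be JSON-serialisable, since the context is delivered as JSON.
    extra = parse_json_field(deep_get(event, "debugContext", "debugData", "extra"), default={})
    return {
        "actor": deep_get(event, "actor", "displayName"),
        "id": deep_get(event, "actor", "id"),
        "message": [event.get("displayMessage"), event.get("eventType")],  # list value
        "risk": extra.get("risk"),               # values unpacked from the embedded JSON
        "factors": extra.get("factors", []),     # a list taken from that JSON
        "source_ip": deep_get(event, "client", "ipAddress"),
    }


if __name__ == "__main__":
    if rule(SAMPLE_EVENT):
        print(json.dumps(alert_context(SAMPLE_EVENT), indent=2))
```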