Panther Knowledge Base

Can the alert_context function in Panther return a list of values?

QUESTION

Can the elements in the dictionary returned by alert_context be a list of values rather than just a string?

ANSWER

Yes, this is possible. Instead of returning a single string, you can also return a list of strings.

Below you can see an example using a detection on Okta logs that sends an alert to Slack.

The alert_context function was defined as shown below:

from panther_base_helpers import deep_get  # Panther's helper for safe nested-key lookups

def alert_context(event):
    # The returned dictionary is JSON-serialised for the destination, so a value
    # may be a list (delivered as a JSON array) rather than only a string.
    return {
        "actor": deep_get(event, "actor", "displayName"),
        "id": deep_get(event, "actor", "id"),
        "message": [deep_get(event, "displayMessage"), event.get("eventType", None)],
    }

The value of the "message" key of the dictionary was set as a list instead of a single value. The alert context that will be delivered is the following:

Alert Context
{
   "actor": <ACTOR_NAME>,
   "id": "00u5m5crdnTG8zRAq5d7",
   "message": [
       "User logout from Okta",
       "user.session.end"
   ]
}
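As an added, self-contained example (not the original article's code and not Panther's own), the following reproduces the detection above with a locally defined stand-in for Panther's deep_get helper and a constructed Okta System Log event, then round-trips the context through JSON to show that the list arrives as a JSON array and that a missing field becomes null rather than breaking the alert:

```python
import json

# Constructed sample Okta System Log event shaped like the one in the article.
# The "id" value is the one shown on the page; the display name is made up.
SAMPLE_EVENT = {
    "actor": {"displayName": "Example User", "id": "00u5m5crdnTG8zRAq5d7"},
    "displayMessage": "User logout from Okta",
    "eventType": "user.session.end",
}


def deep_get(dictionary, *keys, default=None):
    """Local stand-in for panther_base_helpers.deep_get (assumed behaviour):
    walk the nested keys and return `default` if any level is missing."""
    value = dictionary
    for key in keys:
        if not isinstance(value, dict) or key not in value:
            return default
        value = value[key]
    return value


def rule(event):
    # Fire on Okta session-end events; hypothetical rule body for this example.
    return deep_get(event, "eventType") == "user.session.end"


def alert_context(event):
    # Mirrors the article: "message" is a list carrying two facts under one key.
    return {
        "actor": deep_get(event, "actor", "displayName"),
        "id": deep_get(event, "actor", "id"),
        "message": [deep_get(event, "displayMessage"), event.get("eventType")],
    }


def rendered_context(event):
    """Serialise and parse the context as a destination such as Slack would receive it.
    json.dumps raises TypeError for non-serialisable values (sets, datetimes), so
    this doubles as a check that every value in the context is safe to return."""
    return json.loads(json.dumps(alert_context(event)))


if __name__ == "__main__":
    if rule(SAMPLE_EVENT):
        print(json.dumps(rendered_context(SAMPLE_EVENT), indent=2))
    # A stripped-down event shows the failure mode: the missing displayMessage
    # becomes null inside the list instead of raising inside the detection.
    print(json.dumps(rendered_context({"eventType": "user.session.end"}), indent=2))
```

Keeping the JSON round-trip in the detection's unit tests catches a context that Panther could not deliver before the rule is deployed.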
