Panther Knowledge Base

Comparing a previous event with a current event to create a Panther detection

QUESTION

How do I use information from a previous event to compare with the current event and create a detection in Panther? How does storing information to compare with a later event in a detection work?

ANSWER

You can store data from the current event under a key so that it can be retrieved when a later event is evaluated by the same rule. The functions below cache values for use in future events.

First, make sure to import panther_oss_helpers!

Counter Functions:

  • get_counter() - Get the latest counter value
  • increment_counter() - Add to the counter (default of 1)
  • reset_counter() - Reset the counter to 0
  • set_key_expiration() - Set the lifetime of the counter

String Functions:

  • get_string_set() - Get the string set's current value
  • put_string_set() - Overwrite a string set
  • add_to_string_set() - Add one or more strings to a set
  • remove_from_string_set() - Remove one or more strings from a set
  • reset_string_set() - Empty the set

For more information, check out the Python code for these functions in Panther's GitHub.
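As an added example (not code from the Panther Knowledge Base or from panther-analysis), here is a rule that compares the current event with earlier ones: it caches each user's login source IPs in a string set and alerts when a successful login arrives from an IP not previously seen for that user. It assumes the helper signatures get_string_set(key), add_to_string_set(key, value) and set_key_expiration(key, epoch_seconds), and falls back to an in-memory stand-in when panther_oss_helpers is not importable so the block runs outside Panther.

```python
import time

try:
    from panther_oss_helpers import (add_to_string_set, get_string_set,
                                     set_key_expiration)
except ImportError:
    # Stand-in with the assumed signatures so the example runs locally.
    # It keeps state in memory for the lifetime of the process only.
    _CACHE = {}

    def get_string_set(key):
        return set(_CACHE.get(key, set()))

    def add_to_string_set(key, val):
        vals = {val} if isinstance(val, str) else set(val)
        _CACHE.setdefault(key, set()).update(vals)
        return set(_CACHE[key])

    def set_key_expiration(key, epoch_seconds):
        pass  # TTL is not modelled in the stand-in

CACHE_TTL_SECONDS = 30 * 24 * 60 * 60  # remember a user's IPs for 30 days


def rule(event):
    """Alert on a successful login from an IP never cached for this actor."""
    if event.get("action") != "login.success":
        return False
    actor, src_ip = event.get("actor"), event.get("src_ip")
    if not actor or not src_ip:
        return False
    key = f"login_ips:{actor}"
    seen = get_string_set(key)          # IPs stored by earlier events
    add_to_string_set(key, src_ip)      # store this event for the next one
    set_key_expiration(key, int(time.time()) + CACHE_TTL_SECONDS)
    if not seen:
        return False  # first sighting only establishes the baseline
    return src_ip not in seen


def title(event):
    return f"{event.get('actor')} logged in from new IP {event.get('src_ip')}"


if __name__ == "__main__":
    # Constructed sample events: baseline, repeat, then a new IP.
    for ip in ("10.0.0.5", "10.0.0.5", "198.51.100.7"):
        print(ip, rule({"action": "login.success", "actor": "alice", "src_ip": ip}))
```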
