How can I share global data between functions in my Panther detection code?
QUESTION
I want to share some variables across my functions within my detection code. How can I define them so that changes made in one function persist into the next?
ANSWER
Panther supports defining variables that are scoped to the lifetime of the detection's invocation. To do so, define them outside the functions, and use the global keyword inside the functions, like the example below:
my_global = "foo" # Create an invocation-scoped variable, and set it to foo
def rule(event):
global my_global # Tells Panther that this is the same `my_global` as above
my_global = "bar" # Overwrite the value we initially defined
return True
def title(event):
global my_global # Again, we tell panther to use the global variable
return my_global # Returns "bar", since we overwrote "foo" in the rule() function
There are a few caveats:
- The "global" variables here are scoped to the lifetime of the invocation, meaning the values may persist across different events.
- If your detection logic requires the global variable to always start with some default value, make sure you assign that value near the beginning of your
rulefunction.
- If your detection logic requires the global variable to always start with some default value, make sure you assign that value near the beginning of your
- If you forget to use the
globalkeyword in your function, you'll instead create a new variable to use instead of the global one you defined earlier.- This can be a common source of confusion. When troubleshooting, ensure that you've properly implemented the
globalkeyword!
- This can be a common source of confusion. When troubleshooting, ensure that you've properly implemented the