Skip to main content
Panther Knowledge Base

How to identify patterns across events within a specified time window in a Panther detection

  1. Last updated
  2. Save as PDF

QUESTION

Do you have an example of a detection looking for multiple specific commands from a single user within a short time window?

ANSWER

For this implementation, it is recommended to use Caching by implementing our native caching functions through Panther's open-source (global helper) library panther_oss_helpers. Using the caching functions, you can temporarily cache data about a specific event and then retrieve that data later by specifying a key. 

You can see an example of this in Panther's Github repo, where caching is used to test whether a user has 2 login actions occur in a short amount of time across an improbable distance.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
  2. Tags
    This page has no tags.