Retrieving nested data values with deep_get for a Panther Detection
QUESTION
When I write a detection with Panther, how do I retrieve a value from a field in ingested data when the field is nested in other JSON fields?
ANSWER
You can use the Python helper function deep_get for this. It returns a value nested in data at any depth. It is used in many of Panther's built-in detections and helpers, such as this one.
To use deep_get:
- At the top of your detection code, add
from panther_base_helpers import deep_get
Example JSON data:
-
... "client": { "device": "Computer", "geographicalcontext": { "country": "United States", "geolocation": { "lat": "39.5022", "lon": "-106.1497" }, }, "useragent": { "browser": "CHROME", "os": "Mac OS X", "rawuseragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML" } }, ... - Examples (see data above):
print(str(deep_get(event, "client", "device"))) # prints Computerprint(str(deep_get(event, "client", "geographicalcontext", "geolocation", "lat"))) # prints 39.5022
- You may not need to convert the returned value to a string as shown, depending on what you're doing with it.
In the case where deep_get doesn't find the field it's looking for, it returns the Python None instead of the value of the field. For example, when using this JSON:
{ "event": { "outcome": { "result": "SUCCESS" } } }
this Python prints SUCCESS
print(deep_get(data, "event", "outcome", "result"))
and this Python prints None
print(deep_get(data, "event", "outcome", "resulterino"))