What is the difference between get and deep_get when writing detections in Panther?
QUESTION
What is the difference between get and deep_get?
ANSWER
In a string context (for example when a value is interpolated into a rule title), we usually recommend the form deep_get(event, 'whatever', default='<NO_WHATEVER>'). The differences are described below.
- dictionary.get('thing', 'value-if-not-present')
  - This call will return None if the thing exists and has a value of None.
- deep_get(dictionary, 'thing', default='something')
  - This call will return the value of the default= kwarg if the thing exists and has a value of None.
Examples:
- https://github.com/panther-labs/panther-analysis/blob/master/rules/okta_rules/okta_threatinsight_security_threat_detected.py#L33
- https://github.com/panther-labs/panther-analysis/blob/master/rules/asana_rules/asana_workspace_guest_invite_permissions_anyone.py#L12-L13
- https://github.com/panther-labs/panther-analysis/blob/master/rules/slack_rules/slack_user_privilege_escalation.py#L17
- https://github.com/panther-labs/panther-analysis/blob/master/rules/aws_cloudtrail_rules/aws_resource_made_public.py#L79
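The following is an added example, not code from the Panther knowledge base or from panther-analysis. It uses a small stand-in `deep_get` written here to mirror the behaviour the answer describes (the real helper lives in Panther's base helpers and is not copied), a constructed sample event, and assumed function names (`compare_lookups`, `title_with_get`, `title_with_deep_get`) to show the two lookups side by side, including the string-context case where a `None` value leaks into a title.

```python
from collections.abc import Mapping
from functools import reduce

# Constructed sample event (not from any real log source): "actor.alternateId"
# is present but None, "actor.displayName" is absent, and "client" is absent.
SAMPLE_EVENT = {
    "actor": {"alternateId": None, "type": "User"},
    "outcome": {"result": "SUCCESS"},
}


def deep_get(dictionary, *keys, default=None):
    """Stand-in for Panther's deep_get helper (assumption: written here to
    mirror the behaviour described in the answer, not copied from the project).
    Walks the nested keys and returns `default` if any key is missing, if an
    intermediate value is not a mapping, or if the final value is None."""
    out = reduce(
        lambda d, key: d.get(key, default) if isinstance(d, Mapping) else default,
        keys,
        dictionary,
    )
    return default if out is None else out


def compare_lookups(event):
    """Run the same lookups with dict.get and deep_get side by side."""
    actor = event.get("actor", {})
    return {
        # key present, value None: dict.get returns None, deep_get returns the default
        "get_present_none": actor.get("alternateId", "<NO_ALTERNATE_ID>"),
        "deep_get_present_none": deep_get(event, "actor", "alternateId", default="<NO_ALTERNATE_ID>"),
        # key absent: both return the default
        "get_missing": actor.get("displayName", "<NO_DISPLAY_NAME>"),
        "deep_get_missing": deep_get(event, "actor", "displayName", default="<NO_DISPLAY_NAME>"),
        # nested key present with a real value: deep_get returns it unchanged
        "deep_get_nested": deep_get(event, "outcome", "result", default="<NO_RESULT>"),
        # whole parent object absent: deep_get returns the default instead of raising
        "deep_get_missing_parent": deep_get(event, "client", "ipAddress", default="<NO_IP>"),
        # falsy-but-not-None values (empty string, 0) are returned, not replaced
        "deep_get_empty_string": deep_get({"a": ""}, "a", default="<NO_A>"),
    }


def title_with_get(event):
    """String context with dict.get: a None value leaks into the title as 'None'."""
    user = event.get("actor", {}).get("alternateId", "<NO_ALTERNATE_ID>")
    return f"Login event for user [{user}]"


def title_with_deep_get(event):
    """String context with deep_get: the placeholder default appears instead."""
    user = deep_get(event, "actor", "alternateId", default="<NO_ALTERNATE_ID>")
    return f"Login event for user [{user}]"


if __name__ == "__main__":
    for name, value in compare_lookups(SAMPLE_EVENT).items():
        print(f"{name:24} -> {value!r}")
    print(title_with_get(SAMPLE_EVENT))
    print(title_with_deep_get(SAMPLE_EVENT))
```

Two details worth noting: `default` is keyword-only in practice because positional arguments after the dictionary are all treated as keys, so always pass it as `default=...`; and only `None` is replaced, so an empty string or `0` in the event is returned as-is rather than swapped for the default.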