When the function code of a Panther Rule returns True, the rule triggers an alert. However, Panther Policies seem to do the opposite. What's going on?
Policy code fires an alert when the function returns False, while Rules fire alerts when their function returns True. Policies are the opposite of rules in this regard.
The function code for a policy asks "Is this resource compliant?" For a policy, returning True indicates the resource is compliant and no alert should be sent; returning False indicates the resource is non-compliant, which triggers an alert.
Rules analyze log events to detect suspicious behavior, so their function code asks "Was this event suspicious?" For a rule, returning True indicates suspicious activity, which triggers an alert; returning False means the event is benign and nothing fires.
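As an added example (not taken from the Panther documentation or from Panther's own code), here is a minimal rule and a minimal policy side by side, using the `rule(event)` and `policy(resource)` entry points that Panther Python detections define. The CloudTrail root-login check, the S3 bucket check, the sample inputs and the `rule_alerts` / `policy_alerts` helpers are constructed for illustration only; the helpers exist to make the inverted return convention explicit and are not part of Panther.

```python
# Added example, not Panther's own code. Shows the two return conventions:
#   rule(event)      -> True  means "suspicious, alert"
#   policy(resource) -> True  means "compliant, no alert"
# Both entry points are expected to return an explicit bool.


# --- Rule: "Was this event suspicious?" -------------------------------
def rule(event):
    """Constructed check: AWS root account console login without MFA."""
    identity = event.get("userIdentity") or {}
    extra = event.get("additionalEventData") or {}
    return bool(
        event.get("eventName") == "ConsoleLogin"
        and identity.get("type") == "Root"
        and extra.get("MFAUsed") != "Yes"
    )


def title(event):
    """Alert title for the rule above (constructed)."""
    return f"Root console login without MFA from {event.get('sourceIPAddress')}"


# --- Policy: "Is this resource compliant?" ----------------------------
def policy(resource):
    """Constructed check: S3 bucket must have versioning on and block public ACLs."""
    versioning_enabled = resource.get("Versioning") == "Enabled"
    pab = resource.get("PublicAccessBlockConfiguration") or {}
    blocks_public_acls = pab.get("BlockPublicAcls") is True
    return bool(versioning_enabled and blocks_public_acls)


# --- Helpers (constructed, not Panther API): normalise both to "does it alert?"
def rule_alerts(event):
    """A rule alerts when it returns True."""
    return rule(event) is True


def policy_alerts(resource):
    """A policy alerts when it returns False (resource non-compliant)."""
    return policy(resource) is False


# --- Constructed sample inputs (not real log or scan data) -------------
ROOT_LOGIN_NO_MFA = {
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "198.51.100.7",
    "userIdentity": {"type": "Root"},
    "additionalEventData": {"MFAUsed": "No"},
}

IAM_USER_LOGIN_WITH_MFA = {
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.9",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "additionalEventData": {"MFAUsed": "Yes"},
}

COMPLIANT_BUCKET = {
    "Name": "prod-logs",
    "Versioning": "Enabled",
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True},
}

NONCOMPLIANT_BUCKET = {
    "Name": "scratch-data",
    "Versioning": "Suspended",
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": False},
}


if __name__ == "__main__":
    for name, ev in [("root/no-MFA", ROOT_LOGIN_NO_MFA), ("iam/MFA", IAM_USER_LOGIN_WITH_MFA)]:
        print(f"rule   {name:12} returns {rule(ev)!s:5} -> alert: {rule_alerts(ev)}")
    for name, res in [("prod-logs", COMPLIANT_BUCKET), ("scratch-data", NONCOMPLIANT_BUCKET)]:
        print(f"policy {name:12} returns {policy(res)!s:5} -> alert: {policy_alerts(res)}")
```

Running it shows the inversion directly: the root login makes `rule` return True and alerts, the MFA-protected IAM login returns False and is silent; the hardened bucket makes `policy` return True and is silent, the suspended-versioning bucket returns False and alerts. When writing a policy, the mental check is "would I be happy with this resource as-is?" and return that answer; when writing a rule, "would I want to be paged about this event?" and return that.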