Skip to main content
Panther Knowledge Base

Does Panther support the detection of the absence of an event before or after another event?

  1. Last updated
  2. Save as PDF

QUESTION

Does Panther support the detection of the absence of an event before or after another event? I would like to create a detection mechanism to alert me if, after an initial triggering event, a subsequent expected event does not occur.

ANSWER

Panther does not currently support the detection of the absence of an event before or after another event. If you are interested in support of this feature, please contact Panther Support to put in a request.

As a workaround, you can refer to this example:

  1. Create an INFO level detection for the “Session Start” event. This will log when sessions start in one part of your system.

  2. Create a Scheduled Query that joins “Session Start” events with the subsequent expected event. This query should establish a relationship between those two events based on criteria like a common session identifier.

  3. Create a Scheduled Rule that triggers an alert if any of the “right side” events (the expected events) in the join are NULL.

Keep in mind that the alerts generated by this system will be “time-based” rather than “event-based”. For example, you might receive an alert "2 sessions did not have X subsequent event" rather than a per-session alert. Depending on the implementation, there may also be a risk of a session appearing in multiple alerts.