How do I check if my Panther rules are working?

Last updated
Save as PDF

QUESTION

How do I investigate if my rules are being applied? I did not see alerts trigger as expected.

ANSWER

You can check for rule matches in the Data Explorer. Using a query similar to the following will return a list of rule IDs and the number of the times they have triggered an alert in the timeframe provided. The example below checks for AWS Cloudtrail rule matches.

SELECT
  p_rule_id, count(p_rule_id)
FROM
  panther_rule_matches.public.aws_cloudtrail
WHERE
  p_occurs_since('48 hours')
GROUP BY p_rule_id