How do I create a detection in Panther based on the number of results returned from a data lake query? For example, we want to be alerted when a WAF Rule has generated a high volume of logs which would indicate a DDoS attack is underway.
To do this you will have to create a scheduled query and a schedule rule based on that query. Here is an example of what that scheduled query could look like:
SELECT count(*) as total FROM panther_logs.public.aws_waf --replace with whatever log source you want WHERE (action = 'BLOCK' AND terminatingRuleId = 'TwoHundredRequestsPerIp') AND p_occurs_since('1 hr')
You can then save that query as a scheduled query to run once every hour. After that is done, you can set up your scheduled rule to look something like this:
def rule(event): if event.get("total") > 50000: return True