Skip to main content
Panther Knowledge Base

How do I create a detection in Panther based on the number of results returned from a data lake query?

  1. Last updated
  2. Save as PDF

QUESTION

How do I create a detection in Panther based on the number of results returned from a data lake query? For example, we want to be alerted when a WAF Rule has generated a high volume of logs which would indicate a DDoS attack is underway.

ANSWER


To do this you will have to create a scheduled query and a schedule rule based on that query.  Here is an example of what that scheduled query could look like:

SELECT count(*) as total
FROM panther_logs.public.aws_waf --replace with whatever log source you want
WHERE (action = 'BLOCK' AND terminatingRuleId = 'TwoHundredRequestsPerIp') AND p_occurs_since('1 hr')


You can then save that query as a scheduled query to run once every hour.  After that is done, you can set up your scheduled rule to look something like this:
 

def rule(event):
    if event.get("total") > 50000:
        return True
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
  2. Tags
    This page has no tags.