QUESTION

When the function code of a Panther Rule returns True, the rule triggers an alert. However, Panther Policies seem to do the opposite. What's going on?

ANSWER

Policy code fires an alert when the function returns False, while Rules fire alerts when their function returns True. Policies are opposite to rules in this regard.

The function code for a policy asks "Is this resource compliant?" For a policy, returning a value of True indicates the resource is compliant, and no alert should be sent. Returning a value of False indicates the resource is non-compliant.

Rules analyze log events to detect suspicious behaviors, so their function code asks "Was this event suspicious?" For a rule, returning a value of True indicates suspicious activity, which triggers an alert.

For more information about writing policies, see our documentation here, and to learn more about writing rules, see our documentation here.