When the function code of a Panther Rule returns True, the rule triggers an alert. However, Panther Policies seem to do the opposite. What's going on?
Policy code fires an alert when the function returns False, while Rules fire alerts when their function returns True. Policies are opposite to rules in this regard.
The function code for a policy asks "Is this resource compliant?" For a policy, returning a value of True indicates the resource is compliant, and no alert should be sent. Returning a value of False indicates the resource is non-compliant, which triggers an alert.
Rules analyze log events to detect suspicious behaviors, so their function code asks "Was this event suspicious?" For a rule, returning a value of True indicates suspicious activity, which triggers an alert; returning False means the event is benign and no alert is sent.
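The following is an added illustration, not code from Panther or its documentation: one minimal policy and one minimal rule side by side, plus a small helper that encodes the inverted alert semantics. The resource and event shapes (Encryption, eventName, responseElements) are constructed for this example and are not actual Panther schemas.

```python
# Added example (not Panther's own code): a policy and a rule with the
# opposite return-value semantics described above. Data shapes below are
# constructed for illustration, not real Panther resource/log schemas.

# Constructed cloud-resource snapshots, as a policy would receive them.
SAMPLE_RESOURCES = [
    {"Name": "logs-bucket", "Encryption": {"SSEAlgorithm": "AES256"}},
    {"Name": "scratch-bucket", "Encryption": None},
]

# Constructed log events, as a rule would receive them.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Failure"}},
]


def policy(resource):
    """Policy: 'Is this resource compliant?'
    True -> compliant, no alert.  False -> non-compliant, alert."""
    return resource.get("Encryption") is not None


def rule(event):
    """Rule: 'Was this event suspicious?'
    True -> suspicious, alert.  False -> benign, no alert."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    return event.get("responseElements", {}).get("ConsoleLogin") == "Failure"


def should_alert(kind, result):
    """Map a detection's return value to whether an alert fires.
    Policies alert on False; rules alert on True."""
    if kind == "policy":
        return result is False
    if kind == "rule":
        return result is True
    raise ValueError(f"unknown detection kind: {kind}")


def evaluate_policies(resources=SAMPLE_RESOURCES):
    """Names of resources that would produce a policy alert."""
    return [r["Name"] for r in resources if should_alert("policy", policy(r))]


def evaluate_rules(events=SAMPLE_EVENTS):
    """Indices of events that would produce a rule alert."""
    return [i for i, e in enumerate(events) if should_alert("rule", rule(e))]
```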
For more information about writing policies, see our documentation here, and to learn more about writing rules, see our documentation here.