Can I dynamically convert an Alert into a Signal in Panther based on specific conditions within the rule logic?

Last updated: November 6, 2024

QUESTION

Can I dynamically convert an alert into a signal in Panther based on specific conditions within the rule logic?

ANSWER

It is not possible to convert an alert into a signal. However, every alert also generates a signal, so whether or not the alert is delivered anywhere, it can still be used in Correlation Rules and its results can be found in the signals database.

If you're trying to reduce alert noise, you can create a dynamic alert destination that generates the alert without delivering it anywhere:

def destinations(event):
    # Placeholder condition: substitute the real field names and values for your log type
    if event.get("user") == "user x" and event.get("action") == "action b":
        return []
    return None

  • Returning an empty list ([]) means "don't deliver this anywhere" and prevents the alert from being delivered to the default destinations.

  • Returning None means "deliver this to wherever it would be delivered by default."

If you want to automatically close the alert and prevent it from appearing in open alert counts, you can set its severity to INFO using a custom severity function. Here's how:

def severity(event):
    # Placeholder condition: substitute the real field names and values for your log type
    if event.get("user") == "user x" and event.get("action") == "action b":
        return 'INFO'
    return 'DEFAULT'

INFO severity alerts are automatically closed, so they don't show up in counts of open alerts or unassigned alerts.
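The following is an added example, not Panther's own code or code from this article, that puts both mechanisms described above (a dynamic destinations() that returns [] and a dynamic severity() that returns 'INFO') into one complete rule module and runs it offline against constructed events. The log field names ("userName", "action"), the benign user/action pair, and the evaluate() helper that stands in for Panther's rule engine are assumptions for illustration; in Panther itself only the rule(), destinations(), severity() and title() functions would be picked up.

```python
# Added example (not Panther's code): one rule module that suppresses delivery of
# known-noisy matches while still creating the alert, and therefore its signal.
# The field names "userName"/"action" and the pair below are assumptions.

NOISY_PAIRS = {("svc-backup", "file.download")}  # assumed benign user/action pairs


def _is_noisy(event):
    """True when the event matches a known-benign user/action pair."""
    return (event.get("userName"), event.get("action")) in NOISY_PAIRS


def rule(event):
    """Fire on every file download; tuning happens in the helpers below."""
    return event.get("action") == "file.download"


def destinations(event):
    """[] creates the alert without delivering it; None keeps the defaults."""
    if _is_noisy(event):
        return []
    return None


def severity(event):
    """Downgrade known-noisy matches to INFO so Panther auto-closes them."""
    if _is_noisy(event):
        return "INFO"
    return "DEFAULT"


def title(event):
    return f"File download by {event.get('userName', '<unknown>')}"


def evaluate(event):
    """Stand-in for the rule engine: run the rule as Panther would and report
    what an analyst would see. Returns None when the rule does not fire,
    otherwise a dict describing the resulting alert. Events are plain dicts
    here; Panther's event object exposes the same .get() interface."""
    if not rule(event):
        return None
    sev = severity(event)
    return {
        "title": title(event),
        "severity": sev,
        "destinations": destinations(event),  # [] = created, not delivered
        "open": sev != "INFO",                # INFO alerts are auto-closed
        "signal_recorded": True,              # every alert also yields a signal
    }


if __name__ == "__main__":
    # Constructed sample events, not real log data.
    noisy = {"userName": "svc-backup", "action": "file.download"}
    suspicious = {"userName": "jdoe", "action": "file.download"}
    unrelated = {"userName": "jdoe", "action": "login"}
    for ev in (noisy, suspicious, unrelated):
        print(evaluate(ev))
```

The noisy event still produces an alert and a signal (so a Correlation Rule can use it) but is delivered nowhere and is auto-closed; the suspicious one goes to the default destinations at the rule's configured severity; the unrelated one never fires the rule at all.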