Is there a way to change the logic for a standard rule, like the "Admin Role Assigned" rule, for a specific log type?
You can copy and edit the data model associated with that log type, then swap it in by disabling the old data model and enabling the new one.
Standard rules look at Data Model values for each log type to determine if the logic applies. In the "Admin Role Assigned" rule, we can see that we check event_type, which is a UDM field defined on a per-log-type basis. Data Models for log types that are included in the standard rules can be found in the data_models folder in the panther-analysis repo.
import panther_event_type_helpers as event_type


def rule(event):
    # Filter events on the unified data model field; the data model for the
    # log type decides which raw fields map to event_type.
    return event.udm("event_type") == event_type.ADMIN_ROLE_ASSIGNED
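The following is an added example, not Panther's own code, showing why editing the data model is enough: the standard rule stays unchanged, and only the data model's mapping for the UDM event_type field changes which events fire. The log type "Example.Audit", the sample events, the UDMEvent stand-in and the constant's string value are all assumptions made for this illustration.

```python
# Added example (not Panther's own code): how editing a log type's data model
# changes which events the unchanged "Admin Role Assigned" rule fires on.
# The constant value is assumed to match panther_event_type_helpers.
ADMIN_ROLE_ASSIGNED = "admin_role_assigned"

# Constructed sample events for a hypothetical "Example.Audit" log type
SAMPLE_EVENTS = [
    {"id": 1, "action": "role.assign", "role": "admin"},
    {"id": 2, "action": "role.assign", "role": "owner"},
    {"id": 3, "action": "role.assign", "role": "viewer"},
    {"id": 4, "action": "user.login", "role": "admin"},
]


def get_event_type_original(event):
    """Data model as shipped: only the literal 'admin' role is privileged."""
    if event.get("action") == "role.assign" and event.get("role") == "admin":
        return ADMIN_ROLE_ASSIGNED
    return None


def get_event_type_custom(event):
    """Edited copy of the data model: 'owner' is also treated as admin."""
    if event.get("action") == "role.assign" and event.get("role") in ("admin", "owner"):
        return ADMIN_ROLE_ASSIGNED
    return None


class UDMEvent(dict):
    """Minimal stand-in (assumed shape, not Panther's class): udm() resolves
    a UDM field by calling the data model's Method mapping for that field."""

    def __init__(self, raw, mappings):
        super().__init__(raw)
        self._mappings = mappings

    def udm(self, field):
        return self._mappings[field](self)


def rule(event):
    # Unchanged standard rule: it never reads raw fields, only the UDM value
    return event.udm("event_type") == ADMIN_ROLE_ASSIGNED


def matching_ids(events, mappings):
    """Run the standard rule over events under a given data model mapping."""
    return [e["id"] for e in events if rule(UDMEvent(e, mappings))]


ORIGINAL_MODEL = {"event_type": get_event_type_original}
CUSTOM_MODEL = {"event_type": get_event_type_custom}
```

With ORIGINAL_MODEL only event 1 matches; after replacing it with CUSTOM_MODEL events 1 and 2 match, with no change to rule().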