Issue

When trying to use panther_analysis_tool (PAT) to test my detections locally, I'm getting the following error:

AttributeError: 'PantherEvent' object has no attribute 'deep_walk'

Resolution

Most likely, one of your dependencies (panther-core) is out of date. To resolve this issue:

  1. (If using a virtual environment): Activate your virtual environment by cd-ing into your Panther repo, then running pipenv shell

  2. Explicitly update panther-core by running python3 -m pip install panther-core --upgrade

Cause

The deep_walk function was added to Panther events in panther-core version 0.6.3. If your installed version is older than that, any rules which have syntax like

def rule(event):
    actor = event.deep_walk('parameters', 'actor')
    ...

will cause errors.
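
To catch this before running PAT (for example in CI), the following added example, which is not part of panther-core or PAT, finds deep_walk calls in a rule's source and compares the installed panther-core version against 0.6.3. The function names (parse_version, deep_walk_calls, installed_version, preflight) are hypothetical, and the sample rule is constructed from the snippet above.

```python
import ast
import re
from importlib import metadata

MIN_DEEP_WALK = (0, 6, 3)  # first panther-core version with deep_walk, per this page

def parse_version(text):
    """'0.10.0' -> (0, 10, 0). Compared as integers, not strings; suffixes like 'rc1' are ignored."""
    found = (re.match(r"\d+", part) for part in text.split(".")[:3])
    nums = [int(m.group()) for m in found if m]
    return tuple(nums + [0] * (3 - len(nums)))

def deep_walk_calls(source, filename="<rule>"):
    """Return the line numbers where any object's .deep_walk(...) is called."""
    tree = ast.parse(source, filename=filename)
    return sorted(
        node.lineno for node in ast.walk(tree)
        if isinstance(node, ast.Call)
        and isinstance(node.func, ast.Attribute)
        and node.func.attr == "deep_walk"
    )

def installed_version(dist="panther-core"):
    """Version string of the installed distribution, or None if it is absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None

def preflight(source, installed):
    """Return a list of problems; an empty list means the rule can use deep_walk."""
    lines = deep_walk_calls(source)
    if not lines:
        return []  # rule never calls deep_walk, so the version does not matter
    if installed is None:
        return ["panther-core is not installed in this environment"]
    if parse_version(installed) < MIN_DEEP_WALK:
        return [f"line {n}: deep_walk needs panther-core >= 0.6.3, found {installed}" for n in lines]
    return []

# Constructed sample rule, based on the snippet shown on this page.
SAMPLE_RULE = '''def rule(event):
    actor = event.deep_walk('parameters', 'actor')
    return actor is not None
'''

if __name__ == "__main__":
    for problem in preflight(SAMPLE_RULE, installed_version()):
        print(problem)
```

Run it inside the same virtual environment that PAT uses, otherwise it reports the version of a different panther-core install.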