QUESTION

How do I create a baseline of metrics and then create an alert or scheduled query that can compare metrics from a time window against the baseline to decide when to run the alert? I want to monitor if certain events, like failed logins, exceed a certain threshold.

ANSWER

Set the desired threshold in a Scheduled Query, and then set up a Scheduled Rule based on that query.

To schedule a query, see Panther's documentation: How to create a scheduled query. The query should include a variable that you will use in the Scheduled Rule.

In the example below, we use the variable failed_logins.

-- Count failed-login events over the last 30 days and expose the count
-- as the variable failed_logins; rows are returned only when it exceeds 5.
SELECT * FROM
  (SELECT COUNT(eventType) AS failed_logins
   FROM panther_logs.earnin
   WHERE eventType = 'failed-login'
     AND p_occurs_since('30 days'))
WHERE failed_logins > 5;

Now that the Scheduled Query has been saved, go to the Detections section in the Panther Console to create a Scheduled Rule. In the Functions and Tests section for this new rule, you can use the variable from your Scheduled Query. This example uses failed_logins.

def rule(event):
    # Each row returned by the Scheduled Query arrives as an event; the
    # failed_logins column is read here. Default to 0 so a missing column
    # does not raise a TypeError on the comparison.
    if event.get('failed_logins', 0) > 20:
        return True
    return False


def title(event):
    return 'More than 20 failed logins in the last 30 days'
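The question asks about comparing a window against a baseline rather than a fixed number. The following is an added example, not part of the original answer or Panther's documentation, showing how the rule function can do that comparison. It assumes the Scheduled Query returns two hypothetical columns, failed_logins_last_day and baseline_daily_avg (both names are assumptions chosen for this example).

```python
# Added example (not from the original answer or Panther's docs): a Scheduled Rule
# that compares a recent window against a baseline instead of a fixed number.
# It assumes the Scheduled Query returns, per row, two hypothetical columns:
#   failed_logins_last_day  - count of failed logins in the most recent day
#   baseline_daily_avg      - average daily count over the preceding 30 days
# Both column names are assumptions chosen for this example.

BASELINE_MULTIPLIER = 3.0   # fire when the recent count is 3x the daily baseline
MIN_EVENTS = 20             # and never fire on tiny absolute numbers
MIN_BASELINE = 1.0          # floor the baseline so a quiet month does not divide by ~0


def ratio_to_baseline(event):
    """Return how many times the recent count exceeds the daily baseline."""
    recent = event.get("failed_logins_last_day") or 0
    baseline = event.get("baseline_daily_avg") or 0
    return recent / max(float(baseline), MIN_BASELINE)


def rule(event):
    # Absolute floor first: a 3x jump from 2 to 6 logins is noise, not an alert.
    recent = event.get("failed_logins_last_day") or 0
    if recent < MIN_EVENTS:
        return False
    return ratio_to_baseline(event) >= BASELINE_MULTIPLIER


def title(event):
    return (
        f"Failed logins {event.get('failed_logins_last_day', 0)} in the last day, "
        f"{ratio_to_baseline(event):.1f}x the 30-day daily baseline"
    )


# Constructed sample rows standing in for Scheduled Query output.
SAMPLE_ROWS = [
    {"failed_logins_last_day": 90, "baseline_daily_avg": 25.0},  # 3.6x -> alert
    {"failed_logins_last_day": 60, "baseline_daily_avg": 25.0},  # 2.4x -> quiet
    {"failed_logins_last_day": 12, "baseline_daily_avg": 0.0},   # too few -> quiet
    {"failed_logins_last_day": 40, "baseline_daily_avg": None},  # no baseline -> alert
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(rule(row), title(row))
```

The absolute floor and the baseline floor are the two knobs that keep a baseline rule from alerting on a quiet tenant's first handful of failures.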