How do I create a baseline of metrics and then create an alert or scheduled query that can compare metrics from a time window against the baseline to decide when to run the alert? I want to monitor if certain events, like failed logins, exceed a certain threshold.
Set the desired threshold in a Scheduled Query, and then set up a Scheduled Rule based on that query.
To schedule a query, see Panther's documentation: How to create a scheduled query. The query should include a variable that you will use in the Scheduled Rule.
In the example below, we use the variable failed_logins.
SELECT * FROM
(SELECT COUNT(eventType) as failed_logins
FROM panther_logs.earnin
WHERE eventType='failed-login'
AND p_occurs_since('30 days'))
WHERE failed_logins > 5;
Now that the Scheduled Query has been saved, go to the Detections section in the Panther Console to create a Scheduled Rule. In the Functions and Tests section for this new rule, you can use the variable from your Scheduled Query. This example uses failed_logins:
def rule(event):
    # The row returned by the Scheduled Query carries the failed_logins column.
    # Defaulting to 0 avoids a TypeError (None > 20) if the column is ever absent.
    if event.get('failed_logins', 0) > 20:
        return True
    return False

def title(event):
    return 'More than 20 failed logins in the last 30 days'
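To see how the two thresholds layer (the query only returns a row when the count exceeds 5, and the rule only alerts above 20), here is an offline stand-in for the pipeline above. This is an added example, not Panther's code: scheduled_query() mimics the SQL with a constructed list of events, and evaluate() feeds its rows through the same rule() and title() logic.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not real log data). Each row carries what the
# Scheduled Query looks at: the eventType and the event timestamp.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def make_events(failed_in_window):
    """Build failed_in_window failed-login rows inside the 30-day window,
    plus one successful login and one failed-login 45 days back (outside)."""
    rows = [{"eventType": "failed-login", "p_event_time": NOW - timedelta(days=d % 29)}
            for d in range(failed_in_window)]
    rows.append({"eventType": "login", "p_event_time": NOW - timedelta(days=1)})
    rows.append({"eventType": "failed-login", "p_event_time": NOW - timedelta(days=45)})
    return rows


def scheduled_query(events, now=NOW, window=timedelta(days=30), min_count=5):
    """Offline equivalent of the Scheduled Query: count failed-login events
    within the window and return a result row only when the count exceeds
    the query's own threshold (WHERE failed_logins > 5)."""
    count = sum(1 for e in events
                if e["eventType"] == "failed-login"
                and now - e["p_event_time"] <= window)
    return [{"failed_logins": count}] if count > min_count else []


def rule(event):
    # Same decision as the Scheduled Rule; default 0 guards a missing column.
    return event.get("failed_logins", 0) > 20


def title(event):
    return f"{event.get('failed_logins', 0)} failed logins in the last 30 days (threshold 20)"


def evaluate(events, now=NOW):
    """Run the query, then pass every returned row through rule(); return
    the alert titles that would fire."""
    return [title(row) for row in scheduled_query(events, now) if rule(row)]


if __name__ == "__main__":
    for n in (3, 10, 25):
        print(n, "failed logins ->", evaluate(make_events(n)) or "no alert")
```

With 3 failures the query returns no row at all, with 10 it returns a row that the rule ignores, and with 25 the rule fires.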