QUESTION

Is it possible to have both a sequence and a group in one correlation rule in Panther?

ANSWER

Currently, Panther does not support combining sequence and group within the same correlation rule. Sequences and groups are two distinct types of correlation rules, and they cannot be used simultaneously in a single rule definition.

If you are interested in support for this feature, please contact Panther Support to submit a feature request.

Workaround

As a workaround, you can create nested correlation rules to achieve a similar effect:

1. Create a sequence correlation rule as the "parent" rule.

2. Create a separate group correlation rule as a "child" rule.

3. Reference the "child" group correlation rule within the "parent" sequence correlation rule.

This approach allows you to define a sequence of events followed by a group of events that can occur in any order, effectively combining both sequence and group behaviors in your detection logic.