I have some general detection logic that can apply to multiple log types. Can I craft a single detection which can work against log events from multiple log types?
Yes, you can! The notes below explain how to craft generalized detections.
The process of attaching the various log sources differs, depending on whether you work out of the Panther Console, or use a CI/CD workflow:
From within the Panther Console, you can easily add extra log types during rule creation by selecting more than one log type from the selection box.
When uploading detections via the Panther Analysis Tool, you can specify multiple values in the LogTypes field. For example:
AnalysisType: rule
...
LogTypes:
- Crowdstrike.FDREvent
- AWS.VPCDns
- CiscoUmbrella.DNS
When writing a detection for multiple log types, be careful not to rely on fields that are present in some, but not all, of the logs the rule will be used with. Here are some tips for making sure your logic applies to logs of all types:
1. Use Panther's Standard Fields
Panther provides a set of standardized fields you can use in your detections. Some pertain to the metadata of the log event, while others provide shortcuts to specific event content. These fields should be present across all Panther-managed log types, and can be added to custom log types via the use of indicators.
2. Use Data Models
Data Models provide a consistent mapping, which allows you to access specific information across different log types, using the same key. Panther provides Data Models for all of our managed log types, and you can create Data Models for your own custom log types as well.
Data Models can be leveraged within your code using the event object's udm() function. They can also be used to access enrichment data without knowing the exact log type of the event.
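The following is an added example, not code from Panther's documentation or repositories, showing how tips 1 and 2 combine in one rule. It reads the queried domain through a Data Model key and falls back to a standard field, so the same logic runs unchanged against each log type listed in the LogTypes fragment above. The FakeEvent class is a constructed stand-in for the event object Panther supplies at runtime (it implements only get() and udm()); the Data Model key "dns_query", the standard field names "p_log_type" and "p_any_domain_names", the raw field names in DATA_MODELS, the watchlist, and every sample event are assumptions made for this example.

```python
from typing import Any, Dict, List, Optional, Tuple


class FakeEvent:
    """Constructed stand-in for the event object Panther hands to rule().

    Only get() and udm() are implemented, the two calls the rule below uses.
    DATA_MODELS plays the role of the per-log-type Data Models that Panther
    (or you, for a custom log type) would define; the raw field names in it
    are assumptions for this example, not the real schemas.
    """

    DATA_MODELS: Dict[str, Dict[str, str]] = {
        "Crowdstrike.FDREvent": {"dns_query": "DomainName"},
        "AWS.VPCDns": {"dns_query": "query_name"},
        "CiscoUmbrella.DNS": {"dns_query": "domain"},
    }

    def __init__(self, raw: Dict[str, Any]) -> None:
        self._raw = raw

    def get(self, key: str, default: Any = None) -> Any:
        return self._raw.get(key, default)

    def udm(self, key: str) -> Optional[Any]:
        # Resolve the common key through the Data Model of this event's log type.
        mapping = self.DATA_MODELS.get(self.get("p_log_type"), {})
        path = mapping.get(key)
        return self._raw.get(path) if path else None


# Constructed watchlist; a production rule would load it from a lookup or config.
SUSPICIOUS_DOMAINS = {"bad-domain.example"}


def queried_domain(event: FakeEvent) -> Optional[str]:
    """Return the queried domain without touching log-type-specific field names."""
    domain = event.udm("dns_query")  # tip 2: Data Model key, same for every log type
    if not domain:
        # tip 1: standard field (assumed name), populated for any log type whose
        # indicators include domain names, so custom log types are covered too.
        names = event.get("p_any_domain_names") or []
        domain = names[0] if names else None
    return domain.lower().rstrip(".") if domain else None


def rule(event: FakeEvent) -> bool:
    domain = queried_domain(event)
    return domain is not None and domain in SUSPICIOUS_DOMAINS


def title(event: FakeEvent) -> str:
    return f"DNS query for watchlisted domain {queried_domain(event)} ({event.get('p_log_type')})"


# Constructed sample events, one per log type plus two edge cases.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"p_log_type": "Crowdstrike.FDREvent", "DomainName": "Bad-Domain.example.",
     "p_any_domain_names": ["bad-domain.example"]},
    {"p_log_type": "AWS.VPCDns", "query_name": "bad-domain.example"},
    {"p_log_type": "CiscoUmbrella.DNS", "domain": "intranet.example"},
    # Custom log type with no Data Model: only the standard field is available.
    {"p_log_type": "Custom.DnsProxy", "p_any_domain_names": ["bad-domain.example"]},
    # Nothing to evaluate: the rule must return False rather than raise.
    {"p_log_type": "Custom.DnsProxy"},
]


def evaluate_samples() -> List[Tuple[str, bool]]:
    return [(raw["p_log_type"], rule(FakeEvent(raw))) for raw in SAMPLE_EVENTS]


if __name__ == "__main__":
    for log_type, fired in evaluate_samples():
        print(f"{log_type:<24} fired={fired}")
```

The important design point is that rule() never names a raw field: the Data Model absorbs the per-log-type differences, and the standard-field fallback keeps the rule from silently returning False on a log type you have not written a Data Model for yet. Normalizing case and the trailing dot before the lookup avoids false negatives that differ only by how each source formats the domain.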