I want to share some variables across my functions within my Python detection code. How can I define them so that changes made in one function persist into the next?
Panther supports defining variables that are scoped to the lifetime of the detection's invocation. To do so, define them outside the functions, and use the global keyword inside the functions, like the example below:
my_global = "foo"  # Create an invocation-scoped variable, and set it to foo

def rule(event):
    global my_global  # Tells Panther that this is the same `my_global` as above
    my_global = "bar"  # Overwrite the value we initially defined
    return True

def title(event):
    global my_global  # Again, we tell Panther to use the global variable
    return my_global  # Returns "bar", since we overwrote "foo" in the rule() function
There are a few caveats:
- The global variables here are scoped to the lifetime of the invocation, meaning the values may persist across different events. If your detection logic requires the global variable to always start with some default value, make sure you assign that value near the beginning of your rule() function.
- If you forget to use the global keyword in your function, you'll create a new local variable instead of using the global one you defined earlier. This can be a common source of confusion. When troubleshooting, ensure that you've properly implemented the global keyword.
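Both caveats can be reproduced locally. The following is an added example, not Panther's own code: run_invocation() is a hypothetical stand-in for one invocation that passes several events through the same detection, and the event fields and the three detections are constructed for illustration.

```python
# Constructed sample events; the second one carries no "actor" field.
EVENTS = [
    {"action": "login", "actor": "alice"},
    {"action": "delete_key"},
    {"action": "delete_key", "actor": "bob"},
]

def run_invocation(rule, title, events):
    """Hypothetical harness: call rule(), then title(), for each matching event."""
    return [title(e) for e in events if rule(e)]

# Caveat 1: the global is only set on one branch, so an earlier event's value leaks.
leaky_user = "unknown"
def leaky_rule(event):
    global leaky_user
    if event.get("actor"):
        leaky_user = event["actor"]
    return event.get("action") == "delete_key"
def leaky_title(event):
    return f"Key deleted by {leaky_user}"

# Fix for caveat 1: assign the default at the start of rule() for every event.
safe_user = "unknown"
def safe_rule(event):
    global safe_user
    safe_user = "unknown"
    if event.get("actor"):
        safe_user = event["actor"]
    return event.get("action") == "delete_key"
def safe_title(event):
    return f"Key deleted by {safe_user}"

# Caveat 2: no `global` statement, so rule() only assigns a local variable
# and title() keeps reading the untouched module-level default.
shadow_user = "unknown"
def shadow_rule(event):
    shadow_user = event.get("actor", "unknown")  # local, discarded on return
    return event.get("action") == "delete_key"
def shadow_title(event):
    return f"Key deleted by {shadow_user}"

if __name__ == "__main__":
    print(run_invocation(leaky_rule, leaky_title, EVENTS))    # first alert blames alice
    print(run_invocation(safe_rule, safe_title, EVENTS))      # first alert says unknown
    print(run_invocation(shadow_rule, shadow_title, EVENTS))  # both alerts say unknown
```

In the leaky variant the alert for the actor-less event is titled with the actor of the preceding login event, which is the kind of misattribution the reset at the top of rule() prevents.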