How can I prevent Panther from persisting my rule's global variable between log events?
I am writing tests for panther_analysis_tool that make use of python dataclasses and global variables. PAT does not reset the environment between logs in the YML file. Is this expected?
This is expected behavior because of how the rule engine works; we pass events in a stream through a python process, and global variables are preserved across the lifetime of the process.
You cannot disable it, but you can prevent this behaviour by assigning the default values for your global variables in the rule function, instead of at the top of your module.
Instead of doing this:
    # Assigned once at import time, so it persists for the life of the rule process
    GLOBAL_VAR = "mydefault"

    def rule(event):
        ...
You could do this:
    def rule(event):
        # The global statement must be inside the function; otherwise the
        # assignment below creates a local variable instead of resetting the global
        global GLOBAL_VAR
        GLOBAL_VAR = "mydefault"
        ...
When you define it in the rule, you manually reset the environment for each event the rule processes. If you’re using a linter, you may need to use some form of override to prevent issues that may occur while using this method.
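As an added example (not code from the original post or from Panther), here is a small module that shows the difference the answer describes. It keeps a dataclass in a module-level global, runs three events through a constructed stand-in for the engine (`run_stream`, `WATCHED_PORTS`, the event shape and the `rule_*`/`title_*` names are all assumptions), and compares the leaky pattern with the reset-in-`rule()` pattern:

```python
from dataclasses import dataclass, field

# Constructed example: ports whose appearance in an event we want to flag.
WATCHED_PORTS = {22, 3389}


@dataclass
class Context:
    # Per-event scratch state that rule() fills and title() reads.
    suspicious_ports: list = field(default_factory=list)


# Leaky pattern: the default is assigned once at import time, so the object
# lives as long as the rule process and every later event sees earlier data.
LEAKY_CONTEXT = Context()


def rule_leaky(event):
    for port in event.get("dst_ports", []):
        if port in WATCHED_PORTS:
            LEAKY_CONTEXT.suspicious_ports.append(port)
    # Anything left over from a previous event makes this event alert too.
    return bool(LEAKY_CONTEXT.suspicious_ports)


def title_leaky(event):
    return f"{event['src']} touched ports {sorted(set(LEAKY_CONTEXT.suspicious_ports))}"


# Reset pattern from the answer: rebind the global at the top of rule() so each
# event starts from the default value. The `global` statement has to be inside
# the function; at module level it is a no-op and the assignment in rule()
# would silently create a local variable that title() never sees.
CONTEXT = Context()


def rule_reset(event):
    global CONTEXT
    CONTEXT = Context()
    for port in event.get("dst_ports", []):
        if port in WATCHED_PORTS:
            CONTEXT.suspicious_ports.append(port)
    return bool(CONTEXT.suspicious_ports)


def title_reset(event):
    return f"{event['src']} touched ports {sorted(set(CONTEXT.suspicious_ports))}"


def run_stream(rule_fn, title_fn, events):
    """Stand-in for the engine (an assumption, not Panther's code): one
    long-lived process feeds events to the rule in order and records the
    alert title for each event that matched, or None for a non-match."""
    results = []
    for event in events:
        results.append(title_fn(event) if rule_fn(event) else None)
    return results


# Constructed sample events, in the order the engine would stream them.
EVENTS = [
    {"src": "10.0.0.5", "dst_ports": [22]},
    {"src": "10.0.0.9", "dst_ports": [80]},
    {"src": "10.0.0.7", "dst_ports": [3389]},
]


if __name__ == "__main__":
    print("leaky:", run_stream(rule_leaky, title_leaky, EVENTS))
    print("reset:", run_stream(rule_reset, title_reset, EVENTS))
```

With the leaky pattern the second event (port 80 only) still alerts, because port 22 from the first event is still sitting in the shared dataclass, and the third title lists both ports. With the reset pattern each event is judged on its own contents, which is what a test file with several independent log events expects. As the answer notes, a linter may complain about the `global` statement inside `rule()`; a per-line override is usually the simplest fix.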