Issue

When trying to run a detection in Panther, the following error occurs:

New rule error: AttributeError("'NoneType' object has no attribute 'lower'")

Resolution

To resolve this issue, make sure that the key(s) used in the detection function do not return None. When calling the function, set a default value of an empty string "" for the key(s) in question. This can prevent potential errors by ensuring that if the specified key(s) are not found in the nested data structure, the function will return the default value instead of None.

For example, here is a detection function causing an error:

if deep_get(event, "properties", "riskState").lower() in ["dismissed", "remediated"]:

Add a default value to "riskState" like this:

if deep_get(event, "properties", "riskState", default="").lower() in ["dismissed", "remediated"]:

Please contact Panther Support as the Panther repository may require a code update.
 

However, if you've already set a default value and event.get still returns None, it's important to review how you are extracting strings from the event.

Consider these scenarios:

In  [1]: event = {'foo': 'bar', 'thing': None}

In  [2]: type(event.get('thing') or "")
Out [2]: str

In  [3]: type(event.get('thing', ""))
Out [3]: NoneType

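In [3], the key 'thing' exists and its value is None, so event.get does not fall back to the default and returns None. In [2], the "or" replaces that None with an empty string. We recommend using scenario [2] as the "safest" way to extract a string from the event.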
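The two scenarios above, applied to the riskState check, as an added example (not Panther's code). nested_get is a simplified, hypothetical stand-in for a nested lookup helper that follows dict.get semantics, and the sample events are constructed.

```python
from functools import reduce

CLOSED_STATES = {"dismissed", "remediated"}

def nested_get(event, *keys, default=None):
    """Hypothetical stand-in for a nested lookup; the default applies only to absent keys."""
    def step(node, key):
        return node.get(key, default) if isinstance(node, dict) else default
    return reduce(step, keys, event)

def rule_default_only(event):
    # A default covers a missing key, but not a key whose value is null/None.
    return nested_get(event, "properties", "riskState", default="").lower() in CLOSED_STATES

def rule_safe(event):
    # `or ""` covers both a missing key and an explicit None (scenario [2]).
    return (nested_get(event, "properties", "riskState") or "").lower() in CLOSED_STATES

# Constructed sample events (not real log data).
EVENTS = {
    "present": {"properties": {"riskState": "Dismissed"}},
    "missing_key": {"properties": {}},
    "missing_parent": {},
    "null_value": {"properties": {"riskState": None}},
    "null_parent": {"properties": None},
}

def evaluate(rule):
    """Run a rule over every sample event; record its result or the error it raised."""
    results = {}
    for name, event in EVENTS.items():
        try:
            results[name] = rule(event)
        except AttributeError as exc:
            results[name] = f"AttributeError: {exc}"
    return results

if __name__ == "__main__":
    for rule in (rule_default_only, rule_safe):
        print(rule.__name__, evaluate(rule))
```

Only the event with an explicit null riskState makes rule_default_only raise; rule_safe evaluates all five events.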

Cause

The issue can occur when the key(s) used in the detection function do not exist within the nested dictionary structure. In such cases, the function returns None by default. The .lower() method is then applied to that None value, which raises the AttributeError shown above because string methods cannot be applied to a None object. By assigning a default value, you ensure that even if the specified key(s) are not found in the nested data structure, the function will return the default value (typically an empty string) instead of None. This allows you to safely apply .lower() to the result without encountering errors.