In a rule, you might check the type of a particular data field within the event, and find that list- and dict-type comparisons are not working as expected.
type(myList) != list
type(myDict) != dict
To resolve this issue, add the following line to the beginning of your rule function:
def rule(event):
    event = event.to_dict()
This issue occurs because Panther internally converts lists and dicts into an immutable form, to prevent data from changing between rule functions. Most of the time this is seamless, but when relying on the types of data in your event fields, you can run into issues.
The to_dict function on all event objects returns a deep copy of the event in a mutable form, using native Python data types.
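The behavior described above can be reproduced offline. The following is an added example, not Panther's own code: FrozenList, FrozenDict, StubEvent, freeze and thaw are hypothetical stand-ins for the immutable wrappers, and the sourceIPs field and sample event are constructed. It shows a type check that silently never matches, and the same check after to_dict().

```python
from collections.abc import Mapping, Sequence

# Hypothetical read-only wrappers (not Panther's classes): they behave like
# a list/dict when read, but are not the built-in list/dict types.
class FrozenList(Sequence):
    def __init__(self, items):
        self._items = [freeze(i) for i in items]
    def __getitem__(self, idx):
        return self._items[idx]
    def __len__(self):
        return len(self._items)

class FrozenDict(Mapping):
    def __init__(self, data):
        self._data = {k: freeze(v) for k, v in data.items()}
    def __getitem__(self, key):
        return self._data[key]
    def __iter__(self):
        return iter(self._data)
    def __len__(self):
        return len(self._data)

def freeze(value):  # native containers -> read-only wrappers, recursively
    if isinstance(value, dict):
        return FrozenDict(value)
    if isinstance(value, list):
        return FrozenList(value)
    return value

def thaw(value):  # read-only wrappers -> native dict/list, recursively
    if isinstance(value, Mapping):
        return {k: thaw(v) for k, v in value.items()}
    if isinstance(value, Sequence) and not isinstance(value, (str, bytes)):
        return [thaw(v) for v in value]
    return value

class StubEvent(FrozenDict):
    def to_dict(self):  # deep, mutable copy made of native Python types
        return thaw(self)

def rule_without_to_dict(event):
    # The field is a wrapper, so this is False and the rule never fires.
    return type(event.get("sourceIPs")) == list

def rule_with_to_dict(event):
    event = event.to_dict()
    return type(event.get("sourceIPs")) == list

# Constructed sample event
SAMPLE = StubEvent({"sourceIPs": ["198.51.100.7"], "user": {"name": "alice"}})
```

Because to_dict() returns a copy, changes made to that copy inside one rule function do not alter the original event object.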