QUESTION

Is there a way to create and update a baseline of metrics and then create an alert or scheduled query in Panther that can compare metrics from a time window against the baseline to decide if a metric is off the mean or median for that metric?

ANSWER

We recommend creating a scheduled search and then creating a scheduled rule that will be triggered each time your scheduled query runs. This allows you to capture the baseline using Python in the scheduled query, and create alerts from the data that your scheduled query returns.

Here is an example of a scheduled query combined with a scheduled rule:

Scheduled Query

-- Count failed-login events over the trailing 30 days and return a row
-- only when the count exceeds the threshold. p_occurs_since is the Panther
-- macro that bounds the scan to the time window.
SELECT * FROM
  (SELECT COUNT(eventType) AS failed_logins
   FROM panther_logs.public.<example_log_type>
   WHERE eventType = 'failed-login'
   AND p_occurs_since('30 days'))
WHERE failed_logins > 5;

Rule function

def rule(event):
    # Each row returned by the scheduled query arrives as an event.
    # Default to 0 so a missing column does not raise a TypeError.
    if event.get('failed_logins', 0) > 5:
        return True
    return False

def title(event):
    return 'More than 5 failed logins in the last 30 days'
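The answer above alerts on a fixed count, whereas the question asks about deviation from a baseline mean or median. The following is an added example, not code from the original answer or from Panther, of a scheduled rule written in the same style that does the baseline comparison. It assumes the scheduled query returns, per actor, a row with the columns current_count, baseline_mean, baseline_median and baseline_stddev (names chosen here; a real query would compute them with AVG, MEDIAN and STDDEV_POP over daily counts from the prior 30 days), and the thresholds are illustrative values, not Panther defaults. The baseline_stats helper and SAMPLE_HISTORY only exist so the example runs offline; they stand in for what the SQL would produce.

```python
"""Added example: Panther-style scheduled rule that flags a metric that sits
well above its baseline mean and median. Column names, thresholds and the
sample history are assumptions made for this example, not Panther's own."""

from statistics import mean, median, pstdev

# Illustrative thresholds (assumed; tune to your data).
Z_THRESHOLD = 3.0        # current count must be >= 3 standard deviations above the mean
MEDIAN_MULTIPLIER = 2.0  # ... and more than 2x the median (guards against a skewed mean)
MIN_EVENTS = 10          # ignore tiny counts that would otherwise look anomalous
HIGH_MULTIPLIER = 5.0    # more than 5x the median is escalated to HIGH severity


def baseline_stats(daily_counts):
    """Summarise per-day counts into the baseline columns the rule expects.
    In production the scheduled query's baseline sub-select computes these;
    this helper exists so the example runs without Panther."""
    if not daily_counts:
        raise ValueError("baseline needs at least one day of history")
    return {
        "baseline_mean": mean(daily_counts),
        "baseline_median": median(daily_counts),
        "baseline_stddev": pstdev(daily_counts),
    }


def z_score(event):
    """Standard deviations the current count sits above the baseline mean.
    A zero stddev (perfectly flat baseline) is treated as 1 so a spike on
    top of a flat history still scores instead of dividing by zero."""
    stddev = event.get("baseline_stddev", 0) or 1.0
    return (event.get("current_count", 0) - event.get("baseline_mean", 0)) / stddev


def rule(event):
    # Each row from the scheduled query arrives as one event; defaults keep a
    # missing column from raising a TypeError.
    current = event.get("current_count", 0)
    if current < MIN_EVENTS:
        return False  # too few events to call this an anomaly
    over_median = current > MEDIAN_MULTIPLIER * event.get("baseline_median", 0)
    return z_score(event) >= Z_THRESHOLD and over_median


def title(event):
    return (
        f"Failed logins for {event.get('actor', '<unknown>')} are "
        f"{z_score(event):.1f} standard deviations above the 30-day mean "
        f"({event.get('current_count', 0)} now vs mean {event.get('baseline_mean', 0):.1f})"
    )


def severity(event):
    # Panther lets a rule override the configured severity per event.
    if event.get("current_count", 0) > HIGH_MULTIPLIER * event.get("baseline_median", 0):
        return "HIGH"
    return "MEDIUM"


def dedup(event):
    # One alert per actor per dedup window rather than one per query run.
    return event.get("actor", "<unknown>")


# Constructed sample: 30 days of per-day failed-login counts for one actor.
SAMPLE_HISTORY = [4, 6, 5, 7, 5, 4, 6, 5, 5, 6, 4, 7, 5, 6, 5,
                  4, 6, 5, 7, 5, 6, 4, 5, 6, 5, 7, 4, 6, 5, 5]


def build_event(actor, current_count, history=SAMPLE_HISTORY):
    """Assemble the row the scheduled query would hand to the rule."""
    row = {"actor": actor, "current_count": current_count}
    row.update(baseline_stats(history))
    return row


if __name__ == "__main__":
    for actor, count in (("alice", 6), ("carol", 11), ("bob", 40)):
        ev = build_event(actor, count)
        print(actor, rule(ev), severity(ev) if rule(ev) else "-", title(ev) if rule(ev) else "")
```

Requiring both the z-score and the median multiple to trip keeps one outlier day in the history from inflating the mean and hiding a real spike, and the MIN_EVENTS floor stops an actor whose baseline is near zero from alerting on a handful of events.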