Is there a way to create and update a baseline of metrics and then create an alert or scheduled query in Panther that can compare metrics from a time window against the baseline to decide if a metric is off the mean or median for that metric?
We recommend creating a scheduled search (query) and then a scheduled rule that is triggered each time the scheduled query runs. The baseline is computed in SQL inside the scheduled query, and the scheduled rule's Python runs once for every row the query returns, so the rule can turn any row that deviates from the baseline into an alert.
Here is an example of a scheduled query combined with a scheduled rule:
Scheduled Query
-- Count failed logins over the last 30 days and return a row only when the
-- count exceeds 5; the scheduled rule below then runs once for that row.
SELECT * FROM
  (SELECT COUNT(eventType) AS failed_logins
   FROM panther_logs.public.<example_log_type>
   WHERE eventType = 'failed-login'
     AND p_occurs_since('30 days'))
WHERE failed_logins > 5;
Rule function
def rule(event):
    # Invoked once per row returned by the scheduled query. The query already
    # filters on failed_logins > 5, so this check is a second guard; the
    # default of 0 avoids a TypeError if the column is ever missing.
    if event.get('failed_logins', 0) > 5:
        return True
    return False

def title(event):
    return 'More than 5 failed logins in the last 30 days'
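The example above uses a fixed threshold rather than the mean-or-median comparison the question asks for. The following is an added example, not Panther's own code, of how the same scheduled-query-plus-scheduled-rule pattern can carry a real baseline: the query (shown as a string, written for Snowflake and not executed here) summarises per-day failed-login counts over the prior 30 days into a mean, median and standard deviation, and counts the most recent 24 hours alongside them; the rule then alerts on a z-score, falling back to a ratio when the baseline has no spread. The column names, the `<example_log_type>` placeholder carried over from the page, and the thresholds are all assumptions to adjust per environment.

```python
"""Baseline-versus-window comparison for a Panther scheduled rule.

Added example, not Panther's own code. Assumes the scheduled query below
returns one row with the columns current_failed_logins, baseline_mean,
baseline_median and baseline_stddev; thresholds are assumptions.
"""

# Hypothetical scheduled query (Snowflake SQL, not executed by this module).
# It builds a per-day count of failed logins for the prior 30 full days,
# summarises that as the baseline, and counts the most recent 24 hours for
# comparison. Days with zero failed logins produce no row in `daily`, so the
# baseline mean is biased upward on quiet tenants; pad with a calendar table
# if that matters.
SCHEDULED_QUERY = """
WITH daily AS (
    SELECT DATE_TRUNC('day', p_event_time) AS day,
           COUNT(*) AS failed_logins
    FROM panther_logs.public.<example_log_type>
    WHERE eventType = 'failed-login'
      AND p_occurs_since('31 days')
    GROUP BY 1
),
baseline AS (
    SELECT AVG(failed_logins)    AS baseline_mean,
           MEDIAN(failed_logins) AS baseline_median,
           STDDEV(failed_logins) AS baseline_stddev
    FROM daily
    WHERE day < DATE_TRUNC('day', CURRENT_TIMESTAMP())
),
recent AS (
    SELECT COUNT(*) AS current_failed_logins
    FROM panther_logs.public.<example_log_type>
    WHERE eventType = 'failed-login'
      AND p_occurs_since('1 day')
)
SELECT r.current_failed_logins, b.baseline_mean, b.baseline_median, b.baseline_stddev
FROM recent r CROSS JOIN baseline b
"""

Z_THRESHOLD = 3.0      # alert when the window is >= 3 std devs above the mean (assumed)
RATIO_THRESHOLD = 3.0  # fallback when the baseline has no spread (stddev 0 or NULL)


def _num(value):
    """Coerce a query column to float; warehouse numerics may arrive as Decimal or str."""
    if value is None:
        return None
    return float(value)


def deviation(event):
    """Return (z_score, ratio_to_mean) for the row; each is None when it cannot be computed."""
    current = _num(event.get("current_failed_logins"))
    mean = _num(event.get("baseline_mean"))
    stddev = _num(event.get("baseline_stddev"))
    if current is None or mean is None:
        return None, None
    ratio = current / mean if mean > 0 else None
    z = (current - mean) / stddev if stddev else None
    return z, ratio


def rule(event):
    # Runs once per row the scheduled query returns; here that is a single row.
    z, ratio = deviation(event)
    if z is not None:
        return z >= Z_THRESHOLD
    # No usable standard deviation (flat or single-day baseline): use a ratio instead.
    return ratio is not None and ratio >= RATIO_THRESHOLD


def title(event):
    z, ratio = deviation(event)
    if z is not None:
        return f"Failed logins in the last 24h are {z:.1f} std devs above the 30-day mean"
    if ratio is not None:
        return f"Failed logins in the last 24h are {ratio:.1f}x the 30-day mean"
    return "Failed logins in the last 24h could not be compared to the 30-day baseline"


def alert_context(event):
    # Surface the numbers the analyst needs without re-running the query.
    z, ratio = deviation(event)
    return {
        "current_failed_logins": event.get("current_failed_logins"),
        "baseline_mean": event.get("baseline_mean"),
        "baseline_median": event.get("baseline_median"),
        "baseline_stddev": event.get("baseline_stddev"),
        "z_score": z,
        "ratio_to_mean": ratio,
    }
```

Two caveats worth checking before relying on this: a tenant with no failed logins in the baseline window yields a NULL mean, and the rule above deliberately stays quiet rather than alerting on a baseline it cannot compute, so pair it with a separate health check if silence would be dangerous; and the z-score assumes the daily counts are roughly normal, so for bursty sources the median-based fields are the better comparison and `deviation` can be switched to use `baseline_median` with a MAD column added to the query.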