Why isn't the Inline Filter from my Base Detection applied on my Derived Detection in Panther?

Last updated: March 11, 2025

Issue

In Panther, I created a Derived Detection. Both the Base Detection and Derived Detection define an Inline Filter. The Inline Filter from the Base Detection is not being applied to events processed by the Derived Detection.

Resolution

To apply the Base Detection's Inline Filter on the Derived Detection:

  • Add its logic to the Inline Filter on the Derived Detection.

Cause

When you overwrite a metadata or alert field in a Derived Detection, the new value completely replaces the value that field inherited from the Base Detection. This means that if both a Base Detection and Derived Detection define an Inline Filter, only the Derived Detection's Inline Filter will be applied.
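The replace-not-merge behavior described above can be checked across a set of detections with a short script. This is an added example, not Panther's own code: the detections are constructed dicts, and the key names (RuleID, BaseDetection, InlineFilters, KeyPath, Condition, Value) are assumptions about how the detections are stored.

```python
import json

# Constructed sample detections; key names are assumptions, not from the page.
BASE = {"RuleID": "Example.Base", "InlineFilters": [
    {"KeyPath": "environment", "Condition": "Equals", "Value": "prod"}]}
DERIVED_OVERRIDES = {
    "RuleID": "Example.Derived.Overrides", "BaseDetection": "Example.Base",
    "InlineFilters": [
        {"KeyPath": "region", "Condition": "Equals", "Value": "eu-west-1"}]}
DERIVED_MERGED = {
    "RuleID": "Example.Derived.Merged", "BaseDetection": "Example.Base",
    # Base condition copied in by hand, as the Resolution describes.
    "InlineFilters": BASE["InlineFilters"] + DERIVED_OVERRIDES["InlineFilters"]}
DERIVED_INHERITS = {"RuleID": "Example.Derived.Inherits",
                    "BaseDetection": "Example.Base"}


def _canon(filters):
    """Order-independent set of conditions, each serialized canonically."""
    return {json.dumps(f, sort_keys=True) for f in filters or []}


def effective_filter(detection, by_id):
    """Filter that runs: the derived value, if set, replaces the base value."""
    if "InlineFilters" in detection:
        return detection["InlineFilters"]
    base = by_id.get(detection.get("BaseDetection"), {})
    return base.get("InlineFilters", [])


def dropped_base_conditions(detections):
    """Map derived RuleID -> base conditions absent from its effective filter."""
    by_id = {d["RuleID"]: d for d in detections}
    findings = {}
    for d in detections:
        base = by_id.get(d.get("BaseDetection"))
        if base is None:
            continue  # not a Derived Detection, or its base is not in this set
        missing = _canon(base.get("InlineFilters")) - _canon(effective_filter(d, by_id))
        if missing:
            findings[d["RuleID"]] = [json.loads(m) for m in sorted(missing)]
    return findings
```

Only the detection that overrides the filter without repeating the base condition is reported; the merged and inheriting ones are not.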

Learn more in the Derived Detections documentation.