QUESTION

When an event passes through the detection engine, do the auxiliary functions, like title, dedup, and alert_context, follow a particular order of execution?

ANSWER

Panther will always execute the rule or policy functions first, but after that, there is no guaranteed order of execution. While you may notice some functions are reliably executed before others, there is no guarantee that this behaviour will persist, and changes to execution order can happen at any time.
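One way to keep a detection correct under this behaviour is to have each auxiliary function derive what it needs from the event alone. The sketch below is an added example, not Panther's own code: the event fields, the `summary` helper and the `order_independent` check are assumptions made for illustration, and a plain dict stands in for the event object.

```python
from itertools import permutations

# Constructed sample event; field names are assumptions, not a real log schema.
SAMPLE_EVENT = {"actor": "alice@example.com", "action": "console_login",
                "mfa_used": False, "source_ip": "203.0.113.7"}

def summary(event):
    """Pure helper: derives shared values from the event only, no module state."""
    return {"actor": event.get("actor", "<unknown>"),
            "source_ip": event.get("source_ip", "<unknown>")}

def rule(event):
    # Per the answer above, rule() runs first; the others follow in no fixed order.
    return event.get("action") == "console_login" and not event.get("mfa_used")

def title(event):
    return f"Console login without MFA by {summary(event)['actor']}"

def dedup(event):
    s = summary(event)
    return f"{s['actor']}:{s['source_ip']}"

def alert_context(event):
    return summary(event)

# Anti-pattern for contrast: fragile_dedup() only works if fragile_title() ran first.
shared_state = {}

def fragile_title(event):
    shared_state["actor"] = event.get("actor", "<unknown>")
    return f"Console login without MFA by {shared_state['actor']}"

def fragile_dedup(event):
    return shared_state.get("actor", "")  # empty if fragile_title() has not run yet

def order_independent(funcs, event, reset=lambda: None):
    """Local check (hypothetical, not a Panther API): run funcs in every order
    and return True only if each function's output is the same in all of them."""
    seen = {}
    for order in permutations(funcs):
        reset()  # start each ordering from a clean module state
        for fn in order:
            seen.setdefault(fn.__name__, set()).add(repr(fn(event)))
    return all(len(outputs) == 1 for outputs in seen.values())
```

Running `order_independent` in a unit test catches a detection whose dedup string or title silently changes when the engine's execution order does.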