When an event passes through the detection engine, do the auxiliary functions, like title, dedup, and alert_context, follow a particular order of execution?
Panther will always execute the rule or policy functions first, but after that, there is no guaranteed order of execution. While you may notice some functions are reliably executed before others, there is no guarantee that this behaviour will persist, and changes to execution order can happen at any time.
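The practical consequence is that no auxiliary function should rely on state left behind by another. The following is an added example, not Panther's own code: it contrasts a detection whose dedup reads a value cached by title with one where every function derives its values from the event. The event field names, the `fragile_*` functions, and the `run_in_every_order` harness are hypothetical.

```python
from itertools import permutations

# Constructed sample event (not real log data); field names are assumptions.
EVENT = {"actor": "alice@example.com", "action": "DeleteBucket",
         "sourceIp": "203.0.113.7"}

# Fragile pattern: title() caches state that dedup() later reads.
_cache = {}

def fragile_title(event):
    _cache["actor"] = event.get("actor", "<unknown>")
    return f"Bucket deleted by {_cache['actor']}"

def fragile_dedup(event):
    return _cache["actor"]  # KeyError if title() has not run yet

# Robust pattern: each function derives what it needs from the event.
def _actor(event):
    return event.get("actor", "<unknown>")

def rule(event):
    return event.get("action") == "DeleteBucket"

def title(event):
    return f"Bucket deleted by {_actor(event)}"

def dedup(event):
    return _actor(event)

def alert_context(event):
    return {"actor": _actor(event), "source_ip": event.get("sourceIp")}

def run_in_every_order(event, aux_functions):
    """Hypothetical harness: run rule() first, then the auxiliary functions
    in every possible order, and return the set of distinct outcomes."""
    outcomes = set()
    if not rule(event):
        return outcomes
    for order in permutations(aux_functions):
        _cache.clear()  # start each ordering with no leftover state
        try:
            result = {fn.__name__: fn(event) for fn in order}
            outcomes.add(repr(sorted(result.items())))
        except KeyError as exc:
            outcomes.add(f"KeyError({exc})")
    return outcomes
```

A detection is order-independent when the harness returns exactly one outcome; the fragile pair returns two, one of them a `KeyError`.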