QUESTION

How do I create a detection for when some event A is followed by some event B?

ANSWER

In the example Python rule below, an alert fires on event B only when event A has been seen for the same user recently (within the configured time span). Event A on its own is recorded but never alerts. You can add further conditions in either branch to match on specific attributes of each event.

import time
from panther_oss_helpers import put_string_set, get_string_set

# How far apart can Events A and B be? (In minutes)
TIMESPAN = 10

def rule(event):
    user_id = event.get('user_id')
    if not user_id:
        # Nothing to correlate on; never alert (also avoids a TypeError when building the key)
        return False
    # Key is scoped to this rule and this user so rules and users never share state
    key = 'my_rule_id' + user_id

    # Logic Path 1: Record occurrences of Event A
    if event.get('type') == 'Event A':
        # Store a record of this. put_string_set takes a sequence of strings and an
        # absolute expiry in seconds since the Unix epoch, so the record lapses
        # TIMESPAN minutes from now
        put_string_set(key, ['event A happened.'], int(time.time()) + TIMESPAN * 60)
        # Return False - don't raise an alert for Event A alone
        return False

    # Logic Path 2: If Event B happens
    if event.get('type') == 'Event B':
        # Check whether an unexpired record of Event A exists for this user;
        # force_ttl_check ignores entries whose expiry has already passed
        if get_string_set(key, force_ttl_check=True):
            # This means Event A happened recently
            return True

    # By default, return False
    return False
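To see the A-then-B logic behave end to end without a Panther deployment, here is an added, self-contained example (not part of the original answer and not Panther's own code). It replaces panther_oss_helpers with a small in-memory store that imitates the two behaviours the rule depends on, a string set per key and an absolute expiry honoured by force_ttl_check, and replays constructed events under a controllable clock so the in-window, no-prior-A, expired and cross-user cases can each be checked. The store class, the make_rule/replay helpers, the ":" key separator and the sample events are all assumptions introduced here.

```python
import time
from typing import Callable, Dict, List, Sequence, Set, Tuple

# Window between Event A and Event B, in minutes (same TIMESPAN as the rule above).
TIMESPAN = 10
# Rule identifier used to namespace keys so two rules never read each other's state.
RULE_ID = "my_rule_id"


class TTLStringSetStore:
    """In-memory stand-in for Panther's KV store (constructed for this example).

    panther_oss_helpers.put_string_set / get_string_set are backed by DynamoDB; this
    class only mimics what the rule relies on: one string set per key plus an
    absolute expiry timestamp that get_string_set honours when force_ttl_check is set.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._items: Dict[str, Tuple[Set[str], float]] = {}

    def now(self) -> float:
        return self._clock()

    def put_string_set(self, key: str, val: Sequence[str], epoch_seconds: float) -> None:
        # epoch_seconds is an absolute expiry time, not a duration.
        self._items[key] = (set(val), epoch_seconds)

    def get_string_set(self, key: str, force_ttl_check: bool = False) -> Set[str]:
        item = self._items.get(key)
        if item is None:
            return set()
        values, expires_at = item
        if force_ttl_check and self._clock() >= expires_at:
            # Expired state may still be physically present (TTL deletion is lazy),
            # so the explicit clock comparison is what keeps the window honest.
            del self._items[key]
            return set()
        return values


def make_rule(store: TTLStringSetStore) -> Callable[[dict], bool]:
    """Build an A-then-B rule bound to a store; returns the rule(event) callable."""

    def rule(event: dict) -> bool:
        user_id = event.get("user_id")
        if not user_id:
            # Without an entity to correlate on there is nothing to remember or match.
            return False
        key = f"{RULE_ID}:{user_id}"
        if event.get("type") == "Event A":
            # Remember that A happened, expiring TIMESPAN minutes from now.
            store.put_string_set(key, ["event A happened"], store.now() + TIMESPAN * 60)
            return False
        if event.get("type") == "Event B":
            # Alert only if an unexpired record of A exists for this same user.
            return bool(store.get_string_set(key, force_ttl_check=True))
        return False

    return rule


def replay(events: List[dict]) -> List[Tuple[str, str, bool]]:
    """Feed events through the rule in timestamp order; return (user, type, alerted)."""
    clock = {"t": 0.0}
    store = TTLStringSetStore(clock=lambda: clock["t"])
    rule = make_rule(store)
    results = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        clock["t"] = ev["ts"]  # wall-clock time at which this event is processed
        results.append((ev["user_id"], ev["type"], rule(ev)))
    return results


# Constructed sample events (ts = seconds since an arbitrary start); not real log data.
SAMPLE_EVENTS = [
    {"ts": 0,   "user_id": "alice", "type": "Event A"},
    {"ts": 300, "user_id": "alice", "type": "Event B"},  # 5 min later: inside window
    {"ts": 10,  "user_id": "bob",   "type": "Event B"},  # no prior A for bob
    {"ts": 20,  "user_id": "carol", "type": "Event A"},
    {"ts": 920, "user_id": "carol", "type": "Event B"},  # 15 min later: expired
    {"ts": 30,  "user_id": "dave",  "type": "Event A"},
    {"ts": 40,  "user_id": "erin",  "type": "Event B"},  # the A was dave's, not erin's
]


if __name__ == "__main__":
    for user, kind, alerted in replay(SAMPLE_EVENTS):
        print(f"{user:6} {kind:8} -> {'ALERT' if alerted else 'no alert'}")
```

Only alice's Event B produces an alert. Two design points carry over to the real rule: the key is namespaced by rule and by the entity being correlated, so state from one user or one rule can never satisfy another, and the expiry passed to the store is an absolute timestamp, so the lookup with force_ttl_check is what enforces the window rather than relying on the backing store to have purged old entries already.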