How do I create a detection for when some event A is followed by some event B?
In the example Python rule below, an alert for event B is triggered only when event A has occurred recently (within the specified time span) for the same user. You can add further logic to either path to match on specific attributes of each event.
from panther_oss_helpers import put_string_set, get_string_set
# Maximum gap, in minutes, between Event A and Event B for them to correlate;
# the rule multiplies this by 60 when it stores the Event A marker.
TIMESPAN = 10
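def rule(event):
    """Alert on Event B when the same user produced Event A within TIMESPAN minutes.

    Event A never raises an alert on its own; it only records a marker in the
    string-set cache under a per-user key. Event B then alerts if that marker
    is still present.

    Args:
        event: The log event; only the 'type' and 'user_id' fields are read.

    Returns:
        True to raise an alert, False otherwise.
    """
    event_type = event.get('type')
    user_id = event.get('user_id')
    # Without a user_id there is nothing to correlate on. Guarding here also
    # avoids the TypeError that 'str + None' raised on events lacking the field,
    # which would make the rule error out instead of returning False.
    if user_id is None or event_type not in ('Event A', 'Event B'):
        return False
    # Per-user key so one user's Event A cannot satisfy another user's Event B;
    # str() tolerates non-string ids.
    key = 'my_rule_id' + str(user_id)
    # Logic Path 1: record that Event A happened, but do not alert on it.
    if event_type == 'Event A':
        # NOTE(review): the helper is not visible here — confirm its third
        # argument is a TTL in seconds rather than an absolute expiry epoch,
        # and whether it expects a list of strings rather than a bare string.
        put_string_set(key, 'event A happened.', TIMESPAN * 60)
        return False
    # Logic Path 2: Event B alerts only if the Event A marker is still live;
    # force_ttl_check presumably makes an expired marker count as absent.
    return bool(get_string_set(key, force_ttl_check=True))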