What is the difference between get and deep_get when writing detections in Panther?

QUESTION

What is the difference between get and deep_get?

ANSWER

In a string context, we usually recommend that you use the form of deep_get(event, 'whatever', default='<NO_WHATEVER>'). See below for more information on the differences.

• dictionary.get('thing', 'value-if-not-present') 

  • This call will return None if the thing exists and has value of None

• deep_get(dictionary, 'thing', default='something'

  • this call will return the value of the default= kwarg if the thing exists and has a value of None.

Examples:

• https://github.com/panther-labs/panther-analysis/blob/master/rules/okta_rules/okta_threatinsight_security_threat_detected.py#L33

• https://github.com/panther-labs/panther-analysis/blob/master/rules/asana_rules/asana_workspace_guest_invite_permissions_anyone.py#L12-L13

• https://github.com/panther-labs/panther-analysis/blob/master/rules/slack_rules/slack_user_privilege_escalation.py#L17

• https://github.com/panther-labs/panther-analysis/blob/master/rules/aws_cloudtrail_rules/aws_resource_made_public.py#L79