Do Panther correlation rules support boolean logic?

Last updated: February 7, 2025

QUESTION

Does Panther support boolean logic operators (OR/XOR) in correlation rule sequences?

For example, a rule where eventA:field1=(eventB:field1 XOR eventC:field1).

ANSWER

Panther does not support boolean logic operators (OR/XOR) directly within correlation rule sequences. If you would like this feature to be supported, please contact Panther Support to submit a request.

As a workaround, you can create two nested correlation rules to achieve similar functionality:

  1. Create a Group correlation rule (CR1) that contains the events you want to combine with OR logic (e.g., eventB OR eventC)

  2. Create a Sequence correlation rule (CR2) that uses the first rule as a component (e.g., eventA FOLLOWED BY CR1)
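The two-rule workaround above, written out as an added example (not Panther's own documentation or a rule from the page). It assumes the key names of Panther's correlation rule YAML schema (`Group`, `Sequence`, `Transitions`, `Match`, `Schedule`); the `Placeholder.Rule.*` IDs and the `field1` match field stand in for your real rules and shared field, and the two documents would normally live in two separate rule files.

```yaml
# CR1: Group correlation rule that fires when eventB OR eventC matches.
# Added example; schema keys are assumed, RuleIDs and match field are placeholders.
AnalysisType: correlation_rule
RuleID: CR1.EventB.Or.EventC
DisplayName: "CR1: eventB OR eventC"
Enabled: true
Severity: Medium
Detection:
  - Group:
      - ID: EventB
        RuleID: Placeholder.Rule.EventB    # placeholder: the rule that detects eventB
      - ID: EventC
        RuleID: Placeholder.Rule.EventC    # placeholder: the rule that detects eventC
    Match:
      - On: p_alert_context.field1         # placeholder: the field both events share
    Schedule:
      RateMinutes: 30
      TimeoutMinutes: 5
    LookbackWindowMinutes: 2160
---
# CR2: Sequence correlation rule: eventA FOLLOWED BY CR1 (eventB OR eventC).
AnalysisType: correlation_rule
RuleID: CR2.EventA.FollowedBy.CR1
DisplayName: "CR2: eventA FOLLOWED BY (eventB OR eventC)"
Enabled: true
Severity: High
Detection:
  - Sequence:
      - ID: EventA
        RuleID: Placeholder.Rule.EventA    # placeholder: the rule that detects eventA
      - ID: CR1
        RuleID: CR1.EventB.Or.EventC       # the Group rule above, used as a component
    Transitions:
      - ID: EventA FOLLOWED BY CR1
        From: EventA
        To: CR1
        WithinTimeFrame: 1h                # placeholder: adjust to your expected gap
        Match:
          - On: p_alert_context.field1     # eventA:field1 must equal CR1's field1
    Schedule:
      RateMinutes: 30
      TimeoutMinutes: 5
    LookbackWindowMinutes: 2160
```

Because CR1 fires on either eventB or eventC, CR2 implements OR rather than XOR; an event pair where both eventB and eventC occur will still match.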