QUESTION

Does Panther support ignoring certain days of the week for the log source dropoff alarm? For example, can I check to see if a log source hasn't received events for 2 business days, so as to not include Saturday and Sunday?

ANSWER

Panther's log source alarm does not support optionally ignoring weekends. If you are interested in support of this feature, please contact Panther Support to put in a request.

As a workaround, you can replace the log source alarm with a scheduled rule, which has logic to ignore certain days of the week.

The following SQL query will return the latest timestamp for events ingested into a particular log source:

SELECT max(p_event_time) as most_recent_data, p_source_label
FROM panther_views.public.all_logs
WHERE p_source_label = 'YOUR LOG SOURCE NAME'
GROUP BY p_source_label

Then, you can create a Python rule like this:

from datetime import datetime, timedelta


MAX_LATENCY = 36  # How many (weekday) hours to wait before raising an alert


def rule(result):
    """This is a scheduled rule, so 'result' is a row returned by our query. In this
    specific case the query returns only 1 row, with 2 columns: most_recent_data
    and p_source_label.
    """
    # Extract the most recent timestamp (first 19 characters: YYYY-MM-DD HH:MM:SS)
    ts = datetime.fromisoformat(result.get('most_recent_data')[:19])

    now = datetime.utcnow()
    hours = get_weekday_hours(ts, now)

    # Raise an alert if the latency is more than the maximum allowed value
    return hours > MAX_LATENCY


def title(result):
    ts = datetime.fromisoformat(result.get('most_recent_data')[:19])

    now = datetime.utcnow()
    hours = get_weekday_hours(ts, now)
    return f"Log source [{result.get('p_source_label')}] has not received events in [{hours}] hours!"


def get_weekday_hours(start, end):
    """Calculates the number of weekday hours between two timestamps by stepping
    one hour at a time and counting only hours that fall on Monday to Friday.
    Not the most efficient method, but it's the simplest.
    """
    hours = 0
    ts = start
    while ts < end:
        if ts.weekday() < 5:  # Monday == 0 ... Friday == 4
            hours += 1
        ts += timedelta(hours=1)
    return hours

Note that the allowed log latency, before creating an alert, is determined by the value of the MAX_LATENCY constant defined near the top of the rule.
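The following is an added, stand-alone variation on the rule above (example code written for this article, not Panther's own implementation). It makes the skipped days configurable via an assumed IGNORED_WEEKDAYS set, walks the gap day by day instead of hour by hour, parses the timestamp as timezone-aware (assuming the column arrives as an ISO-8601 string, possibly with fractional seconds or a trailing 'Z'), and accepts an optional 'now' argument so the rule can be unit-tested against a constructed row:

```python
import re
from datetime import datetime, timedelta, timezone

MAX_LATENCY = 36            # weekday hours of silence tolerated before alerting
IGNORED_WEEKDAYS = {5, 6}   # Monday == 0, so this skips Saturday and Sunday

# Constructed sample row, shaped like the single row the query above returns.
SAMPLE_ROW = {"most_recent_data": "2024-01-05 17:00:00.000Z",  # a Friday
              "p_source_label": "example-source"}


def parse_event_time(value):
    """Parse most_recent_data into an aware UTC datetime. Tolerates fractional
    seconds and a trailing 'Z' or UTC offset; a naive value is assumed to be UTC
    (assumption: the column is returned as an ISO-8601 string)."""
    text = re.sub(r"\.\d+", "", value.replace("Z", "+00:00"))
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def weekday_hours(start, end):
    """Hours between start and end that fall on days not in IGNORED_WEEKDAYS.
    Advances to the next midnight each step, so long gaps stay cheap."""
    total = 0.0
    cursor = start
    while cursor < end:
        next_midnight = (cursor + timedelta(days=1)).replace(
            hour=0, minute=0, second=0, microsecond=0)
        segment_end = min(next_midnight, end)
        if cursor.weekday() not in IGNORED_WEEKDAYS:
            total += (segment_end - cursor).total_seconds() / 3600
        cursor = segment_end
    return total


def latency_hours(result, now=None):
    """Weekday hours since the source's last event; 'now' is injectable for tests."""
    now = now or datetime.now(timezone.utc)
    return weekday_hours(parse_event_time(result["most_recent_data"]), now)


def rule(result, now=None):
    return latency_hours(result, now) > MAX_LATENCY


def title(result, now=None):
    return (f"Log source [{result['p_source_label']}] has not received events "
            f"in [{latency_hours(result, now):.1f}] weekday hours")
```

With the sample row, a check on Monday 09:00 sees 16 weekday hours (7 left on Friday plus 9 on Monday) and stays quiet, while the same 64-hour wall-clock gap starting on a Monday evening alerts.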