QUESTION

How do I create a detection in Panther based on the number of results returned from a data lake query? For example, we want to be alerted when a WAF Rule has generated a high volume of logs which would indicate a DDoS attack is underway.

ANSWER

To do this, create a scheduled query and a scheduled rule based on that query. Here is an example of what that scheduled query could look like:

SELECT count(*) as total
FROM panther_logs.public.aws_waf --replace with whatever log source you want
WHERE (action = 'BLOCK' AND terminatingRuleId = 'TwoHundredRequestsPerIp') AND p_occurs_since('1 hr')


You can then save that query as a scheduled query to run once every hour. After that is done, you can set up your scheduled rule to look something like this:

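def rule(event):
    # "total" is the count(*) alias from the scheduled query. Default to 0 so a
    # missing key compares safely, and always return a bool.
    return event.get("total", 0) > 50000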
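
Added example (not part of the original answer and not Panther's own code): the same scheduled rule extended to a grouped variant of the query, so that each WAF rule gets its own row, threshold and alert, using Panther's optional `title`, `dedup` and `severity` rule functions. The GROUP BY query in the comment, the `rule_id` alias, the `ExampleGeoBlock` and `UnlistedRule` names, the threshold values, the sample rows and the `evaluate` harness are assumptions made for illustration.

```python
# Assumed scheduled query (a grouped variant of the query above, run hourly):
#   SELECT terminatingRuleId AS rule_id, count(*) AS total
#   FROM panther_logs.public.aws_waf
#   WHERE action = 'BLOCK' AND p_occurs_since('1 hr')
#   GROUP BY terminatingRuleId
# The scheduled rule is evaluated once per returned row.

DEFAULT_THRESHOLD = 50000
# Per-WAF-rule overrides; the second name and both values are constructed.
THRESHOLDS = {"TwoHundredRequestsPerIp": 50000, "ExampleGeoBlock": 5000}

def _total(event):
    """Row count as an int; a missing or non-numeric value counts as 0."""
    try:
        return int(event.get("total") or 0)
    except (TypeError, ValueError):
        return 0

def _threshold(event):
    return THRESHOLDS.get(event.get("rule_id"), DEFAULT_THRESHOLD)

def rule(event):
    return _total(event) > _threshold(event)

def title(event):
    return f"WAF rule {event.get('rule_id', 'unknown')} blocked {_total(event)} requests in 1 hr"

def dedup(event):
    # Group alerts by WAF rule rather than sharing one alert for all rules.
    return f"waf-volume:{event.get('rule_id', 'unknown')}"

def severity(event):
    # Escalate when the volume is at least 10x the threshold.
    return "CRITICAL" if _total(event) >= 10 * _threshold(event) else "HIGH"

# Constructed sample rows, shaped like the assumed query's output.
SAMPLE_ROWS = [
    {"rule_id": "TwoHundredRequestsPerIp", "total": 612340},
    {"rule_id": "ExampleGeoBlock", "total": 4200},
    {"rule_id": "ExampleGeoBlock", "total": "7300"},
    {"rule_id": "UnlistedRule", "total": None},
]

def evaluate(rows):
    """Local harness: return (dedup, severity) for each row that would alert."""
    return [(dedup(r), severity(r)) for r in rows if rule(r)]
```
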