How do I create a detection rule for domain IOCs using p_any_domain_names in Panther?

Last updated: November 26, 2025

QUESTION

How do I create a simple detection rule to alert on domain IOCs without having to create a custom schema or upload files? Can I use the p_any_domain_names field to detect malicious domains across all log types?

ANSWER

You can create a helper or a new detection that checks the p_any_domain_names indicator field. This only works if your schema marks the field you want to match on as an indicator that feeds into p_any_domain_names; otherwise the field is never populated for that log type.

Step 1: Ensure your schema includes domain indicators

Make sure your schema lists the field you want to pull from as an indicator that feeds into p_any_domain_names. The indicators that feed into p_any_domain_names are: domain, hostname, net_addr, and url.

Example schema:

fields:
  - name: domainname
    type: string
    indicators:
      - domain

Step 2: Create a detection rule

Create a new detection rule with your list of malicious domains:

# Domains to alert on; a set gives constant-time membership checks.
BAD_DOMAINS = {"bad.com", "malicious.example"}

def rule(event):
    # p_any_domain_names is absent when the event carries no domain indicators,
    # so always read it with a default instead of indexing it directly.
    for domain in event.get("p_any_domain_names", default=[]):
        if domain in BAD_DOMAINS:
            return True
    return False

Step 3: Apply the rule across all log types

To run this rule across all log types, add all schemas to your rule configuration. You can get a list of all Panther-managed schemas using the command pantherlog list-schemas.

Important: Always read the field as event.get("p_any_domain_names", default=[]). Events from log types with no domain indicators do not carry the key at all, and indexing it directly would make the rule error out instead of returning False.
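The following is an added example, not code from the Panther article: the exact-match rule from Step 2, extended with a title function that names the matched IOCs, plus a minimal stand-in for Panther's event object so the three cases that matter (a hit, a miss, and a log type with no domain indicators at all) can be exercised offline. The PantherEvent class and the sample events are constructed for this example; at runtime Panther supplies the real event object, which exposes the same get(key, default=...) call used here.

```python
# Added example (not from the Panther article). BAD_DOMAINS and the sample
# events below are constructed values; PantherEvent is a stub that only mimics
# the dict-like get() with a `default` keyword that Panther's real event offers.

BAD_DOMAINS = {"bad.com", "malicious.example"}  # constructed sample IOC list


class PantherEvent(dict):
    """Constructed stub of Panther's event object for offline testing.

    Panther's event is read-only and dict-like; the rule only relies on
    get(key, default=...) behaving like dict.get, which this reproduces.
    """

    def get(self, key, default=None):
        return super().get(key, default)


def rule(event):
    # p_any_domain_names is absent when the schema produced no domain
    # indicators for this event, so the default keeps the rule from erroring.
    for domain in event.get("p_any_domain_names", default=[]):
        if domain in BAD_DOMAINS:
            return True
    return False


def matched_domains(event):
    """Return the IOC hits for this event in a stable order (used for the alert title)."""
    return sorted(set(event.get("p_any_domain_names", default=[])) & BAD_DOMAINS)


def title(event):
    # Panther calls title() only for events where rule() returned True;
    # the fallback covers direct calls during local testing.
    hits = ", ".join(matched_domains(event)) or "unknown"
    return f"Domain IOC match: {hits}"


# Constructed sample events covering a hit, a miss, and a log type that
# carries no domain indicators (so the key is missing entirely).
HIT = PantherEvent({"p_log_type": "Custom.DNS",
                    "p_any_domain_names": ["cdn.example", "bad.com"]})
MISS = PantherEvent({"p_log_type": "Custom.DNS",
                     "p_any_domain_names": ["cdn.example"]})
NO_DOMAINS = PantherEvent({"p_log_type": "AWS.CloudTrail"})

if __name__ == "__main__":
    for name, event in [("hit", HIT), ("miss", MISS), ("no_domains", NO_DOMAINS)]:
        fired = rule(event)
        print(name, fired, title(event) if fired else "")
```

Running the file prints one line per sample event; only the first fires, and the missing-key event returns False rather than raising, which is exactly the behaviour the note above is protecting. Because matching is exact, a subdomain such as a host under bad.com is not matched by this rule; if that is the intent, the IOC list or the comparison has to account for it explicitly.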

Alternative: Using lookup tables for large IOC lists

If you have a large number of IOCs, consider creating a lookup table instead of hardcoding domains in the rule. This approach is more scalable and easier to maintain. Create a separate detection rule that references your lookup table rather than modifying existing rules.