Comparing a previous event with a current event to create a Panther detection
Last updated: September 3, 2024
QUESTION
How do I use information from a previous event to compare with the current event and create a detection in Panther? How does storing information to compare with a later event in a detection work?
ANSWER
When writing rules in Python, you can store data from your current event under a key:value pair and retrieve it when a later event is evaluated by your rule, so the rule can compare the two. This is called caching, or sometimes stateful detection writing. You can read more about caching in our docs.
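As an added illustration (not code from the Panther article or from Panther itself), the rule below compares each login event against the source IPs cached from that user's earlier logins and fires only when it sees an IP it has not stored before. The cache is a plain in-memory dict standing in for Panther's key:value cache; the get_string_set/put_string_set names mirror the helper functions Panther's caching docs describe, but this stand-in is an assumption so the sample runs offline. The event field names (actor, action, sourceIp) and the RULE_ID are constructed for the example.

```python
"""Stateful detection example: compare the current event with what earlier
events left in the cache. Constructed example, not Panther's own code."""

# Assumption: an in-memory dict stands in for Panther's key:value cache.
# In a real rule you would import the equivalent helpers from
# panther_detection_helpers.caching instead of defining them here.
_CACHE = {}


def get_string_set(key):
    """Return a copy of the string set stored under key (empty if unset)."""
    return set(_CACHE.get(key, set()))


def put_string_set(key, values):
    """Overwrite the string set stored under key."""
    _CACHE[key] = set(values)


def reset_cache():
    """Clear all cached state (used between test runs)."""
    _CACHE.clear()


RULE_ID = "Custom.Login.NewSourceIP"  # constructed identifier


def _known_ips_key(actor):
    # Namespace the key by rule and actor so rules never collide in the cache.
    return f"{RULE_ID}:{actor}:known_ips"


def rule(event):
    """Return True when a user logs in from an IP not seen in earlier events."""
    if event.get("action") != "login":
        return False
    actor = event.get("actor")
    source_ip = event.get("sourceIp")
    if not actor or not source_ip:
        return False

    key = _known_ips_key(actor)
    known_ips = get_string_set(key)

    # Edge case: the very first login for this actor has nothing to compare
    # against. Seed the baseline instead of alerting on every new user.
    if not known_ips:
        put_string_set(key, {source_ip})
        return False

    is_new_ip = source_ip not in known_ips

    # Store the current IP so a repeat login from it does not re-alert.
    known_ips.add(source_ip)
    put_string_set(key, known_ips)
    return is_new_ip


def title(event):
    return f"{event.get('actor')} logged in from a previously unseen IP {event.get('sourceIp')}"


def alert_context(event):
    return {
        "actor": event.get("actor"),
        "sourceIp": event.get("sourceIp"),
        "previously_seen_ips": sorted(get_string_set(_known_ips_key(event.get("actor")))),
    }


if __name__ == "__main__":
    # Constructed sample events, fed in order as Panther would evaluate them.
    reset_cache()
    sample = [
        {"actor": "alice", "action": "login", "sourceIp": "10.0.0.5"},
        {"actor": "alice", "action": "login", "sourceIp": "10.0.0.5"},
        {"actor": "alice", "action": "login", "sourceIp": "198.51.100.7"},
    ]
    for ev in sample:
        print(ev["sourceIp"], "->", rule(ev))
```

In a deployed rule the cache persists between invocations, so the first event seeds the baseline and every later event is compared against it; pair the cached key with an expiration if stale IPs should eventually age out of the baseline.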