Rules

Articles

• Can I make an external enrichment API call within a Panther detection instead of using a custom enrichment?
• Why did a large number of alerts trigger at the same time from Panther?
• Why can't I find the detection "AWS Modify Cloud Compute Infrastructure" in the Panther Console?
• How can I write a Panther detection to alert me when a deactivated Okta user tries to log in?
• Why is my Detection returning the Rule ID instead of my title function output?
• How to Disable Base Rules When Uploading Derived Rules in Panther Using the Panther Analysis Tool
• Can I combine sequence and group in one correlation rule?
• Troubleshooting Correlation Rules in Panther
• How do I store and surface a list of values across multiple events in Panther threshold rules?
• Is there a place where I can view Panther detection examples?
• Does Panther offer out-of-the-box detections for Windows Event Logs?
• Panther-managed rule "Impossible Travel for Login Action" generates alerts for logins from same city
• Is there a CSV file containing all Panther detections and their details?
• Do users often have a dev and prod environment for testing Panther Detections?
• Why is my Panther detection is returning a "'NoneType' object is not iterable" error?
• What is the reasoning behind the Panther detection, Okta User MFA Factor Suspend?
• Automatically convert a Simple Rule to the corresponding Python rule code in Panther
• How to resolve "Client error: an error occured when calling the UpdateItem operation" in Panther detection
• Does Panther's detection engine invoke rules serially for each event?
• Does Panther have a global helper to check if an IP is a private address?
• "AttributeError("'NoneType' object has no attribute 'lower'")" when running detection in Panther
• How can I create a detection in Panther based on an EC2 event and retrieve security group attributes?
• Why isn't the Inline Filter from my Base Detection applied on my Derived Detection in Panther?
• What options are available for managing detections in Panther?
• Why do I see "The associated rule has been deleted" in Panther?
• How can I delete data from the Panther KV cache?
• How do I check if my Panther rules are working?
• How can I get a list of all Panther detections that triggered an alert to Slackbot within a specific timeframe?
• How frequently should I update Detection Packs in the Panther Console?
• "(ThrottlingException) when calling the UpdateItem operation" error in Panther detection
• Getting the error message "Bulk upload failed to update an analysis item" when uploading a rule via the Bulk Uploader in Panther
• (CI/CD) Can I write my Panther detection tests in a different file than the main configuration?
• Can I convert detections from third-party tools into Panther detections?
• Panther detection editor cursor shows space to the right of where it actually is
• Do Panther correlation rules support boolean logic?
• Error "Cannot save an enabled rule with failing unit tests" when trying to add a rule filter to a Panther-managed rule
• Does Panther allow multiple log types for one detection?
• How do I query the alerts that matched a Panther rule in the API?
• Can I mock API calls made from a decorator function in Panther detection code?
• Testing Correlation Rules with Panther Analysis Tool in Panther
• What is the syntax for dedup period in Panther?
• Why is my Detection alerting on PANTHERACCOUNTADMIN?
• Does Panther support the detection of the absence of an event before or after another event?
• How can I see the severity output of my Panther detection?
• "TypeError: unsupported operand type(s)" error when testing a Panther-managed detection
• Do Panther's real-time rules or scheduled rules require more computing power?
• How to troubleshoot Okta Impossible Travel for Login Action alerts from PantherHow to troubleshoot Okta Impossible Travel for Login Action alerts from Panther
• Does Panther offer out-of-the-box detections to detect sensitive data in logs?
• Does Panther offer out-of-the-box detections designed for Workday logs?
• Error message "Input: server timeout: please try again" while updating a detection in Panther
• If I delete a detection, can I still access the alerts/matched events?
• How do I resolve the Rule Testing error "ResourceNotFoundException" in Panther?
• Is there a way to specify the destination in a Panther detection's YML file and in Simple Detections?
• How to check which detections are deployed in the Panther Console
• Does Panther support multi-event correlation?
• How does Panther handle errors on code and Rule exceptions?
• How do I create a detection for when event A is followed by event B?
• How to fix Panther "external sharing" detection that fires alerts about internal activity
• How do I remove deprecated Panther-managed rules from my UI?
• Why do I see "Couldn't load your detections; Request timed out" in the Panther Console?
• How to resolve Panther rule error "TypeError("method" object is not subscriptable")
• Does Panther's GHAS Change detection account for archived repositories?
• Can I convert Sigma rules to use in Panther?
• How can I filter a Panther rule using an allow list or a deny list?
• Where can I find a list of all detections that Panther provides out of the box?
• Are there VS Code extensions available to support Panther detection development?
• Can I use Python in a Derived Detection in Panther?
• Can I match on multiple event keys in Panther correlation rules?
• Is Panther's deduplication period setting still enforced if the detection has a dedup() function?
• Is there a Panther managed detection to identify elevated admin access in Microsoft 365 logs?