Detection Features

Articles

• Is there a way to list all the detections in Panther that weren't created in the Panther Console?
• Where in my Panther code repository can I store my YAML-only detections?
• How deduplication and threshold work in Panther
• How can I export the mappings from Panther’s MITRE ATT&CK page?
• Comparing a previous event with a current event to create a Panther detection
• How do I set up separate destinations for detections with the same log type?
• How do I resolve the error "only one LogType may be specified per DataModel" while uploading a Data Model to Panther?
• How to measure performance of Panther detections
• Is it possible to include nested fields in my Panther detection filters?
• How do I resolve Data Replay time range errors in my Panther Console?
• How do I debug a slow performance in the cache or panther-kv-store?
• What is the difference between get and deep_get when writing detections in Panther?
• How to test with mocks when a Panther detection sorts cached values
• How do I override my Panther detection's default severity?
• What's the meaning of each enriched timestamp field in my alerts on Panther?
• How to create a link to Search from a Panther detection and include it in alerts
• How to identify patterns across events within a specified time window in a Panther detection
• When is it better to use Simple Detections instead of Python for Panther detections?
• In a Panther detection, does set_key_expiration immediately clear the cache once the key is expired?
• Accessing event data fields with a slash ( / ) in the name, using Panther Simple Detections
• What does the title function return if there are no changes in its body, or if the function is not included in a Panther detection?
• How to open a Panther Console tab in a new browser tab
• What is the recommended way to do exception handling with Panther Detections?
• Why is oss helpers not accessible when running a Data Replay in Panther?
• How can I write unit tests for Panther detections that use relative time?
• How can I share global data between Python functions in my Panther detection code?
• How to troubleshoot ModuleNotFound error in Panther detection
• How to prevent Panther from persisting my rule's global variable between log events
• How to resolve "PantherError: a data model hasn't been specified for this log type".
• Why do I receive rule import errors after removing helper functions from my Panther detection?
• Why aren't my Global Helper changes reflected in Panther?
• Can I export a list of my alerts from Panther?
• Can I parse a specific field in my JSON log with a fastmatch or regex log parser in Panther?
• How do I use deep_get() to get a value from a nested array?
• How do I return an array of values from a Mock in a Panther detection?
• How to write unit tests for stateful Panther detections
• How can I setup a Panther detection such that each event gets sent as its own separate alert?
• How can I access my own AWS resources from my Python Detections? Can I store secrets in Panther?
• How can I create a detection Inline Filter on a field with dot notation?
• Is there a time or size limit on the Panther Data Replay feature?
• Can we disable Detection Packs from the Panther Console if the "We use the Panther Analysis Tool to manage our detections" setting is enabled?
• How can I control Panther's deduplication period from within my detection code?
• What’s the best way for me to customize Panther-managed global helper functions?
• Can I track the revision history of a rule in the Panther Console?
• Can I use multiple AWS roles for accessing secrets from Panther detections?
• Data Replay for 15GB and 20GB is taking a long time to complete in Panther
• Troubleshooting guide for Panther Detection Inline Filters
• Can I use a list in a Panther detection to send alerts to multiple destinations?
• Can I use breakpoints and other Python debug tools on Panther detection functions and tests?
• Can you have two different fields going to the same Data Model field in Panther?
• What does Managed or Unmanaged mean for a detection in the Panther Console?
• Can I view the data stored in the Panther KV cache?
• Does Panther allow showing MITRE coverage for an arbitrary grouping of detections?
• Why does Data Replay keep failing on alert simulation in Panther?
• Do I need to request access to DynamoDB in order to use the Panther-provided cache helper functions?
• Why is my PAT uploaded detection not appearing in the Destination Override field?
• Is there an advantage to using filters instead of code in Panther detections?
• Maximum number of minutes to use for DedupPeriodMinutes in a Panther detection
• How do I create a detection rule for domain IOCs using p_any_domain_names in Panther?
• Can Panther filter detections based on enrichment data?
• How do I include a detailed description with a Panther alert?
• Why is the Data Replay section not visible for my Detection?
• Why is my Panther detection triggering more alerts than specified in my deduplication period and threshold setup?
• Do Panther's auxiliary functions get called in any specific order?
• How to create scheduled tests for Panther detections
• Are there any storage or size limitations to the strings that I can store in a String Set in Panther?
• Can the alert_context function in Panther return a list of values or JSON data?
• How does Panther handle alert deduplication if rules share the same dedup string and dedup period?
• What's the difference between a Fail and an Error error state in Panther's detection unit testing?
• Can I modify a Panther-managed Data Model?
• Why are the MITRE technique statuses "Partially Covered" in Panther?
• Can I return a detection triggering event in the alert_context function?
• How can I use boto3 in Panther detections?
• Panther.Detection.Deleted fires with a broken AlertContext
• In a detection test, is it possible to mock the response of a helper function that is not directly called in my detection code?
• My Panther schema is not appearing as a selection on my detection configuration
• What fields are used for deduplicating repeated alerts in Panther?
• Can I omit unused fields from my detection unit test?
• Can I use pytest or other testing frameworks to test helpers used in Panther?
• Allowing Panther detection code to access metadata about that detection
• Does Panther support the ability to assign users from within a rule detection?
• How can I rerun a rule in Panther?
• How do I use SummaryAttributes in Panther correlation rules?
• What is the default alert_context if I don't have an alert_context function in my Panther detection?
• How do I resolve "read timeout on endpoint URL" during a bulk upload to Panther?
• Can I manually edit data stored in the Panther KV Cache?
• How do I capture stdout in Panther detections?
• List and dict type comparisons aren't working in my Panther detection
• What's the difference between p_udm and event.udm in Panther?
• Does DynamoDB in Panther have a default TTL for its cache when one is not explicitly set?
• My Panther analysis cache was not cleared by the set_key_expiration function
• Are Data Model field name paths in Panther case sensitive?
• What happens when I change the deduplication string of a Panther rule?
• Retrieving nested data values with deep_get for a Panther Detection
• Do summary attributes get stored in the panther_rule_matches database view in Panther?
• How do I set up my Panther alert to be dynamically generated in order to provide the most context?
• Can I share String Sets across different detections in Panther?