If your organization is leveraging Panther’s out-of-the-box detections and queries to protect and defend against threats in your environment, you’re already ahead of the game. Panther’s detection-as-code approach not only alleviates the pain of traditional SIEMs with hundreds of out-of-the-box detections but also flawlessly provides a deeper look into your organization’s threat landscape across multiple external services with highly scalable solutions to support growing security teams. However, just like everything related to security, there’s always room for improvement. Panther’s flexibility and detection-as-code principles empower organizations to tune and optimize content for their environment.
Content tuning is the process of optimizing your detections and queries to improve their accuracy and efficiency. By fine-tuning your detections, you can reduce the number of false positives and increase the context of true positives, making your incident response process more effective and thereby avoiding alert fatigue.
When it comes to tuning Panther-managed detections and queries, there are a few things to keep in mind:
Before you start tuning any Panther-provided content, it’s important to have a good understanding of the data you’re working with. Take the time to review the logs and other data sources that Panther is analyzing and make sure that you understand what each field represents. This will help you write more accurate and effective queries.
Panther comes with a wide range of built-in detections and queries, enabling security teams to rapidly detect and respond to suspicious activity in SaaS, cloud, network, and host environments. Tuning Panther-provided content is a great starting point on the journey to honing these detection capabilities and tailoring their functionalities specifically for your environment. Leveraging Panther’s built-in unit testing capabilities enables Panther customers to review each detection and test for and reduce false positives.
Below is a newly released Panther-managed detection for Microsoft Azure SignIn events that use a Legacy Authentication Protocol. Based on Microsoft’s analysis, more than 97 percent of credential stuffing attacks use legacy authentication, and more than 99 percent of password spray attacks use legacy authentication protocols. However, an authorized business function may rely on these methods within your organization’s environment. To reduce false positive alerts, simply add the ServicePrincipalName or UserPrincipalName to the KNOWN_EXCEPTIONS allowlist. This guarantees that any SignIn events made by this authorized user or service will not alert the security team, which can be seen on lines 21-22 of the image below.
When writing detection content, it’s important to use the right operators to get the best results. For example, if you’re looking for events that occurred within a certain time frame, using a comparison statement similar to DATEDIFF(HOUR, alert_creation_time, CURRENT_TIMESTAMP) < 24 hours will ensure that all results returned by the query will have occurred within 24 hours of the time this query is run. This will help you view only relevant events within your specified time frame and avoid events that may fall outside the desired range.
For example, one of our Snowflake monitoring queries checks if a user has been granted an admin role:
SELECT
created_on,
role,
grantee_name as granted_to,
granted_by
FROM snowflake.account_usage.grants_to_users
WHERE
created_on is NOT NULL
AND grantee_name is NOT NULL
AND granted_to is NOT NULL
AND role ILIKE '%admin%'
AND deleted_on is NULL
AND DATEDIFF(HOUR, created_on, CURRENT_TIMESTAMP) < 24Code language: SQL (Structured Query Language) (sql)Pro-tip: Adding additional conditional statements to queries can help strengthen your content and narrow returned results to ensure that you’re only spending time on relevant events. Please note in the example above, we utilize the following conditional statement to guarantee admin roles returned by this query have not been deleted and are currently in use by saying:
AND deleted_on is NULL
Once you’ve made changes to your detection content, it’s important to test them thoroughly to ensure they’re working as expected. Be sure to leverage Panther’s built-in unit test capability to test both when an alert should be generated and when it shouldn’t be. It is critical that any test logs be scrubbed of PII or other identifiable/sensitive information, such as IP addresses, account IDs, employee emails, and employee usernames. Once the logs have been properly scrubbed, run your changes against the sample data and review the results carefully. If you’re still encountering false positives or missing true positives, make additional tweaks to your new changes and test them again.
By following these tips, you can improve the accuracy and effectiveness of Panther-managed detections and even apply these practices to your own custom detections, helping you stay one step ahead of potential security threats.
