Security teams that choose Panther for detection and response can analyze data from across their entire environment, not just vendor-supported sources. On ingestion, Panther normalizes logs and lets you write detections against them in Python. When a rule matches, a record of the match is written to the data lake. That data can then be queried with SQL to find out how often the matched activity occurred, and the query results can be fed back through Panther's rules engine to correlate activity and trigger real-time alerts.
Why are real-time alerts important?
Security teams expect certain actions to occur routinely, and, taken individually, those actions are not worth an alert. But what happens when a low-level action starts to occur more often than expected? Take a user being added to a 'Bypass MFA' group more than once in a given month. An employee forgets their phone at home, calls IT, and asks to be placed in the 'Bypass MFA' group for the day. IT may track these exceptions manually, but what happens if usernames are being added to that group without IT's knowledge?
With Panther, security teams can build alerts for this kind of behavior. Here’s how.
Create “silent” info-level alerts to track activity
In Panther, you can write a real-time detection that analyzes your IdP logs and triggers an "info" level alert each time a user is placed in the 'Bypass MFA' group. The example below is written against Okta's system log, where the event type lives in `eventType` and the user and the group being changed arrive as separate entries of the `target` array (distinguished by their `type`), so the rule looks each one up by type instead of treating `target` as a single object. An example function looks like this:
```python
# Real-time rule: fires (at "info" severity) each time a user is added to the
# "Bypass MFA Group" in Okta. Okta's system log carries the user and the group
# as separate entries of the `target` array, so look each one up by `type`
# rather than treating `target` as a single object.
BYPASS_GROUP = "Bypass MFA Group"


def get_target(event, target_type):
    """Return the target entry of the given type ("User" or "UserGroup"), or {}."""
    for target in event.get("target", None) or []:
        if target.get("type") == target_type:
            return target
    return {}


def rule(event):
    # Return True when a user is added to the Bypass MFA group
    return (
        event.get("eventType", None) == "group.user_membership.add"
        and get_target(event, "UserGroup").get("displayName") == BYPASS_GROUP
    )


def title(event):
    actor = (event.get("actor", None) or {}).get("displayName", "<unknown actor>")
    user = get_target(event, "User").get("displayName", "<unknown user>")
    return f"{actor} added {user} to the {BYPASS_GROUP}."
```
Now, route these info-level alerts to a destination that does not spam the team, for example a muted Slack channel. Any time a rule matches in Panther, even if the alert has no destination at all, a record of the match and all of its associated metadata is stored in the data lake, and that record is what the more sophisticated alerts below are built on.
Schedule queries to analyze alert activity
Next, using Panther's Data Explorer, we write and schedule a SQL query against the 'rule_matches' table (a dedicated table that stores the events each rule matched on) to count the number of times each username has been added to the "Bypass MFA Group" over the last 30 days. Because Okta's `target` is an array, the query flattens it once to pull out the user entry and once to check the group entry; if you only want matches from this one rule rather than every Okta rule, add a filter on `p_rule_id` as well. An example query looks like this:
```sql
-- Count, per user, how many times they were added to the Bypass MFA group in
-- the last 30 days. Okta's `target` is an array, so it is flattened once for
-- the user entry and once for the group entry.
select
    usr.value:displayName::string as "user_display_name",
    count(*) as "add_count"
from panther_rule_matches.public.okta_systemlog t,
    lateral flatten(input => t.target) usr,
    lateral flatten(input => t.target) grp
where p_occurs_since('30 days')
    and t.eventType = 'group.user_membership.add'
    and usr.value:type::string = 'User'
    and grp.value:type::string = 'UserGroup'
    and grp.value:displayName::string = 'Bypass MFA Group'
group by 1
order by "add_count" desc
limit 100;
```
Trigger high-severity alerts when activity passes a threshold
Finally, we create a scheduled detection that runs over each row the query returns and, when it fires, creates a high-severity alert for the team to triage. In this rule, we flag any username that was added to the "Bypass MFA Group" more than twice (that is, three or more times) in the 30-day window. The row's column names match the aliases in the query above. An example function looks like this:
```python
# Scheduled rule: each "event" is one row returned by the scheduled query,
# with the columns user_display_name and add_count. Fire a high-severity
# alert for any user added to the Bypass MFA group more than twice.
THRESHOLD = 2


def rule(event):
    return int(event.get("add_count", 0) or 0) > THRESHOLD


def title(event):
    user = event.get("user_display_name", None) or "<unknown user>"
    return f"{user} has been added to the Bypass MFA group more than {THRESHOLD} times in the last 30 days."
```
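To see the three steps working together without a Panther deployment, the following is an added example (not code from the original post or from Panther) that simulates the whole pipeline in plain Python: the real-time rule is run over a handful of constructed Okta system log events, the matches are kept as "silent" records, the scheduled query is replaced by an equivalent per-user count over a 30-day window, and the threshold rule turns repeated adds into high-severity alert titles. The events, user names and the `okta_event` helper are constructed for the example; only the Okta field layout (`eventType`, `actor`, a `target` array with `type` and `displayName`, `published`) follows the real format.

```python
"""
Offline simulation of the "low and slow" pattern described above. Added
example, not Panther's own code: the SAMPLE_EVENTS below are constructed
Okta-shaped records, and the scheduled query is replaced by an equivalent
in-memory aggregation over a 30-day window.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

BYPASS_GROUP = "Bypass MFA Group"
WINDOW = timedelta(days=30)
THRESHOLD = 2                                        # alert when add_count > THRESHOLD
NOW = datetime(2024, 3, 31, tzinfo=timezone.utc)     # fixed "now" for the simulation


def okta_event(days_ago, user, group, event_type="group.user_membership.add", actor="IT Helpdesk"):
    """Build a constructed Okta system log record with only the fields the rules use."""
    return {
        "eventType": event_type,
        "published": (NOW - timedelta(days=days_ago)).isoformat(),
        "actor": {"type": "User", "displayName": actor},
        "target": [
            {"type": "User", "displayName": user},
            {"type": "UserGroup", "displayName": group},
        ],
    }


# Constructed sample input: Alice is added four times (one outside the window),
# Bob twice plus one removal, Carol to an unrelated group.
SAMPLE_EVENTS = [
    okta_event(1, "Alice", BYPASS_GROUP),
    okta_event(9, "Alice", BYPASS_GROUP),
    okta_event(20, "Alice", BYPASS_GROUP),       # third add inside the window -> alert
    okta_event(45, "Alice", BYPASS_GROUP),       # outside the 30-day window, not counted
    okta_event(3, "Bob", BYPASS_GROUP),
    okta_event(12, "Bob", BYPASS_GROUP),         # only two adds -> no alert
    okta_event(4, "Bob", BYPASS_GROUP, event_type="group.user_membership.remove"),
    okta_event(5, "Carol", "Engineering"),       # a different group, never matches
]


def get_target(event, target_type):
    """Return the target entry of the given Okta type ("User" / "UserGroup"), or {}."""
    for target in event.get("target") or []:
        if target.get("type") == target_type:
            return target
    return {}


# Step 1: the real-time rule, evaluated per event as Panther would.
def realtime_rule(event):
    return (
        event.get("eventType") == "group.user_membership.add"
        and get_target(event, "UserGroup").get("displayName") == BYPASS_GROUP
    )


def rule_matches(events):
    """The 'silent' info-level matches that would land in the rule_matches table."""
    return [e for e in events if realtime_rule(e)]


# Step 2: the scheduled query, as Python: count adds per user inside the window.
def count_adds_per_user(matches, now=NOW, window=WINDOW):
    counts = Counter()
    for match in matches:
        published = datetime.fromisoformat(match["published"])
        if now - published <= window:
            counts[get_target(match, "User").get("displayName")] += 1
    return [{"user_display_name": u, "add_count": n} for u, n in sorted(counts.items())]


# Step 3: the scheduled rule, evaluated per result row.
def scheduled_rule(row):
    return row.get("add_count", 0) > THRESHOLD


def scheduled_title(row):
    return f"{row['user_display_name']} has been added to the {BYPASS_GROUP} more than {THRESHOLD} times in the last 30 days."


def high_severity_alerts(events, now=NOW):
    """Run all three steps and return the high-severity alert titles."""
    rows = count_adds_per_user(rule_matches(events), now)
    return [scheduled_title(row) for row in rows if scheduled_rule(row)]


if __name__ == "__main__":
    print(len(rule_matches(SAMPLE_EVENTS)), "silent matches")
    for row in count_adds_per_user(rule_matches(SAMPLE_EVENTS)):
        print(row)
    for alert in high_severity_alerts(SAMPLE_EVENTS):
        print("HIGH:", alert)
```

Running it shows six silent matches, two aggregated rows (Alice 3, Bob 2) and a single high-severity alert for Alice; Alice's fourth add is ignored because it falls outside the window, and Bob's removal and Carol's add to another group never match the real-time rule in the first place. The window and threshold are the two knobs to tune for your own environment.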
Panther is highly flexible and can be customized to trigger alerts on whatever schedule you prefer, using whatever data your team finds interesting. The example above shows how to detect "low and slow" threats across your environment by combining real-time rules, low-severity "silent" alerts, and scheduled analysis of the historical match data. With these concepts and tactics in hand, your security team is equipped to safeguard your organization against sophisticated threats that may not even be on your radar yet.