
The Benefits of Using Python to Write SIEM Detections

Brandon Min

Over the last decade, businesses and organizations have rapidly adopted cloud infrastructure and remote working arrangements, producing more security data than ever before. As the volume of data has grown, so has the need for powerful, flexible queries that identify potential threats accurately and quickly.

Historically, security teams have utilized legacy Security Information and Event Management (SIEM) tools with proprietary coding languages to create detections and protect their organizations. In contrast, some modern SIEMs allow you to write detections with open-source languages like Python, which can vastly improve the speed, power, and cost-efficiency of your security operations.

In this blog, we’re covering some of the challenges of proprietary SIEM coding languages, ways to optimize threat detection with Python-based rules, and the impacts on mean-time-to-detection (MTTD) and overall SIEM costs.

Proprietary SIEM Coding Languages 

Before getting into Python, let’s dig into how the industry has been centered around proprietary coding languages as the backbone of its threat detection capabilities. 

For years, legacy SIEM solutions have presented security teams with a number of operational challenges. They are a handful to onboard, take large teams to operate, and cost a fortune for mediocre results. One of the key factors behind these challenges is the use of proprietary SIEM languages within the tools. Let's dig into these challenges in more detail.

First off, coding languages created specifically for a SIEM do not possess the expressiveness of open-source languages. This can lead to less coverage of your environment, simply because the proprietary language cannot express the logic that security engineers want to convey.

Second, proprietary languages lack code templates, modules, and 3rd-party libraries that support code reusability. This typically requires security engineers to reinvent the wheel for each new set of detections. 

Lastly, proprietary SIEM languages are constrained by the lack of a universal data model. Without a shared set of standardized fields, a security team cannot write one detection or search that runs over all log types at once; each log source has to be handled with its own field names and configuration.

Needless to say, it’s no wonder organizations have been frustrated with legacy SIEM tools, but with modern platforms, Python offers an easier, faster, and more robust way to create, modify, test, and deploy new detections. 

Python in Modern SIEM Solutions

Instead of proprietary languages, modern SIEM platforms typically give security teams the flexibility and speed to write and deploy detections in hours instead of weeks, and at a fraction of the cost of legacy SIEM solutions. Python provides advantages to security teams by:

  • Offering simple code reuse through modules and helper functions
  • Creating easier pathways to hire more affordable talent 
  • Leveraging data models for mapping common detections to different logging sources

These advantages help a security team move fast while providing the business with cost savings that far exceed those of legacy SIEM solutions. With simple helper functions, detection development time is reduced from weeks to hours: engineers can build libraries of common Python functions and pull them into any new detection.

Another payoff is that Python in a SIEM solution offers a much larger talent pool to hire from. Python is one of the top 3 most popular coding languages in the world, with over 50% of developers stating they have had some exposure to it. The average salary for a Python developer is around $80,000, whereas a proprietary-language coder may warrant a salary of at least $150,000. Because it is easier to find talent in-house, Python also eliminates the need for 3rd-party services, reducing the total cost of SIEM operations in a security budget. In a recent case study from Panther, Guild Education was able to reduce its security bill by 40% with the help of Python-based detections.

Ultimately, the benefits of Python can immediately outweigh any proprietary language SIEM offering. This is why Panther has opted to leverage Python as its primary coding language. Integrating a powerful and flexible coding base with the real-time analysis of Panther’s detection engine enables our platform to modernize the threat detection capabilities of security teams. 

Using Python in Panther SIEM

Panther is a modern SIEM built for security operations at scale with Python as its backbone. Teams can get started in less than 10 minutes with direct API integrations for the industry’s most common log sources, and we also offer pre-built packs of detection rules. Once logging from a cloud or on-premises source is configured, Panther analyzes data with these Python-based rules in real-time to provide instant feedback.

A Python detection rule is defined by a simple Boolean function. If it returns True, an alert fires; if it returns False, the event passes on to the next detection. Supplementary functions can also be used to add dynamic alert context to titles, descriptions, severity, and more.

## Required Function
# The logic for sending an alert, return True = Alert, False = Do not Alert
def rule(event):
    if event.get("Something"):
        return True
    return False
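To show how the required function and the supplementary functions fit together, here is an added example (not code from the original post or from Panther) of a complete rule for failed SSO logins. The function names rule, title, severity, dedup, and alert_context follow the naming convention described above; the event field names (eventType, outcome, actor, clientIp, isAdmin, reason) and the sample events are constructed for this example, and the evaluate() harness is a local stand-in for the detection engine so the rule can be exercised offline.

```python
# Added example: a Panther-style rule with its supplementary alert functions.
# Field names and sample events are constructed; they do not describe a real SSO product.
from typing import Any

# Outcome values this (constructed) SSO log uses for a failed login
FAILURE_OUTCOMES = {"FAILURE", "DENIED"}


def rule(event: dict) -> bool:
    """Required function: True = alert, False = do not alert."""
    if event.get("eventType") != "user.session.start":
        return False
    return event.get("outcome") in FAILURE_OUTCOMES


def title(event: dict) -> str:
    """Dynamic alert title built from the event itself."""
    actor = event.get("actor", "<unknown>")
    ip = event.get("clientIp", "<unknown>")
    return f"Failed SSO login for [{actor}] from [{ip}]"


def severity(event: dict) -> str:
    """Dynamic severity: escalate when an administrative account is targeted."""
    return "HIGH" if event.get("isAdmin") else "LOW"


def dedup(event: dict) -> str:
    """Deduplication key: repeated failures for one actor collapse into one alert."""
    return str(event.get("actor", "unknown"))


def alert_context(event: dict) -> dict[str, Any]:
    """Extra fields attached to the alert for the analyst."""
    return {
        "actor": event.get("actor"),
        "client_ip": event.get("clientIp"),
        "reason": event.get("reason"),
    }


# Constructed sample events: one success, two failures, one non-login event
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "outcome": "SUCCESS",
     "actor": "alice@example.com", "clientIp": "203.0.113.10"},
    {"eventType": "user.session.start", "outcome": "FAILURE",
     "actor": "bob@example.com", "clientIp": "198.51.100.7",
     "reason": "INVALID_CREDENTIALS"},
    {"eventType": "user.session.start", "outcome": "DENIED",
     "actor": "admin@example.com", "clientIp": "198.51.100.7",
     "isAdmin": True, "reason": "POLICY_DENIED"},
    {"eventType": "user.session.end", "outcome": "FAILURE",
     "actor": "carol@example.com"},
]


def evaluate(events: list[dict]) -> list[dict]:
    """Local harness (stand-in for the engine): run the rule over each event
    and collect the alert that the supplementary functions would produce."""
    alerts = []
    for ev in events:
        if rule(ev):
            alerts.append({
                "title": title(ev),
                "severity": severity(ev),
                "dedup": dedup(ev),
                "context": alert_context(ev),
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["severity"], alert["title"], alert["context"])
```

Keeping the eventType check in rule() is what stops the session-end failure from firing; the outcome field alone is not enough to identify a failed login.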

All detections can be customized or modified with Python and come with helper functions out-of-the-box. Rules can be written in the console UI as well as locally within a Continuous Integration/Continuous Deployment (CI/CD) pipeline. This is typically done with the Panther GitHub repository, which lets security teams manage detections the way software engineers manage code: reviewing code changes, modifying and reusing existing code, and owning agile workflows. All of this is made possible with Python as the centerpiece.

Let's say an organization onboarded a new Single Sign-On (SSO) tool to house employee data. The security team is tasked with building a detection to alert on potential brute-force and DDoS attacks against the new system.

The team would begin by sending logs from the SSO tool to Panther. This can either be done via direct API integration or by transferring logs to a supported cloud data transport source such as AWS S3, SQS, CloudWatch, or GCP Cloud Storage.

With logs streaming into Panther, there are several ways we can build a Python detection: 

  1. Reuse an out-of-the-box detection and modify it slightly to fit the new log source
  2. Create a data model that maps the new log source onto an existing pre-built detection
  3. Pull in helper functions or 3rd-party libraries to create a brand new detection from scratch

With Panther, a security team can build a new detection with any of these tactics in just a few hours.
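The second and third tactics above (a data model that maps a new log source onto an existing detection, and reusable helper functions) can be seen together in this added example, which is not code from the original post or from Panther. Two constructed SSO log formats ("SSO.VendorA" with nested fields and "SSO.VendorB" with flat fields) are mapped to the same standard field names through a DATA_MODELS table; the rule is then written once against those standard names via a udm() lookup. The brute_force_actors() helper shows the kind of function a team would keep in a shared module: a sliding-window count of failed logins per account, which also serves as a local test of the threshold before a rule ships. The log_type key, the field paths, the outcome values, and the sample events are all constructed for this example.

```python
# Added example: data-model mapping plus a shared helper for brute-force thresholds.
# Log types, field paths, outcome values and events are constructed, not a vendor's schema.
from datetime import datetime, timedelta

# Data models: standard field name -> dotted path in each (constructed) source schema
DATA_MODELS = {
    "SSO.VendorA": {"actor": "actor.alternateId", "outcome": "outcome.result",
                    "source_ip": "client.ipAddress", "time": "published"},
    "SSO.VendorB": {"actor": "user", "outcome": "status",
                    "source_ip": "ip", "time": "ts"},
}
# Outcome values the two sources use for a failed login (constructed)
FAILURE_VALUES = {"FAILURE", "failed"}


def deep_get(event: dict, path: str):
    """Resolve a dotted path such as 'actor.alternateId' inside a nested dict."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def udm(event: dict, field: str):
    """Unified lookup: the rule asks for 'actor'; the data model knows where it lives
    for this event's log type (the 'log_type' key is a constructed convention)."""
    model = DATA_MODELS.get(event.get("log_type"), {})
    path = model.get(field)
    return deep_get(event, path) if path else None


# --- shared helper-module functions, reusable across many rules ---
def is_failed_login(event: dict) -> bool:
    return udm(event, "outcome") in FAILURE_VALUES


def event_time(event: dict) -> datetime:
    return datetime.fromisoformat(udm(event, "time"))


def brute_force_actors(events: list[dict], threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {actor: peak_failure_count} for every actor that reached `threshold`
    failed logins inside any `window`-long span. Works across both log formats."""
    failures_by_actor: dict = {}
    for ev in sorted((e for e in events if is_failed_login(e)), key=event_time):
        failures_by_actor.setdefault(udm(ev, "actor"), []).append(event_time(ev))
    flagged = {}
    for actor, times in failures_by_actor.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), count)
    return flagged


# --- the detection, written once against the data model ---
def rule(event: dict) -> bool:
    return is_failed_login(event)


def title(event: dict) -> str:
    return f"Failed login for {udm(event, 'actor')} from {udm(event, 'source_ip')}"


def make_events() -> list[dict]:
    """Constructed sample: six VendorA failures for one account within six minutes,
    plus one VendorB failure and one VendorB success for another account."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    for i in range(6):
        events.append({"log_type": "SSO.VendorA",
                       "actor": {"alternateId": "bob@example.com"},
                       "outcome": {"result": "FAILURE"},
                       "client": {"ipAddress": "198.51.100.7"},
                       "published": (base + timedelta(minutes=i)).isoformat()})
    events.append({"log_type": "SSO.VendorB", "user": "alice@example.com",
                   "status": "failed", "ip": "203.0.113.10", "ts": base.isoformat()})
    events.append({"log_type": "SSO.VendorB", "user": "alice@example.com",
                   "status": "ok", "ip": "203.0.113.10",
                   "ts": (base + timedelta(minutes=1)).isoformat()})
    return events


if __name__ == "__main__":
    evs = make_events()
    print("per-event rule hits:", sum(rule(e) for e in evs))
    print("accounts over threshold:", brute_force_actors(evs))
```

Adding a third SSO product means adding one entry to DATA_MODELS; the rule, the title, and the helper need no changes, which is the reuse the data-model tactic buys.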

Get Started

By enabling Python-based detections, Panther has flipped the script on legacy SIEM solutions. Our platform provides organizations with more detection coverage, development efficiency, and accuracy with new alerts, and can also lead to significant reductions in total cost of ownership. You can request a demo to get started with Panther or take a product tour to get a feel for writing detections.