Alert Field Overrides
Overrides provide flexible, programmatically customizable alerts that allow users to tailor and fine-tune alerts.
In addition to the rule, title, and dedup functions, Rules can also contain the following functions to control the routing and alerting of detections.
Similarly, these functions take an argument of the currently processed event.
Any optional functions listed below left undefined will default to the rule metadata.
Referencing destinations was made available in v1.16 and newer versions.
Function | Details | Expected Return | Example |
| Generates a tailored Note that | String (ENUM) INFO LOW MEDIUM HIGH CRITICAL | "Info" |
| Generates a tailored | String | "Description" |
| Generates a tailored | String | "Reference" |
| Generates a tailored | String | "Runbook" |
| Used to override all other fields used for alert routing. Empty lists are used for alert suppression. | List [String] Destination Name | ["Main Slack"] |
Versions prior to v1.16 require destinations to return the destinations
To get the UUID of a detection:
Navigate to Settings > Destinations
Click on the name of the target destination
Extract the UUID from the current page URL
e.g.
https[:]//XX.AWS_REGION.elb.amazonaws.com/settings/destinations/01234567-1edf-4edb-8f5b-0123456789a/edit/
Result UUID: 01234567-1edf-4edb-8f5b-0123456789a
For example, the functions below can be used to fine-tune a detection:
HIGH_PRIORITY_REGIONS = ['us-east-1', 'eu-west-1']​# This rule applies to S3 Server Access Logsdef rule(event):if event.get('bucket') not in {'my-set-of-authenticated-buckets'}:return Falsereturn 'requester' not in event​# This rule groups alert events by the bucket namedef dedup(event):return event.get('bucket')​# Alerts will have a title like `Unauthenticated Access to S3 Bucket my-super-secret-data`def title(event):return 'Unauthenticated Access to S3 Bucket {}'.format(event.get('bucket'))​# Alert context will contain the bucket name and the requester informationdef alert_context(event):return {'bucket': event.get('bucket'), 'requester': event.get('requester')}​# Alert Overrides# Generated alerts will be Critical if it is in a high priority region, Info otherwisedef severity(event):if event['awsRegion'] in HIGH_PRIORITY_REGIONS:return 'Critical'else:return 'Low'​# Rules with this function defined will have generated descriptions, useful for providing more details to an Alertdef description(event):return 'Unauthenticated Access to S3 Bucket {} made by {}'.format(event.get('bucket'), event.get('requester'))​# Reference can be used to link to relevant external linksdef reference(event):return 'https://docs.runpanther.io/cloud-security/overview'​# Runbook can be used to inform how an analyst should respond to an Alertdef runbook(event):return 'Investigate the requester information as well as the S3 Bucket permissions.'​# Destinations is functionally a dynamic destination override, useful for controlling the reporting of generated alertsdef destinations(event):if event['awsRegion'] in HIGH_PRIORITY_REGIONS:return ['01234567-1edf-4edb-8f5b-0123456789a']# Suppress the alertelse:return []
Alert routing is based on the following order of precedence (from lowest precedence to highest):
Static Severity - Default alert routing based on the severity metadata field set for the detection.
Generated Severity - Destinations associated with returned
severityfunction defined in the Python body.Static Destinations - Destinations based on the Destination Override metadata field set for the detection.
Generated Destinations - Destinations returned by the
destinationsfunction defined in the Python body.
