Home
Pricing
Github
Slack Channel
Home
Quick Start
Development
Operations
User Guide
Destinations
Analysis
Tutorials
Help
Log Analysis
Overview
Setup
Rules
Writing Rules in Panther
Built-in Rule Runbooks
Supported Logs
Standard Fields
Cloud Security
Overview
Setup
Policies
Built-in Policy Runbooks
Automatic Remediation
Supported Resources
Enterprise
Overview
Data Analytics
SaaS Logs
Snowflake Integration
SAML/SSO Integration
Role-Based Access Control
Powered by GitBook

Writing Rules in Panther

This page details the steps to writing Panther rules with the built-in UI. For a background on how rules work, read the guide here.

Navigate to Log Analysis > Rules, and click Create New in the top right corner.

You have the option of creating a single new rule, or bulk uploading a zip file containing rules created with the panther_analysis_tool:

Select Single to create a new rule.

Set Attributes

Set all the necessary rule attributes, such as the ID, Log Types, Deduplication Period, and Severity:

Write Rule Function

Then write your rule function with the rule(), title(), and dedup() functions.

Configure Tests

Finally, configure test cases to ensure your rule works as expected:

And click Create to save the rule.

Now, when any NGINX.Access logs are sent to Panther, this rule will automatically analyze and alert upon admin panel activity.

Log Analysis - Previous
Rules
Next
Built-in Rule Runbooks
Last updated 2 months ago
Contents
Set Attributes
Write Rule Function
Configure Tests