This page details the steps to writing Panther rules with the built-in UI. For a background on how rules work, read the guide here.
Go to Log Analysis > Rules, and click Create New in the top right corner.
You have the option of creating a single new rule, or bulk uploading a zip file containing rules created with the panther_analysis_tool:
Select Single to create a new rule.
Set all the necessary rule attributes, such as the ID, Log Types, Deduplication Period, and Severity:
Then write your rule function with the
The detection can also be fine-tuned with dynamic alert fields.
Finally, configure test cases to ensure your rule works as expected:
Click Create to save the rule.
Now, whenever NGINX.Access logs are sent to Panther, this rule will automatically analyze them and alert on admin panel activity.
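As an added illustration of the rule function, dynamic alert fields and test cases described above (example code written for this page, not Panther's or the page's own rule), here is a Panther-style Python rule for admin panel requests in NGINX.Access logs. The field names remoteAddr, request and status and the list of admin paths are assumptions; adjust them to your schema.

```python
# Added example of a Panther-style Python rule for NGINX.Access logs (not the
# page's own rule). Field names (remoteAddr, request, status) are assumed to
# follow Panther's NGINX.Access schema; adjust them if your schema differs.
ADMIN_PATH_PREFIXES = ("/admin", "/wp-admin", "/phpmyadmin")  # constructed list

def _request_path(event):
    # "request" holds "METHOD /path?query HTTP/1.1"; return the lower-cased path.
    parts = (event.get("request") or "").split(" ")
    return parts[1].split("?", 1)[0].lower() if len(parts) >= 2 else ""

def rule(event):
    # The detection itself: fire on any request whose path targets an admin panel.
    return _request_path(event).startswith(ADMIN_PATH_PREFIXES)

def title(event):
    # Dynamic alert title: source address, path and HTTP status.
    return (f"NGINX admin panel request from {event.get('remoteAddr', '<unknown>')} "
            f"to {_request_path(event)} (HTTP {event.get('status', '?')})")

def severity(event):
    # Dynamic severity: a 2xx admin response deserves more attention than a
    # rejected (401/403) or missing (404) page.
    return "HIGH" if str(event.get("status", "")).startswith("2") else "LOW"

def dedup(event):
    # Group alerts per source address within the rule's deduplication period.
    return f"{event.get('remoteAddr', 'unknown')}:admin-panel"

# Constructed sample events standing in for the page's "test cases" step.
ADMIN_HIT = {"remoteAddr": "203.0.113.7", "request": "GET /Admin/login.php?next=/ HTTP/1.1", "status": 200}
ADMIN_DENIED = {"remoteAddr": "203.0.113.8", "request": "GET /wp-admin/ HTTP/1.1", "status": 403}
NORMAL_HIT = {"remoteAddr": "198.51.100.9", "request": "GET /index.html HTTP/1.1", "status": 200}
MALFORMED = {"remoteAddr": "198.51.100.10", "request": "-", "status": 400}

def run_tests():
    # Mirrors Panther's test cases: (event, expected rule() result) -> names of failing cases.
    cases = [(ADMIN_HIT, True), (ADMIN_DENIED, True), (NORMAL_HIT, False), (MALFORMED, False)]
    names = ["admin_hit", "admin_denied", "normal_hit", "malformed"]
    return [name for name, (event, expected) in zip(names, cases) if rule(event) != expected]

if __name__ == "__main__":
    failures = run_tests()
    print("all tests passed" if not failures else f"failed: {failures}")
```

The malformed case matters: an NGINX line whose request field is "-" must not raise inside rule(), or Panther records a rule error instead of a clean no-match.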