Writing Rules in Panther

This page details the steps to writing Panther rules with the built-in UI. For a background on how rules work, read the guide here.

Navigate to Log Analysis > Rules, and click Create New in the top right corner.

You have the option of creating a single new rule, or bulk uploading a zip file containing rules created with the panther_analysis_tool:

Select Single to create a new rule.

Set Attributes

Set all the necessary rule attributes, such as the ID, Log Types, Deduplication Period, and Severity:

Write Rule Function

Then write the rule body, made up of the rule(), title(), and dedup() functions.

The detection can also be fine-tuned with dynamic alert fields.

Configure Tests

Finally, configure test cases to ensure your rule works as expected:

Click Create to save the rule.

Now, when any NGINX.Access logs are sent to Panther, this rule will automatically analyze and alert upon admin panel activity.
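As an added illustration of the rule body and test cases described above (example code, not from this page or the Panther project), here is a Panther-style Python rule for NGINX.Access events that flags admin panel requests with rule(), title() and dedup(), plus alert_context() as a dynamic alert field. The NGINX.Access field names (remoteAddr, request, status, httpUserAgent), the admin path prefixes, and the test events are assumptions constructed for this example.

```python
import re

# Request paths treated as "admin panel activity" (assumption for this example).
ADMIN_PATH_RE = re.compile(r"^/(admin|wp-admin|phpmyadmin)(/|$)", re.IGNORECASE)

def _request_path(event):
    """NGINX 'request' looks like 'GET /path HTTP/1.1'; return only the path."""
    parts = event.get("request", "").split(" ")
    return parts[1] if len(parts) >= 2 else ""

def rule(event):
    """Required by Panther: returning True fires an alert for this event."""
    return bool(ADMIN_PATH_RE.match(_request_path(event)))

def title(event):
    """Human-readable alert title built from the event."""
    return "Admin panel request to {} from {} (HTTP {})".format(
        _request_path(event), event.get("remoteAddr", "unknown"), event.get("status", "?"))

def dedup(event):
    """Events sharing this string within the deduplication period form one alert."""
    return "admin-panel:{}".format(event.get("remoteAddr", "unknown"))

def alert_context(event):
    """Dynamic alert field: structured context attached to the alert (assumed field names)."""
    return {"remoteAddr": event.get("remoteAddr"), "path": _request_path(event),
            "status": event.get("status"), "userAgent": event.get("httpUserAgent")}

# Constructed test events in the shape of UI test cases: (event, expected rule() result).
TESTS = {
    "admin login page": ({"remoteAddr": "203.0.113.7", "request": "GET /admin/login HTTP/1.1",
                          "status": 200, "httpUserAgent": "curl/8.0"}, True),
    "wp-admin ajax": ({"remoteAddr": "198.51.100.3", "request": "POST /wp-admin/admin-ajax.php HTTP/1.1",
                       "status": 403, "httpUserAgent": "Mozilla/5.0"}, True),
    "public page": ({"remoteAddr": "192.0.2.10", "request": "GET /index.html HTTP/1.1", "status": 200}, False),
    "lookalike prefix": ({"remoteAddr": "192.0.2.11", "request": "GET /administration-faq HTTP/1.1",
                          "status": 200}, False),
}

def run_tests(tests=TESTS):
    """Return {test name: passed?} so a wrong expectation is visible before saving the rule."""
    return {name: rule(event) == expected for name, (event, expected) in tests.items()}

if __name__ == "__main__":
    for name, passed in run_tests().items():
        print("PASS" if passed else "FAIL", name)
```

The "lookalike prefix" case shows why the pattern anchors on a path separator: a path that merely starts with the letters "admin" must not fire.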