This page details the steps to writing Panther rules with the built-in UI. For a background on how rules work, read the guide here.
Navigate to Log Analysis > Rules, and click Create New in the top right corner.
You have the option of creating a single new rule, or bulk uploading a zip file containing rules created with the panther_analysis_tool:
Select Single to create a new rule.
Set all the necessary rule attributes, such as the ID, Log Types, Deduplication Period, and Severity:
Then write your rule function with the rule(), title(), and dedup() functions.
The detection can also be fine-tuned with dynamic alert fields.
Finally, configure test cases to ensure your rule works as expected:
And click Create to save the rule.
Now, when any NGINX.Access logs are sent to Panther, this rule will automatically analyze and alert upon admin panel activity.
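As an added example (not from the Panther documentation), here is a complete rule of the kind the steps above produce: it flags admin panel requests in NGINX.Access events, and the severity() function shows a dynamic alert field. It assumes the NGINX.Access schema exposes the fields request, remoteAddr and status; the admin prefixes and sample events are constructed.

```python
# Added example Panther rule for NGINX.Access logs (not from the Panther docs).
# Assumes the NGINX.Access schema exposes 'request', 'remoteAddr' and 'status'.
from urllib.parse import urlsplit

# Path prefixes treated as admin panel entry points (constructed list).
ADMIN_PREFIXES = ("/admin", "/wp-admin", "/manager")


def _request_path(event):
    """Return the URL path of the NGINX request line.
    'GET /admin/login?next=/ HTTP/1.1' -> '/admin/login'."""
    parts = event.get("request", "").split(" ")
    target = parts[1] if len(parts) >= 2 else parts[0]
    return urlsplit(target).path


def rule(event):
    # Match the prefix as a whole path segment so '/administrator' is not caught.
    path = _request_path(event)
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)


def title(event):
    return (f"Admin panel request to {_request_path(event)} "
            f"from {event.get('remoteAddr', 'unknown')}")


def dedup(event):
    # Group on client address: repeated admin hits from one IP within the
    # deduplication period collapse into a single alert.
    return event.get("remoteAddr", "unknown")


def severity(event):
    # Dynamic alert field: a 2xx response means the panel was actually reached.
    status = int(event.get("status") or 0)
    return "HIGH" if 200 <= status < 300 else "LOW"


# Constructed sample events shaped like NGINX.Access logs, for a quick local check.
SAMPLE_EVENTS = [
    {"remoteAddr": "203.0.113.7", "request": "GET /admin/login HTTP/1.1", "status": 200},
    {"remoteAddr": "203.0.113.7", "request": "GET /administrator HTTP/1.1", "status": 404},
    {"remoteAddr": "198.51.100.2", "request": "GET /index.html HTTP/1.1", "status": 200},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if rule(ev):
            print(severity(ev), dedup(ev), title(ev))
```

The same three functions, minus the sample block, can be pasted into the rule editor and exercised with the test cases configured in the step above.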