Panther Knowledge Base

Where in my Panther code repository can I store my YAML-only detections?

QUESTION

Where in my Panther code repository can I store my YAML-only detections? Are there any specific guidelines?

ANSWER

The documentation for setting up folders and files while using YAML-only detections with the CLI can be found here.

As described there, if you group your rules into folders, each folder name must include the word "rules" so that the rules can be identified during upload (using either the Panther Analysis Tool (PAT) or the bulk uploader in the Console). It is also recommended to group your rules into folders by log or resource type, for example "suricata_rules" for Suricata rules or "aws_s3_policies" for S3 policies.

The YAML file for a YAML-only rule has the same structure as the YAML file of a Python rule, but without the accompanying Python ".py" file.
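A small layout check for the folder convention above, written as an added example for this article (it is not Panther's own tooling). It walks a detection repository, reads the `AnalysisType` key of every YAML file with a regex (so no YAML library is needed), and reports any rule that sits in a sub-folder without "rules" in its name; rules kept at the repository root are accepted, since the convention only applies when rules are grouped into folders. The sample repository it builds in a temporary directory is constructed for the example, and the body of each file follows the YAML-only rule shape as assumed here; the check itself relies only on the `AnalysisType` line.

```python
"""Lint a Panther detection repo: every YAML-only rule grouped into a folder
must live under a folder whose name contains "rules", or the uploader will
not identify it. Added example, not Panther's own code."""
import os
import re
import tempfile

# First `AnalysisType:` key in the file; rules say "rule", policies "policy".
ANALYSIS_TYPE = re.compile(r"^AnalysisType:\s*(\S+)", re.MULTILINE)

# Constructed sample repository (assumed YAML-only rule layout):
#  - a rule correctly placed under suricata_rules/
#  - a rule misplaced under misc/ (no "rules" in any parent folder)
#  - a rule at the repo root (not grouped, so no folder rule applies)
#  - a policy under aws_s3_policies/ (not a rule, so it is ignored)
SAMPLE_REPO = {
    "suricata_rules/suricata_high_severity_alert.yml": (
        "AnalysisType: rule\n"
        "RuleID: Suricata.HighSeverityAlert\n"
        "Enabled: true\n"
        "LogTypes:\n  - Suricata.Alert\n"
        "Severity: High\n"
        "Detection:\n  - KeyPath: alert.severity\n"
        "    Condition: Equals\n    Value: 1\n"
    ),
    "misc/okta_admin_login.yml": (
        "AnalysisType: rule\n"
        "RuleID: Okta.AdminLogin\n"
        "Enabled: true\n"
        "LogTypes:\n  - Okta.SystemLog\n"
        "Severity: Medium\n"
        "Detection:\n  - KeyPath: eventType\n"
        "    Condition: Equals\n    Value: user.session.start\n"
    ),
    "root_level_rule.yml": (
        "AnalysisType: rule\n"
        "RuleID: Example.RootLevel\n"
        "Enabled: true\n"
        "LogTypes:\n  - AWS.CloudTrail\n"
        "Severity: Low\n"
        "Detection:\n  - KeyPath: eventName\n"
        "    Condition: Equals\n    Value: DeleteTrail\n"
    ),
    "aws_s3_policies/s3_bucket_public.yml": (
        "AnalysisType: policy\n"
        "PolicyID: AWS.S3.BucketPublic\n"
        "Enabled: true\n"
        "ResourceTypes:\n  - AWS.S3.Bucket\n"
        "Severity: High\n"
    ),
}


def analysis_type(path):
    """Return the AnalysisType value of a YAML file, or None if absent."""
    with open(path, encoding="utf-8") as fh:
        match = ANALYSIS_TYPE.search(fh.read())
    return match.group(1) if match else None


def misplaced_rules(root):
    """Repo-relative paths of rule YAML files that are grouped into folders
    but have no folder with "rules" in its name anywhere on their path."""
    bad = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        # Root-level rules are not grouped, so the folder convention is moot.
        ok_location = not parts or any("rules" in p.lower() for p in parts)
        for name in sorted(files):
            if not name.endswith((".yml", ".yaml")):
                continue
            full = os.path.join(dirpath, name)
            if analysis_type(full) == "rule" and not ok_location:
                bad.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(bad)


def write_sample_repo(root):
    """Materialise SAMPLE_REPO under root and return root."""
    for rel, body in SAMPLE_REPO.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Build the sample repo in a temp dir and lint it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_repo(tmp)
        return misplaced_rules(tmp)


if __name__ == "__main__":
    for path in demo():
        print(f"rule is not under a folder containing 'rules': {path}")
```

Run it against a real checkout by calling `misplaced_rules("/path/to/repo")`; an empty list means every grouped rule is in a folder the uploader will recognise. The check deliberately matches "rules" anywhere in any parent folder name, so a layout such as `rules/suricata/` passes as well as `suricata_rules/`.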