# Table of Contents - [Cloud Security Scanning | Panther Docs](#cloud-security-scanning-panther-docs) - [Quick Start | Panther Docs](#quick-start-panther-docs) - [Data Sources & Transports | Panther Docs](#data-sources-transports-panther-docs) - [Terraform | Panther Docs](#terraform-panther-docs) - [Using panther-analysis | Panther Docs](#using-panther-analysis-panther-docs) - [MCP Server | Panther Docs](#mcp-server-panther-docs) - [Panther Developer Workflows Overview | Panther Docs](#panther-developer-workflows-overview-panther-docs) - [pantherlog Tool | Panther Docs](#pantherlog-tool-panther-docs) - [Field Discovery | Panther Docs](#field-discovery-panther-docs) - [Help | Panther Docs](#help-panther-docs) - [Ingestion Filters | Panther Docs](#ingestion-filters-panther-docs) - [Converting Sigma Rules | Panther Docs](#converting-sigma-rules-panther-docs) - [Using Panther-managed Detections | Panther Docs](#using-panther-managed-detections-panther-docs) - [Derived Detections | Panther Docs](#derived-detections-panther-docs) - [Standard Fields | Panther Docs](#standard-fields-panther-docs) - [Saved and Scheduled Searches | Panther Docs](#saved-and-scheduled-searches-panther-docs) - [CI/CD for Panther Content | Panther Docs](#ci-cd-for-panther-content-panther-docs) - [Panther Analysis Tool | Panther Docs](#panther-analysis-tool-panther-docs) - [Managing Panther Content via CircleCI | Panther Docs](#managing-panther-content-via-circleci-panther-docs) - [PantherFlow Expressions | Panther Docs](#pantherflow-expressions-panther-docs) - [Panther AI Workflow Examples | Panther Docs](#panther-ai-workflow-examples-panther-docs) - [G Suite SSO | Panther Docs](#g-suite-sso-panther-docs) - [Tor Exit Nodes | Panther Docs](#tor-exit-nodes-panther-docs) - [Data Models | Panther Docs](#data-models-panther-docs) - [Public Fork | Panther Docs](#public-fork-panther-docs) - [Snowflake Connected (Legacy) | Panther Docs](#snowflake-connected-legacy-panther-docs) - [Private Clone | Panther Docs](#private-clone-panther-docs) - [Roles | Panther Docs](#roles-panther-docs) - [PantherFlow Examples: Panther Audit Logs | Panther Docs](#pantherflow-examples-panther-audit-logs-panther-docs) - [Rules | Panther Docs](#rules-panther-docs) - [Users | Panther Docs](#users-panther-docs) - [Cloud Account Management | Panther Docs](#cloud-account-management-panther-docs) - [User & Role Management | Panther Docs](#user-role-management-panther-docs) - [Log Source Management | Panther Docs](#log-source-management-panther-docs) - [Metrics | Panther Docs](#metrics-panther-docs) - [Token Rotation | Panther Docs](#token-rotation-panther-docs) - [Scheduled Rules | Panther Docs](#scheduled-rules-panther-docs) - [Onboarding Guide | Panther Docs](#onboarding-guide-panther-docs) - [Email Protection | Cloudflare](#email-protection-cloudflare) - [Legal | Panther Docs](#legal-panther-docs) - [MISP Warning Lists | Panther Docs](#misp-warning-lists-panther-docs) - [Migrating to a CI/CD Workflow | Panther Docs](#migrating-to-a-ci-cd-workflow-panther-docs) --- # Cloud Security Scanning | Panther Docs [hashtag](https://docs.panther.com/cloud-scanning#overview) Overview ------------------------------------------------------------------------- Cloud Security Scanning in Panther works by capturing the configurations of your Amazon Web Services (AWS) resources and invoking associated [policies](https://docs.panther.com/detections/policies) you've defined to detect misconfigurations. Cloud Security Scanning is automatically enabled when you onboard a Cloud Account in your Panther instance. This feature can improve your cloud security posture and assist with compliance. Common security misconfigurations detectable by Panther include: * S3 Buckets without encryption * Security Groups allowing inbound SSH traffic from `0.0.0.0/0` * Access Keys being older than 90 days * IAM policies that are too permissive When adding a new AWS account, Panther runs a baseline scan and models all of the resources in your account. Account scans are then performed daily. This works by using an assumable IAM Role with ReadOnly permissions. [hashtag](https://docs.panther.com/cloud-scanning#how-to-use-cloud-security-scanning) How to use Cloud Security Scanning ----------------------------------------------------------------------------------------------------------------------------- Cloud Security Scanning is automatically enabled in Panther when a cloud account is onboarded. With Cloud Security Scanning, Panther captures the state of cloud resources and invokes any associated [policies](https://docs.panther.com/detections/policies) on a daily cadence to detect misconfigurations. You can onboard a cloud account [in the Panther Console](https://docs.panther.com/cloud-scanning#onboarding-a-cloud-account-in-the-panther-console) , or [using the Panther API](https://docs.panther.com/cloud-scanning#onboarding-a-cloud-account-using-the-panther-api) . Additionally, we recommend [onboarding your CloudTrail or CloudWatch logs as a log source integration](https://docs.panther.com/data-onboarding/supported-logs/aws) so you can configure detections and receive alerts for active incidents and breaches. circle-info Panther's Cloud Security Scanning performs scans daily. You can also enable [real-time monitoring](https://docs.panther.com/cloud-scanning#real-time-monitoring) of cloud infrastructure configurations. ### [hashtag](https://docs.panther.com/cloud-scanning#onboarding-a-cloud-account-in-the-panther-console) Onboarding a cloud account in the Panther Console 1. Log in to your Panther Console. 2. In the left sidebar, click **Configure > Cloud Accounts** then click **Connect an account**. 3. Enter your account Name and AWS Account ID. * You may also expand the **Advanced Options** to indicate which AWS Regions, Resource Types, and Resources by Region you would like to exclude from cloud scanning. This can help prevent too many alerts from being generated by regions and resources known to be misconfigured. ![The image shows the Cloud Account configuration page in Panther. There are fields for Name and AWS Account ID. "Advanced Options" is expanded and includes dropdown menus for "Exclude AWS Regions," "Exclude Resource Types," and a field for "Exclude Resources by Regex."](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-4ee427d73eea2a1889f80d316191bee1505fa2ba%252FScreen%2520Shot%25202022-08-02%2520at%25206.01.39%2520PM.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=93bc1c0d&sv=2) 4. Click **Continue Setup**. ### [hashtag](https://docs.panther.com/cloud-scanning#set-up-an-iam-role) Set up an IAM role Panther needs an IAM role to have the ability to scan resources from your AWS account. You can choose from the following options to set this up: * [Using the AWS Console UI](https://docs.panther.com/cloud-scanning#creating-an-iam-role-using-the-aws-console-ui) : Launch a CloudFormation stack using the AWS console. * [CloudFormation or Terraform Template File](https://docs.panther.com/cloud-scanning#creating-an-iam-role-using-a-cloudformation-or-terraform-template-file) : Use Panther's provided CloudFormation template or Terraform template to create an IAM role by downloading the template and deploying on your own. * [I want to set up everything on my own](https://docs.panther.com/cloud-scanning#creating-an-iam-role-manually-or-with-other-automation) : Create the IAM role manually or with other automation. ![The Setup an IAM Role page displays options for Using the AWS Console UI, CloudFormation or Terraform template, or "I want to set up everything on my own."](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-9c9463159e624b522598774d9468e5d8b32e26c1%252FScreen%2520Shot%25202022-08-02%2520at%25206.02.22%2520PM.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=5f93efe3&sv=2) #### [hashtag](https://docs.panther.com/cloud-scanning#creating-an-iam-role-using-the-aws-console-ui) Creating an IAM Role using the AWS Console UI 1. On the "Setup an IAM Role" page, click **Select** next to **Using the AWS Console UI**. 2. Click **Launch Console UI.** * You will be redirected to the AWS console in a new browser tab, with the template URL pre-filled. * Check the acknowledgements in the "Capabilities" box, and click **Create Stack.** 3. Navigate back to your Panther Console. 4. Click **Continue Setup** to complete the Cloud Account setup process. #### [hashtag](https://docs.panther.com/cloud-scanning#creating-an-iam-role-using-a-cloudformation-or-terraform-template-file) Creating an IAM Role using a CloudFormation or Terraform Template File 1. On the "Setup an IAM Role page", click **Select** next to **CloudFormation or Terraform Template File**. 2. Click the template option you want to use, which downloads the template to apply it through your own pipeline. * You can also find the Terraform template at [this GitHub linkarrow-up-right](https://github.com/panther-labs/panther-auxiliary/tree/9365346d8698e730bd623086e24ca6f2a34c4b5c/terraform/panther_cloudsec_iam) . 3. Upload the template file in AWS. 4. Once deployed, navigate back to the Panther Console, and click **Continue Setup.** ![The image shows the CloudFormation Template File option page in the Panther Console. On the screen there are links to download a CloudFormation or Terraform Template, then instructions to run commands in your CLI.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-5e8b0749de491e9c9aad8fffccad2a6619865480%252FScreen%2520Shot%25202022-08-02%2520at%25206.03.29%2520PM.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=93e81a77&sv=2) #### [hashtag](https://docs.panther.com/cloud-scanning#creating-an-iam-role-manually-or-with-other-automation) Creating an IAM role manually or with other automation If you wish to create an IAM role via some other mechanism, ensure it has the naming standard and permissions documented in [Panther’s provided templatesarrow-up-right](https://github.com/panther-labs/panther-auxiliary/blob/main/cloudformation/panther-cloudsec-iam.yml) . 1. On the "Set Up an IAM role" page, click the link that says **I want to set everything up on my own**. 2. Create the required IAM role. You may create the required IAM role manually or through your own automation. ### [hashtag](https://docs.panther.com/cloud-scanning#finish-the-cloud-account-setup-process) Finish the cloud account setup process The Setup Verification page verifies whether the IAM role has been successfully created. 1. Optionally, you can click **Setup CloudTrail** to enable Real Time Scanning. * If you have already configured a Log Source containing CloudTrail Logs or if you would like to configure this later, you may skip this step. 2. Click **Finish Setup**. ![The screen displays a message that says 'Everything looks good!" and "Your configured stack was deployed successfully and your source's setup is now complete!" There is also a message indicating that you can also set up a CloudTrail log source. At the bottom, there is a blue "Finish Setup" button.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-4705aa4667e761f5182de76e1a6cd97cb65413c9%252FScreen%2520Shot%25202022-08-02%2520at%25206.04.29%2520PM.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=7748b51e&sv=2) ### [hashtag](https://docs.panther.com/cloud-scanning#onboarding-a-cloud-account-using-the-panther-api) Onboarding a cloud account using the Panther API To onboard a cloud account with the Panther API, use the [`CreateCloudAccount` operation](https://docs.panther.com/panther-developer-workflows/api/graphql/cloud-account#creating-a-cloud-account) . Note that after using this operation, you will still need to set up an IAM role in your AWS account—follow the [Creating an IAM role manually or with other automation](https://docs.panther.com/cloud-scanning#creating-an-iam-role-manually-or-with-other-automation) instructions above. [hashtag](https://docs.panther.com/cloud-scanning#real-time-monitoring) Real-time monitoring ------------------------------------------------------------------------------------------------- You can optionally enable real-time monitoring of your cloud resources, in addition to the daily scan performed by the Cloud Security Scanning service. Real-time monitoring means that whenever a change is made to a cloud resource (including configuration modifications, creations, and deletions), Panther invokes any [policies](https://docs.panther.com/detections/policies) associated with that resource. This means that if the change causes the resource to fail a policy, you will be alerted in near-real-time, instead of at the time of the next daily scan. To set up real-time monitoring, either onboard AWS CloudTrail as a log source, or follow the CloudWatch events process below. ### [hashtag](https://docs.panther.com/cloud-scanning#cloudtrail-logs) CloudTrail logs To set up real-time monitoring via CloudTrail logs, follow the instructions to [onboard CloudTrail logs](https://docs.panther.com/data-onboarding/supported-logs/aws) . ### [hashtag](https://docs.panther.com/cloud-scanning#cloudwatch-events) CloudWatch events To leverage CloudWatch events for resource scanning and monitoring, you must configure a CloudFormation stack in AWS and then onboard your Cloud Account. #### [hashtag](https://docs.panther.com/cloud-scanning#configure-cloudformation-to-leverage-cloudwatch-events) Configure CloudFormation to leverage CloudWatch events Before getting started, review the `panther-cloudwatch-events.yml` CloudFormation template within [panther-auxiliaryarrow-up-right](https://github.com/panther-labs/panther-auxiliary/blob/main/cloudformation/panther-cloudwatch-events.yml) . This YAML file contains the CloudFormation stack information necessary to configure Panther's real-time CloudWatch Event collection. It works by creating CloudWatch Event rules which feed to Panther's SQS Queue proxied by a local SNS topic in each region. Latency between an event occurring in AWS and the event being detected by CloudWatch Event rules is typically 1 minute or less. 1. [Downloadarrow-up-right](https://github.com/panther-labs/panther-auxiliary/blob/main/cloudformation/panther-cloudwatch-events.yml) the `panther-cloudwatch-events.yml` template from panther-auxiliary. 2. Launch your AWS console and navigate to the CloudFormation service. 3. Click **Create stack** and choose the option "With new resources." 4. In the **Template** section, choose the option _Upload a template file_. Select your `panther-cloudwatch-events.yml` file. 5. Click **Next**. 6. In the **Specify Details** section, fill in the necessary fields, including the following: * **Stack name**: `panther-real-time-events` * **QueueArn**: `arn:aws:sqs:::panther-aws-events-queue` 7. Click **Next**. 8. On the **Configure stack options** page, click **Next**. 9. On the **Review** page, make sure you have configured your settings correctly. Click **Next**. 10. After configuring the template, follow the [instructions to onboard your cloud account](https://docs.panther.com/cloud-scanning#onboarding-a-cloud-account-in-the-panther-console) . [hashtag](https://docs.panther.com/cloud-scanning#cloud-resource-attributes) Cloud resource attributes ----------------------------------------------------------------------------------------------------------- To learn more about the attributes that can be referenced in Cloud Security policies, see [Cloud Resource Attributes](https://docs.panther.com/cloud-scanning/cloud-resource-attributes) . [hashtag](https://docs.panther.com/cloud-scanning#troubleshooting-cloud-security-scanning) Troubleshooting Cloud Security Scanning --------------------------------------------------------------------------------------------------------------------------------------- Visit the Panther Knowledge Base to [view articles about Cloud Security Scanning policiesarrow-up-right](https://help.panther.com/Detections/Policies) and [articles about Cloud Accountsarrow-up-right](https://help.panther.com/Data_Sources/Cloud_Accounts) that answer frequently asked questions and help you resolve common errors and issues. [PreviousFramework Mapping and MITRE ATT&CK® Matrixchevron-left](https://docs.panther.com/detections/report-mapping) [NextCloud Resource Attributeschevron-right](https://docs.panther.com/cloud-scanning/cloud-resource-attributes) Last updated 1 year ago Was this helpful? * [Overview](https://docs.panther.com/cloud-scanning#overview) * [How to use Cloud Security Scanning](https://docs.panther.com/cloud-scanning#how-to-use-cloud-security-scanning) * [Onboarding a cloud account in the Panther Console](https://docs.panther.com/cloud-scanning#onboarding-a-cloud-account-in-the-panther-console) * [Set up an IAM role](https://docs.panther.com/cloud-scanning#set-up-an-iam-role) * [Finish the cloud account setup process](https://docs.panther.com/cloud-scanning#finish-the-cloud-account-setup-process) * [Onboarding a cloud account using the Panther API](https://docs.panther.com/cloud-scanning#onboarding-a-cloud-account-using-the-panther-api) * [Real-time monitoring](https://docs.panther.com/cloud-scanning#real-time-monitoring) * [CloudTrail logs](https://docs.panther.com/cloud-scanning#cloudtrail-logs) * [CloudWatch events](https://docs.panther.com/cloud-scanning#cloudwatch-events) * [Cloud resource attributes](https://docs.panther.com/cloud-scanning#cloud-resource-attributes) * [Troubleshooting Cloud Security Scanning](https://docs.panther.com/cloud-scanning#troubleshooting-cloud-security-scanning) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Quick Start | Panther Docs Get started with Panther [by requesting a demo!arrow-up-right](https://panther.com/product/request-a-demo/) [hashtag](https://docs.panther.com/quick-start#overview) Overview ---------------------------------------------------------------------- Welcome to Panther! This guide will walk you through your initial login to the Panther Console, as well as how to invite additional users. Once you've completed these steps, head to the [Onboarding Guide](https://docs.panther.com/quick-start/onboarding-guide) for full onboarding instructions. ### [hashtag](https://docs.panther.com/quick-start#getting-started-with-key-panther-features) Getting started with key Panther features ### [hashtag](https://docs.panther.com/quick-start#using-panther) Using Panther You can manage your account and workflows in the Panther Console or using Panther Developer Workflows. #### [hashtag](https://docs.panther.com/quick-start#panther-console) Panther Console The Panther Console is Panther's web interface, where users can interact with their Panther instance. You can navigate the Panther Console via the left-hand navigation panel or press **⌘ (command) + K** at any time to search and jump straight to relevant documentation. For a preview of the Panther Console, check out the [Overview video](https://docs.panther.com/quick-start#overview-video) above. #### [hashtag](https://docs.panther.com/quick-start#panther-developer-workflows) Panther Developer Workflows Panther Developer Workflows are non-Console workflows you can use to interact with your Panther account, including [CI/CD](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci) , [API](https://docs.panther.com/panther-developer-workflows/api) , [Terraform](https://docs.panther.com/panther-developer-workflows/terraform) , [pantherlog](https://docs.panther.com/panther-developer-workflows/pantherlog) and the [Panther Analysis Tool (PAT)](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#using-the-panther-analysis-tool) . ### [hashtag](https://docs.panther.com/quick-start#glossary) Glossary Panther's [Glossary](https://docs.panther.com/resources/help/glossary) introduces common cloud-native, security, and Panther-specific terminology. Refer to the Glossary for extra context and clarity on terms found throughout this documentation. [hashtag](https://docs.panther.com/quick-start#getting-started-in-panther) Getting started in Panther ---------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/quick-start#initial-panther-login) Initial Panther login After your Panther instance has been provisioned, you can access your Panther Console. Once your account has been provisioned, you will receive an invitation email from `[[email protected]](https://docs.panther.com/cdn-cgi/l/email-protection) ` with the subject line **Welcome to Panther!** that contains your temporary Panther Console login credentials. If you don't see this email, be sure to check your spam folder or [reach out to your Panther Support team](https://docs.panther.com/resources/help#contact-panther-support) . After you have logged in to the Console with these provided credentials, you will need to update your password and set up multi-factor authentication. Panther requires a strong password: * Password must contain at least 12 characters * Password must contain at least 1 uppercase character * Password must contain at least 1 lowercase character * Password must contain at least 1 symbol * Password must contain at least 1 number ![The Panther Console's login screen](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-ca0b1d99c526bd36e669aca37bcec65d9a4742c1%252Fimage.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=d0db5227&sv=2) ### [hashtag](https://docs.panther.com/quick-start#inviting-users) Inviting users After you have successfully logged in, you can invite more users to the platform by navigating to **Settings** > **Users**. ![The Settings gear icon is in the upper right corner. The dropdown menu is open and "Users" is highlighted.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-afb844a529a5cc95e2bd9047dc4d37f5e11b3457%252Fsettings-users.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=6ee77a35&sv=2) We strongly recommend having at least two users with [Admin role](https://docs.panther.com/system-configuration/rbac) set up. This will help your organization regain access to the Panther Console if needed. You can also [set up a Single Sign-On (SSO) provider](https://docs.panther.com/system-configuration/saml) , and optionally [enforce its use](https://docs.panther.com/system-configuration/saml#how-to-enforce-sso) . It is also recommended to routinely audit the users who have access to your Panther Console. [hashtag](https://docs.panther.com/quick-start#next-step-start-using-panther) Next step: Start using Panther ----------------------------------------------------------------------------------------------------------------- Once you've logged in to the Panther Console, it's time to onboard data sources, set up detections, and configure alert destinations. Learn how to complete these tasks in the [Onboarding Guide](https://docs.panther.com/quick-start/onboarding-guide) . [PreviousOverviewchevron-left](https://docs.panther.com/) [NextOnboarding Guidechevron-right](https://docs.panther.com/quick-start/onboarding-guide) Last updated 1 year ago Was this helpful? * [Overview](https://docs.panther.com/quick-start#overview) * [Getting started with key Panther features](https://docs.panther.com/quick-start#getting-started-with-key-panther-features) * [Using Panther](https://docs.panther.com/quick-start#using-panther) * [Glossary](https://docs.panther.com/quick-start#glossary) * [Getting started in Panther](https://docs.panther.com/quick-start#getting-started-in-panther) * [Initial Panther login](https://docs.panther.com/quick-start#initial-panther-login) * [Inviting users](https://docs.panther.com/quick-start#inviting-users) * [Next step: Start using Panther](https://docs.panther.com/quick-start#next-step-start-using-panther) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Data Sources & Transports | Panther Docs [hashtag](https://docs.panther.com/data-onboarding#overview) Overview -------------------------------------------------------------------------- Panther offers built-in integrations for common data sources and data mapping for custom log sources. This page describes available [data source options](https://docs.panther.com/data-onboarding#data-sources-and-transports) , how to [monitor log source ingestion and health](https://docs.panther.com/data-onboarding#monitoring-log-sources) , how to [request support for a new log source](https://docs.panther.com/data-onboarding#request-support-for-a-log-source) , and how to [configure an Event Threshold alarm](https://docs.panther.com/data-onboarding#configuring-event-threshold-alarms) . For information on ingesting Panther Console audit logs, see the [Panther Audit Logs](https://docs.panther.com/data-onboarding/supported-logs/panther-audit-logs) page. #### [hashtag](https://docs.panther.com/data-onboarding#video-overview) Video overview [hashtag](https://docs.panther.com/data-onboarding#data-sources-and-transports) Data Sources & Transports -------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/data-onboarding#data-transports) Data Transports You can create an HTTP (webhook) source, or leverage cloud services like S3 buckets, CloudWatch, SQS, SNS, Azure Blob Storage, or Google Cloud Storage (GCS) to push data to Panther. For more information, see [Data Transportsarrow-up-right](https://docs.panther.com/data-onboarding/data-transports) . ### [hashtag](https://docs.panther.com/data-onboarding#supported-logs) Supported logs Panther supports pulling logs from vendors via direct integrations that query the API and via AWS EventBridge. In addition, Panther supports pushing logs to common Data Transport sources to ingest logs that have supported schemas but not a direct API integration. For a full list of supported vendors, see the [Supported Logsarrow-up-right](https://docs.panther.com/data-onboarding/supported-logs) page. #### [hashtag](https://docs.panther.com/data-onboarding#cloud-accounts) Cloud accounts In addition to onboarding AWS as a log source to configure Detections and receive alerts, we recommend configuring Cloud Security Scanning for your AWS account. Cloud Security Scanning works by scanning AWS accounts, modeling the Resources within them, and using Policies to detect misconfigurations. For more information, see [Cloud Security Scanningarrow-up-right](https://docs.panther.com/cloud-scanning) . ### [hashtag](https://docs.panther.com/data-onboarding#custom-logs) Custom logs Panther allows you to generate a custom schema if you have a log type that is not yet supported. Panther gives you the ability to build custom schemas, which inform Panther how to parse events correctly. For more information, see [Custom Logs.arrow-up-right](https://docs.panther.com/data-onboarding/custom-log-types) ### [hashtag](https://docs.panther.com/data-onboarding#monitoring-log-sources) Monitoring log sources When your log source is onboarded in Panther, you can monitor its individual data processing metrics and health within the log source's operations page, attach new schemas, and view raw data associated with the log source. You can also monitor overall log source ingestion metrics on the Log Source Overview page. For more information, see [Monitoring Log Sourcesarrow-up-right](https://docs.panther.com/data-onboarding/monitoring-log-sources) . ### [hashtag](https://docs.panther.com/data-onboarding#ingestion-filtering) Ingestion filtering Ingestion filters let you define conditions under which incoming data should be dropped—i.e., not ingested into Panther. This dropped data will not contribute to your ingestion quota. These filters can be useful, then, to partially ingest high-volume logs that may have previously been cost-prohibitive when connected with Panther. For more information, see [Ingestion Filters](https://docs.panther.com/data-onboarding/ingestion-filters) . [hashtag](https://docs.panther.com/data-onboarding#configuring-event-threshold-alarms) Configuring event threshold alarms ------------------------------------------------------------------------------------------------------------------------------ On the final step of configuring your log source with Panther, you have the option to create an alarm in case the source does not process any events within a configurable period of time. For example, if you configure the threshold to 15 minutes, then you will receive an alert if no events are processed in 15 minutes. For instructions, see [Configuring log drop-off alarms for log sources](https://docs.panther.com/system-configuration/notifications/system-errors#configuring-log-drop-offs-alarms-for-log-sources) . [hashtag](https://docs.panther.com/data-onboarding#request-support-for-a-log-source) Request support for a log source -------------------------------------------------------------------------------------------------------------------------- If you do not see the log source you want within the list at **Integrations > Log Sources**, you can request support of a new log source: 1. Log in to your Panther Console. 2. Navigate to **Configure > Log Sources**. 3. Click **Create New.** 4. Scroll to the bottom of the page and click the **Request it here** hyperlink. ![](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-abb3b93eeff3dc24a4880b3c45b5cc3641f10800%252FScreenshot%25202023-02-27%2520at%25208.49.25%2520AM.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=f03ebf33&sv=2) 5. Enter the Log Source name you want to request and the use case it will address. 6. Click **Create Request**. [hashtag](https://docs.panther.com/data-onboarding#deleting-a-log-source) Deleting a log source ---------------------------------------------------------------------------------------------------- If you no longer want to collect logs from a particular log source, you can delete it in the Panther Console or using the Panther API. After you delete a log source, all events that have already been collected by that source will remain accessible in your Data Lake (meaning they can be queried with [Data Explorer](https://docs.panther.com/search/data-explorer) and [Search](https://docs.panther.com/search/search-tool) ). To delete a log source: Panther Console Panther API 1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**. 2. In the table of log sources, locate the one you would like to delete. On the right side of its row, click the three dots icon. 3. Click **Delete**. ![An arrow is drawn from a three dots icon to a "Delete" value in a pop-up menu.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-5eda1a07b163809d46902f0d529bdd95fec3fdee%252FScreenshot%25202024-08-12%2520at%25204.26.02%2520PM.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=67d00844&sv=2) 4. In the pop-up confirmation modal, click **Yes, Delete**. * Use the `DeleteSource` mutation in the [Panther GraphQL API](https://docs.panther.com/panther-developer-workflows/api/graphql/log-source#deleting-a-log-source) . [hashtag](https://docs.panther.com/data-onboarding#data-ingestion-size-limit) Data ingestion size limit ------------------------------------------------------------------------------------------------------------ Panther can ingest events up to 15 MB. If a log event larger than 15 MB is sent to Panther, it will be skipped and not ingested. If it is being ingested from S3, CloudWatch, GCS, or Azure Blob Storage, the entire file will be dropped and a [System Error will be generated](https://docs.panther.com/system-configuration/notifications/system-errors#s3-getobject-error-notifications) . [hashtag](https://docs.panther.com/data-onboarding#ip-addresses-panther-uses-to-pull-data) IP addresses Panther uses to pull data -------------------------------------------------------------------------------------------------------------------------------------- The IP address Panther uses to fetch your data depends on the nature of the log source: Type of log source IP address Panther uses to pull data [Supported Logs](https://docs.panther.com/data-onboarding/supported-logs) source that is an "API puller"—i.e., whose API Panther polls Your Panther Console [gateway public IParrow-up-right](https://docs.panther.com/system-configuration#general-settings) . * [Supported Logsarrow-up-right](https://app.gitbook.com/o/-LgddDaIOc7MA4mxoaPa/s/-LgdiSWdyJcXPahGi9Rs-2910905616/~/changes/3418/data-onboarding/supported-logs) source that either: * Is an [AWS Log Sourcearrow-up-right](https://docs.panther.com/data-onboarding/supported-logs/aws) ​ * Uses an AWS storage location (e.g., S3 or SQS) * ​[Custom Logsarrow-up-right](https://app.gitbook.com/o/-LgddDaIOc7MA4mxoaPa/s/-LgdiSWdyJcXPahGi9Rs-2910905616/~/changes/3418/data-onboarding/custom-log-types) source that uses an [AWS Data Transportarrow-up-right](https://app.gitbook.com/o/-LgddDaIOc7MA4mxoaPa/s/-LgdiSWdyJcXPahGi9Rs-2910905616/~/changes/3418/data-onboarding/data-transports/aws) An IP address within the [AWS IP address spacearrow-up-right](https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html) . [Supported Logs](https://docs.panther.com/data-onboarding/supported-logs) source that uses a GCS storage location OR a [Custom Logs](https://docs.panther.com/data-onboarding/custom-log-types) source that uses a [GCS Data Transport](https://docs.panther.com/data-onboarding/data-transports/google) An IP address within the [AWS IP address spacearrow-up-right](https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html) . (To request that Panther limit the IP to your Panther Console [gateway public IParrow-up-right](https://docs.panther.com/system-configuration#general-settings) , contact Support.) [Supported Logs](https://docs.panther.com/data-onboarding/supported-logs) source that uses an Azure storage location OR a [Custom Logs](https://docs.panther.com/data-onboarding/custom-log-types) source that uses an [Azure Data Transport](https://docs.panther.com/data-onboarding/data-transports/azure) An IP address within the [AWS IP address spacearrow-up-right](https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html) . (To request that Panther limit the IP to your Panther Console [gateway public IParrow-up-right](https://docs.panther.com/system-configuration#general-settings) , contact Support.) [hashtag](https://docs.panther.com/data-onboarding#troubleshooting-data-sources-and-transports) Troubleshooting Data Sources and Transports ------------------------------------------------------------------------------------------------------------------------------------------------ Visit the Panther Knowledge Base to [view articles about data sources and transportsarrow-up-right](https://help.panther.com/Data_Sources) that answer frequently asked questions and help you resolve common errors and issues. [PreviousOnboarding Guidechevron-left](https://docs.panther.com/quick-start/onboarding-guide) [NextSupported Logschevron-right](https://docs.panther.com/data-onboarding/supported-logs) Last updated 2 months ago Was this helpful? * [Overview](https://docs.panther.com/data-onboarding#overview) * [Data Sources & Transports](https://docs.panther.com/data-onboarding#data-sources-and-transports) * [Data Transports](https://docs.panther.com/data-onboarding#data-transports) * [Supported logs](https://docs.panther.com/data-onboarding#supported-logs) * [Custom logs](https://docs.panther.com/data-onboarding#custom-logs) * [Monitoring log sources](https://docs.panther.com/data-onboarding#monitoring-log-sources) * [Ingestion filtering](https://docs.panther.com/data-onboarding#ingestion-filtering) * [Configuring event threshold alarms](https://docs.panther.com/data-onboarding#configuring-event-threshold-alarms) * [Request support for a log source](https://docs.panther.com/data-onboarding#request-support-for-a-log-source) * [Deleting a log source](https://docs.panther.com/data-onboarding#deleting-a-log-source) * [Data ingestion size limit](https://docs.panther.com/data-onboarding#data-ingestion-size-limit) * [IP addresses Panther uses to pull data](https://docs.panther.com/data-onboarding#ip-addresses-panther-uses-to-pull-data) * [Troubleshooting Data Sources and Transports](https://docs.panther.com/data-onboarding#troubleshooting-data-sources-and-transports) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Terraform | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/terraform#overview) Overview ------------------------------------------------------------------------------------------------ You can manage parts of your Panther log source infrastructure using [Terraformarrow-up-right](https://www.terraform.io/) . Terraform allows you to define and provision your infrastructure through code, making it easy to manage and track changes across your project's lifecycle. [Panther is a providerarrow-up-right](https://registry.terraform.io/providers/panther-labs/panther/latest) in the Terraform registry. Learn how to use Terraform to provision Panther resources on the following pages: * [Managing AWS S3 Log Sources with Terraform](https://docs.panther.com/panther-developer-workflows/terraform/s3) * [Managing HTTP Log Sources with Terraform](https://docs.panther.com/panther-developer-workflows/terraform/http) [hashtag](https://docs.panther.com/panther-developer-workflows/terraform#resources) Resources -------------------------------------------------------------------------------------------------- * Learn more about Terraform [on their websitearrow-up-right](https://www.terraform.io/) . * See [Panther's page in the Terraform provider registryarrow-up-right](https://registry.terraform.io/providers/panther-labs/panther/latest) . [PreviousAPI Playgroundchevron-left](https://docs.panther.com/panther-developer-workflows/api/api-playground) [NextManaging AWS S3 Log Sources with Terraformchevron-right](https://docs.panther.com/panther-developer-workflows/terraform/s3) Last updated 1 year ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/terraform#overview) * [Resources](https://docs.panther.com/panther-developer-workflows/terraform#resources) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Using panther-analysis | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo#overview) Overview ------------------------------------------------------------------------------------------------------ [panther-analysisarrow-up-right](https://github.com/panther-labs/panther-analysis) is a public, open-source repository of Panther-managed security content, including detections, Saved Searches, global helpers, Lookup Tables, and more. To interact with your Panther detections repository on the command line, use the [Panther Analysis Tool (PAT)](https://docs.panther.com/panther-developer-workflows/detections-repo/pat) . Add your own custom detection content, and receive updates as Panther's Threat Intelligence team releases new versions. For general information and best practices for Panther detections, and for information on managing your detections in the Panther Console, see the [Detections documentation](https://docs.panther.com/detections) . After you have your own copy of panther-analysis, you can configure [CI/CD workflows](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd) and [set up GitHub sync](https://docs.panther.com/system-configuration#github-sync) . [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo#recommended-workflow) Recommended Workflow ------------------------------------------------------------------------------------------------------------------------------ Starting in Panther Analysis Tool (PAT) v1.4.0 Panther content can be used to intelligently track versions, provide automated merging, and keep your content up to date. * Tracks which version of a Panther detection your customizations are based on (`BaseVersion` field) * Automatically pulls the latest Panther content * Intelligently merges updates and allows handling of conflicts when you're ready * Provides an interactive merge process for conflicts * Requires only the content you are interested in [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo#virtual-environment-and-package-manager) Virtual environment and package manager -------------------------------------------------------------------------------------------------------------------------------------------------------------------- It's recommended to use a virtual environment and package manager when interacting with panther-analysis or using PAT, as managing Python dependencies can get messy. [uvarrow-up-right](https://docs.astral.sh/uv/) is recommended for its speed and reliability, but [poetryarrow-up-right](https://python-poetry.org/) , [pipenvarrow-up-right](https://pipenv.pypa.io/en/latest/) , and [venvarrow-up-right](https://docs.python.org/3/library/venv.html) work too. [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo#staying-up-to-date-with-panther-analysis-releases) Staying up to date with panther-analysis releases ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- When new content is released, running `pat explore` or `pat clone` will allow you to use brand new content. `pat pull` will allow you to update your content. You can also choose to run `pat clone --filter LogTypes=Okta.SystemLog --filter Severity=High` within a GitHub Action or other scheduler to continually pull in new content matching the criteria supplied. [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo#experimental-detections) Experimental detections ------------------------------------------------------------------------------------------------------------------------------------ Panther typically releases new detections in an "experimental" stage, which means they are still undergoing refinement and may not be suitable for production environments. Detections in the experimental phase: * Will have `Status: Experimental` * Will not generate alerts * Are not visible in the Panther Console (but can be viewed in the [`panther-analysis`arrow-up-right](https://github.com/panther-labs/panther-analysis) repository) * Collect aggregate performance metrics (not your log data) to validate expected alert volume You can choose to use experimental detections, however they may result in higher-than-average alert volume because they are still being tuned. To use an experimental detection before it is officially released, remove the `Status` field's `Experimental` value and upload the rule. The duration of the experimental stage varies by detection, but typically lasts several weeks. When a detection exits the experimental phase, its `Status` value is changed from `Experimental` to `Stable`. After being promoted to stable, detections may still be updated, though with reduced frequency. [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo#removing-deprecated-panther-managed-detections) Removing deprecated Panther-managed detections ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Panther occasionally deprecates and deletes [Panther-managed](https://docs.panther.com/detections/panther-managed) detection content that has become obsolete. This means a new version of panther-analysis no longer contains the detections (or Saved/Scheduled Searches). When this happens, if you'd like to stop using the removed content, you must manually delete it from your Panther instance—simply removing the content from your repository is not enough, since the [Panther Analysis Tool (PAT)](https://docs.panther.com/panther-developer-workflows/detections-repo/pat) does not delete content during upload to Panther. To help you identify and remove deprecated content, Panther provides a [Makefile commandarrow-up-right](https://github.com/panther-labs/panther-analysis/blob/main/Makefile) , `make remove-deprecated`, which removes deprecated detection content from your Panther instance. This command works by comparing the content of your repository with [`deprecated.txt`arrow-up-right](https://github.com/panther-labs/panther-analysis/blob/main/deprecated.txt) , a file in panther-analysis containing the IDs of all removed items. It's recommended to run `make remove-deprecated` at least once per month to clear out any deprecated detections from your instance. Note that `make remove-deprecated` requires your API host and token be set as environment variables. See the instructions on [configuring PAT with environment variables](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/install-configure-and-authenticate-with-pat#environment-variables) for more details. [PreviousPanther Developer Workflows Overviewchevron-left](https://docs.panther.com/panther-developer-workflows/overview) [NextPanther Analysis Toolchevron-right](https://docs.panther.com/panther-developer-workflows/detections-repo/pat) Last updated 7 days ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/detections-repo#overview) * [Recommended Workflow](https://docs.panther.com/panther-developer-workflows/detections-repo#recommended-workflow) * [Virtual environment and package manager](https://docs.panther.com/panther-developer-workflows/detections-repo#virtual-environment-and-package-manager) * [Staying up to date with panther-analysis releases](https://docs.panther.com/panther-developer-workflows/detections-repo#staying-up-to-date-with-panther-analysis-releases) * [Experimental detections](https://docs.panther.com/panther-developer-workflows/detections-repo#experimental-detections) * [Removing deprecated Panther-managed detections](https://docs.panther.com/panther-developer-workflows/detections-repo#removing-deprecated-panther-managed-detections) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # MCP Server | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/mcp-server#overview) Overview ------------------------------------------------------------------------------------------------- The Panther [Model Context Protocol (MCP)arrow-up-right](https://modelcontextprotocol.io/introduction) server enables natural language interactions with Panther in your MCP [clientarrow-up-right](https://modelcontextprotocol.io/clients) of choice. Whether you're an analyst investigating alerts, a detection engineer writing rules in [Cursorarrow-up-right](https://www.cursor.com/en) , or a CISO seeking metrics and quick insights, the MCP server lets you work with the [Panther API](https://docs.panther.com/panther-developer-workflows/api) using conversational AI. The Panther MCP server democratizes Panther access to users across your organization—imagine not having to know how to program in Python to write a rule, or not needing a query language like SQL or PantherFlow to search data. For example, you can use the Panther MCP server for: * **Detection engineering**: Generate rules based on real logs in your data lake, using clients like Cursor. * In Cursor, "Create a rule to monitor when AWS admins are created in account 333333444444" * **Alert triage**: Review and correlate many alerts generated within a given time period. * In Claude for Desktop, "Show me all medium+ alerts from the last 24 hours grouped by IP" * **Threat investigation**: Query your security logs and investigate anomalies. * In Claude for Desktop, "Query AWS CloudTrail logs for failed login attempts in the last day." * **Panther operations**: Expedite the resolution of operational issues end-to-end, such as [rule errors](https://docs.panther.com/detections/rules#rule-errors-and-scheduled-rule-errors) or [system errors](https://docs.panther.com/system-configuration/notifications/system-errors) . * In Claude for Desktop, "Generate a report of our top 10 rules by alert volume this month" The Panther MCP server includes tools for working with a number of entities, like alerts, data, rules, data models, schemas, metrics, and Panther users. Learn more about these tools in the [Available Tools section in the `mcp-panther` repository's READMEarrow-up-right](https://github.com/panther-labs/mcp-panther?tab=readme-ov-file#available-tools) . The Panther MCP server is open-source—see the [contribution guidelines herearrow-up-right](https://github.com/panther-labs/mcp-panther/blob/main/CONTRIBUTING.md) . If you find a bug in the MCP server or need extra support while using it, please [create an issue in the repositoryarrow-up-right](https://docs.github.com/en/issues/tracking-your-work-with-issues/using-issues/creating-an-issue) . circle-info Use of Panther MCP features is subject to the [AI disclaimer found on the Legal page](https://docs.panther.com/resources/help/legal#ai-disclaimer) . [hashtag](https://docs.panther.com/panther-developer-workflows/mcp-server#using-the-mcp-workflow) Using the MCP workflow ----------------------------------------------------------------------------------------------------------------------------- 1. Install the MCP server in your client of choice (e.g., Claude for Desktop). * You can install the Panther MCP server locally using `docker` or `uvx`. For full instructions, see the [MCP Server Installation section of the READMEarrow-up-right](https://github.com/panther-labs/mcp-panther?tab=readme-ov-file#mcp-server-installation) . 2. Ask a Panther-relevant question or provide a prompt (e.g., "Write a detection for suspicious S3 bucket access"). 3. Your client uses `mcp-panther`'s [toolsarrow-up-right](https://github.com/panther-labs/mcp-panther?tab=readme-ov-file#available-tools) to interact with [Panther's APIs](https://docs.panther.com/panther-developer-workflows/api) and gather necessary data. 4. Your client uses the response from `mcp-panther` to answer your question or execute the action you requested. [hashtag](https://docs.panther.com/panther-developer-workflows/mcp-server#securing-your-mcp-server) Securing your MCP server --------------------------------------------------------------------------------------------------------------------------------- To safely use the Panther MCP server, it's strongly recommended to follow the guidelines in the [Security Best Practices section in the mcp-panther repository's READMEarrow-up-right](https://github.com/panther-labs/mcp-panther?tab=readme-ov-file#security-best-practices) . [hashtag](https://docs.panther.com/panther-developer-workflows/mcp-server#the-panther-mcp-server-vs.-panther-ai) The Panther MCP server vs. Panther AI ----------------------------------------------------------------------------------------------------------------------------------------------------------- The Panther MCP server and [Panther AI](https://docs.panther.com/ai) both allow you to interact with your Panther instance with AI using free-form prompts, but there are a few key differences: Panther MCP server Panther AI **Primary use case** Detection engineering, cross-tool workflows, ad-hoc investigations, custom internal agent creation Guided alert triage and incident response **Access method** [MCP clientsarrow-up-right](https://modelcontextprotocol.io/clients) like Cursor, Claude for Desktop, and Goose Panther Console (and API, for [Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected) customers) **Integration capability** Works alongside other [MCP serversarrow-up-right](https://github.com/modelcontextprotocol/servers) (e.g., GitHub, Slack, Notion, etc.) Panther-specific workflows only **Best for** Complex, exploratory tasks requiring flexibility across Panther Repeatable, consistent security operations workflows **AI model** Uses your MCP client's chosen model (e.g., GPT-4, Claude, LLama4, etc.) Powered by [Claude AI models by Anthropicarrow-up-right](https://www.anthropic.com/claude) through [Amazon Bedrockarrow-up-right](https://aws.amazon.com/bedrock/) [PreviousConverting Sigma Ruleschevron-left](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules) [NextHelpchevron-right](https://docs.panther.com/resources/help) Last updated 6 months ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/mcp-server#overview) * [Using the MCP workflow](https://docs.panther.com/panther-developer-workflows/mcp-server#using-the-mcp-workflow) * [Securing your MCP server](https://docs.panther.com/panther-developer-workflows/mcp-server#securing-your-mcp-server) * [The Panther MCP server vs. Panther AI](https://docs.panther.com/panther-developer-workflows/mcp-server#the-panther-mcp-server-vs.-panther-ai) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Panther Developer Workflows Overview | Panther Docs Panther Developer Workflows are non-Panther Console workflows you can use to interact with your Panther account, including [continuous integration and continuous deployment (CI/CD)](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd) , [API](https://docs.panther.com/panther-developer-workflows/api) , the [Panther Analysis Tool (PAT)](https://docs.panther.com/panther-developer-workflows/detections-repo/pat) , the [pantherlog tool](https://docs.panther.com/panther-developer-workflows/pantherlog) , and other operational tools. This page describes the developer workflows and tools you can use with Panther. Panther Developer Workflows are intended for a technical audience who feels comfortable using non-Console workflows. circle-info Looking for information on using web application-based workflows? * To learn more about getting started in the Panther Console, check out the [Quick Start Guide](https://docs.panther.com/quick-start) . * For information on managing detections in the Panther Console, see the [Detections documentation](https://docs.panther.com/detections) . [hashtag](https://docs.panther.com/panther-developer-workflows/overview#using-panther-managed-detections) Using Panther-managed detections ----------------------------------------------------------------------------------------------------------------------------------------------- CI/CD users can make use of Panther-managed detections written in Python in the [panther-analysis repository in GitHubarrow-up-right](https://github.com/panther-labs/panther-analysis) . This can be done by maintaining a public fork of the repo or maintaining a cloned private repository. The detections in panther-analysis are broadly applicable, but can be customized to ensure that you are receiving only the alerts that are most important to your organization. You will need to pull updates from panther-analysis to take advantage of new detections. For instructions, see [Using panther-analysis](https://docs.panther.com/panther-developer-workflows/detections-repo) . [hashtag](https://docs.panther.com/panther-developer-workflows/overview#ci-cd-workflows) CI/CD workflows ------------------------------------------------------------------------------------------------------------- Automate your detection pipeline and improve security with a CI/CD workflow: Leverage the Panther-managed Python detections from the panther-analysis repository in GitHub, adapt the detections to fit into your CI/CD pipeline, and upload the detections to your Panther Console. Panther offers CI/CD documentation specific to using the following platforms: * [CircleCI](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci) * [GitHub Actions](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/github-actions) Note that you can adapt these instructions to fit other workflows. ### [hashtag](https://docs.panther.com/panther-developer-workflows/overview#using-the-panther-analysis-tool) Using the Panther Analysis Tool [PATarrow-up-right](https://github.com/panther-labs/panther_analysis_tool) is an open-source utility for testing, packaging, and deploying Panther detections from source code. It's designed for developer-centric workflows such as managing your Panther detections programmatically or within CI/CD pipelines. Learn more on [Panther Analysis Tool](https://docs.panther.com/panther-developer-workflows/detections-repo/pat) . ### [hashtag](https://docs.panther.com/panther-developer-workflows/overview#how-your-cli-workflows-interact-with-the-panther-console) How your CLI workflows interact with the Panther Console Your uploaded detections will appear alongside detections that were created manually in the Panther Console. [hashtag](https://docs.panther.com/panther-developer-workflows/overview#panther-api) Panther API ----------------------------------------------------------------------------------------------------- Panther offers a public GraphQL-over-HTTP API, meaning you can write GraphQL queries and invoke the API using a typical HTTP request. For more information on GraphQL, please see [GraphQL's documentationarrow-up-right](https://graphql.org/learn/) . The Panther API can integrate with any existing tools that you have. Whether via scripts or CI/CD workflows, the API gives you the ability to automate workflows and complete tasks quickly by codifying processes that would normally require a manual login to the Panther Console. The Panther API supports operations for token rotation, alerting, cloud account management, log source management, user and role management, data lake queries, and user metrics. ### [hashtag](https://docs.panther.com/panther-developer-workflows/overview#how-your-api-workflows-interact-with-the-panther-console) How your API workflows interact with the Panther Console Panther itself uses an extended version of the API internally, so any changes you make using the Panther API will be immediately reflected in the Panther Console. ### [hashtag](https://docs.panther.com/panther-developer-workflows/overview#common-api-use-cases) Common API use cases Common use cases include: * Managing your users through IaaC and automating Role creation * Getting the latest Panther metrics to use in your own dashboards * Resolving an alert in Panther as part of an external workflow * Running a custom Data Explorer query whenever a certain event occurs For full documentation, as well as end-to-end examples in Python and NodeJS, please see [Panther API](https://docs.panther.com/panther-developer-workflows/api) . [hashtag](https://docs.panther.com/panther-developer-workflows/overview#terraform) Terraform ------------------------------------------------------------------------------------------------- You can manage parts of your Panther log source infrastructure using [Terraformarrow-up-right](https://www.terraform.io/) . Terraform allows you to define and provision your infrastructure through code, making it easy to manage and track changes across your project's lifecycle. [Panther is a providerarrow-up-right](https://registry.terraform.io/providers/panther-labs/panther/latest) in the Terraform registry. See a full example of using Terraform to manage an S3 log source on [Managing AWS S3 Log Sources with Terraform](https://docs.panther.com/panther-developer-workflows/terraform/s3) . [hashtag](https://docs.panther.com/panther-developer-workflows/overview#panther-tools) Panther tools --------------------------------------------------------------------------------------------------------- Panther provides two developer tools that you can use within your workflows: * **Panther Analysis Tool (PAT)**: An open-source utility for testing, packaging, and deploying Panther detections from source code. * For instructions on using PAT, see the [Panther Analysis Tool documentation](https://docs.panther.com/panther-developer-workflows/detections-repo/pat) . * **Pantherlog**: A CLI tool that you can use to infer and parse logs, validate schema files, and run unit tests. * For instructions on using pantherlog, see the [pantherlog Tool documentation](https://docs.panther.com/panther-developer-workflows/pantherlog) . [hashtag](https://docs.panther.com/panther-developer-workflows/overview#panther-mcp-server) Panther MCP server ------------------------------------------------------------------------------------------------------------------- The Panther [Model Context Protocol (MCP)arrow-up-right](https://modelcontextprotocol.io/introduction) server enables natural language interactions with Panther in your MCP [clientarrow-up-right](https://modelcontextprotocol.io/clients) of choice. Learn more on [MCP Server](https://docs.panther.com/panther-developer-workflows/mcp-server) . [PreviousRuntime Environmentchevron-left](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/self-hosted-deployments/run-time) [NextUsing panther-analysischevron-right](https://docs.panther.com/panther-developer-workflows/detections-repo) Last updated 1 month ago Was this helpful? * [Using Panther-managed detections](https://docs.panther.com/panther-developer-workflows/overview#using-panther-managed-detections) * [CI/CD workflows](https://docs.panther.com/panther-developer-workflows/overview#ci-cd-workflows) * [Using the Panther Analysis Tool](https://docs.panther.com/panther-developer-workflows/overview#using-the-panther-analysis-tool) * [How your CLI workflows interact with the Panther Console](https://docs.panther.com/panther-developer-workflows/overview#how-your-cli-workflows-interact-with-the-panther-console) * [Panther API](https://docs.panther.com/panther-developer-workflows/overview#panther-api) * [How your API workflows interact with the Panther Console](https://docs.panther.com/panther-developer-workflows/overview#how-your-api-workflows-interact-with-the-panther-console) * [Common API use cases](https://docs.panther.com/panther-developer-workflows/overview#common-api-use-cases) * [Terraform](https://docs.panther.com/panther-developer-workflows/overview#terraform) * [Panther tools](https://docs.panther.com/panther-developer-workflows/overview#panther-tools) * [Panther MCP server](https://docs.panther.com/panther-developer-workflows/overview#panther-mcp-server) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # pantherlog Tool | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#overview) Overview ------------------------------------------------------------------------------------------------- You can use `pantherlog`, a CLI tool, to work with Custom Logs. It parses logs using Panther-managed or [custom schemas](https://docs.panther.com/data-onboarding/custom-log-types) , and uses sample logs to infer custom schemas. For information on working with custom logs in the Panther Console instead, see the [Custom Logs](https://docs.panther.com/data-onboarding/custom-log-types) documentation. ### [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#pantherlog-limitations) pantherlog limitations * See the [infer limitations](https://docs.panther.com/panther-developer-workflows/pantherlog#infer-limitations) and [test limitations](https://docs.panther.com/panther-developer-workflows/pantherlog#test-limitations) sections, below. [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#download) Download ------------------------------------------------------------------------------------------------- Download the latest version at the following links: **Windows** [amd64arrow-up-right](https://panther-community-us-east-1.s3.amazonaws.com/latest/tools/windows-amd64-pantherlog.exe.zip) [arm64arrow-up-right](https://panther-community-us-east-1.s3.amazonaws.com/latest/tools/windows-arm64-pantherlog.exe.zip) **Darwin/MacOS** [amd64arrow-up-right](https://panther-community-us-east-1.s3.amazonaws.com/latest/tools/darwin-amd64-pantherlog.zip) (Intel) [arm64arrow-up-right](https://panther-community-us-east-1.s3.amazonaws.com/latest/tools/darwin-arm64-pantherlog.zip) (Apple Silicon) **Linux** [amd64arrow-up-right](https://panther-community-us-east-1.s3.amazonaws.com/latest/tools/linux-amd64-pantherlog.zip) [arm64arrow-up-right](https://panther-community-us-east-1.s3.amazonaws.com/latest/tools/linux-arm64-pantherlog.zip) [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#list-schemas-list-panther-managed-schemas) `list-schemas`: List Panther-managed schemas ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- You can use pantherlog's `list-schemas` command to list Panther's managed schemas. Copy ./pantherlog list-schemas [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#export-schemas-export-panther-managed-schemas) `export-schemas`: Export Panther-managed schemas ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ You can use pantherlog's `export-schemas` command to export Panther-managed schemas into a local directory, or print them in the terminal. ### [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#export-schemas-to-local-directory) Export schemas to local directory * If `directory-name` does not exist, it will be created. * Note that `-p` may be used in place of `--path`. ### [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#print-schemas) Print schemas To print schemas to `stdout` instead of exporting to a local directory, use a dash. ### [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#export-select-schemas) Export select schemas You can filter the schemas to be exported by using the `-s` option with the names of the schemas you'd like to export, separated by commas. [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#infer-generate-a-schema-from-json-log-samples) `infer`: Generate a schema from JSON log samples ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ You can use pantherlog to generate a schema file out of sample files in [new-line delimited JSONarrow-up-right](https://jsonlines.org/) format. The tool will scan the provided logs and print the inferred schema to `stdout`. For example, to infer the schema of logs `sample_logs.jsonl` and output to `schema.yml`, use: Note that YAML keys and values are case sensitive. The tool will attempt to infer multiple timestamp formats. Learn more about schema inference on [Custom Logs](https://docs.panther.com/data-onboarding/custom-log-types#automatically-infer-the-schema-in-panther) . The workflow of inferring a schema from sample logs ### [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#infer-limitations) `infer` limitations The `infer` command will not mark any timestamp field as `isEventTime:true`. Make sure to select the appropriate `timestamp` field and mark it as `isEventTime:true`. For more information regarding `isEventTime:true`, see the [Timestamps section on Log Schema Reference](https://docs.panther.com/data-onboarding/custom-log-types/reference#timestamps) . The `infer` command is able to infer only the following types of [indicators](https://docs.panther.com/search/panther-fields#indicator-fields) : `ip`, `aws_arn`, `url`, `email`, `hash` digests (`MD5`, `SHA1` and `SHA2`), and `mac`. Make sure to review the fields and add more indicators as appropriate. It's strongly recommended to review the schema generated by the `infer` command, and edit it appropriately before deploying to your production environment. [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#parse-validate-a-schema) `parse`: Validate a schema ---------------------------------------------------------------------------------------------------------------------------------- You can use the tool to validate a schema file and use it to parse log files. Note that the events in the log files need to be separated by new line. Processed logs are written to `stdout` and errors to `stderr`. For example, to parse logs in `sample_logs.jsonl` with the log schema in `schema.yml`, use: The tool can also accept input via `stdin` so it can be used in a pipeline: [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#test-run-tests-for-a-schema) `test`: Run tests for a schema ------------------------------------------------------------------------------------------------------------------------------------------ You can use pantherlog to run unit tests for your custom schema. To run tests defined in a `schema_tests.yml` file for a custom schema defined in `schema.yml`, you would run: The first argument is a file or directory containing schema YAML files. The rest of the arguments are test files to run. If you don't specify any test files arguments, and the first argument is a directory, the tool will look for tests in YAML files with a `_tests.yml` or `_tests.yaml` suffix. ### [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#creating-a-schema-test-file) Creating a schema test file In your test file, include an `input` key containing the event to parse, and a `result` key containing the expected result. The pantherlog `test` command checks that the schema can parse the event without error, and that the normalized event matches your expected result. circle-info The `result` event should include any [Panther Standard Fields](https://docs.panther.com/search/panther-fields) that are expected to be injected into the event during parsing, such as `p_log_type`. Take note of [these instructions on working with `timeFormats` in schema tests](https://docs.panther.com/data-onboarding/custom-log-types/reference#working-with-timeformats-in-schema-tests) . circle-info For an example of writing multiple tests for one schema, see this article in Panther's Knowledge Base: [How can I write multiple pantherlog tests for a schema?arrow-up-right](https://help.panther.com/Data_Sources/Custom_Logs/How_can_I_write_multiple_pantherlog_tests_for_a_schema%3F) Example: schema\_tests.yml schema.yml ### [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#test-limitations) `test` limitations * The `test` command only supports JSON events. [hashtag](https://docs.panther.com/panther-developer-workflows/pantherlog#uploading-schemas-via-pat) Uploading schemas via PAT ----------------------------------------------------------------------------------------------------------------------------------- For information on uploading schemas via Panther Analysis Tool (PAT), see [Custom Logs: Uploading log schemas with the Panther Analysis Tool](https://docs.panther.com/data-onboarding/custom-log-types#uploading-log-schemas-with-the-panther-analysis-tool) . [PreviousManaging HTTP Log Sources with Terraformchevron-left](https://docs.panther.com/panther-developer-workflows/terraform/http) [NextConverting Sigma Ruleschevron-right](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules) Last updated 8 months ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/pantherlog#overview) * [pantherlog limitations](https://docs.panther.com/panther-developer-workflows/pantherlog#pantherlog-limitations) * [Download](https://docs.panther.com/panther-developer-workflows/pantherlog#download) * [list-schemas: List Panther-managed schemas](https://docs.panther.com/panther-developer-workflows/pantherlog#list-schemas-list-panther-managed-schemas) * [export-schemas: Export Panther-managed schemas](https://docs.panther.com/panther-developer-workflows/pantherlog#export-schemas-export-panther-managed-schemas) * [Export schemas to local directory](https://docs.panther.com/panther-developer-workflows/pantherlog#export-schemas-to-local-directory) * [Print schemas](https://docs.panther.com/panther-developer-workflows/pantherlog#print-schemas) * [Export select schemas](https://docs.panther.com/panther-developer-workflows/pantherlog#export-select-schemas) * [infer: Generate a schema from JSON log samples](https://docs.panther.com/panther-developer-workflows/pantherlog#infer-generate-a-schema-from-json-log-samples) * [infer limitations](https://docs.panther.com/panther-developer-workflows/pantherlog#infer-limitations) * [parse: Validate a schema](https://docs.panther.com/panther-developer-workflows/pantherlog#parse-validate-a-schema) * [test: Run tests for a schema](https://docs.panther.com/panther-developer-workflows/pantherlog#test-run-tests-for-a-schema) * [Creating a schema test file](https://docs.panther.com/panther-developer-workflows/pantherlog#creating-a-schema-test-file) * [test limitations](https://docs.panther.com/panther-developer-workflows/pantherlog#test-limitations) * [Uploading schemas via PAT](https://docs.panther.com/panther-developer-workflows/pantherlog#uploading-schemas-via-pat) Was this helpful? sun-brightdesktopmoon Copy ./pantherlog export-schemas --path directory-name Copy ./pantherlog export-schemas -p - Copy ./pantherlog export-schemas --path ./managed-schemas -s 'AWS.ALB,Slack.AuditLogs' Copy $ ./pantherlog infer --name SchemaName sample_logs.jsonl > schema.yml Copy $ ./pantherlog parse --path schema.yml --schemas Schema.Name sample_logs.jsonl Copy $ cat sample_logs.jsonl | ./pantherlog parse --path schema.yml Copy $ ./pantherlog test schema.yml schema_tests.yml Copy # Make sure to use camelCase when naming the schema or log type name: Custom Log Test Name logType: Custom.SampleLog.V1 input: | { "method": "GET", "path": "/-/metrics", "format": "html", "controller": "MetricsController", "action": "index", "status": 200, "params": [], "remote_ip": "1.1.1.1", "user_id": null, "username": null, "ua": null, "queue_duration_s": null, "correlation_id": "c01ce2c1-d9e3-4e69-bfa3-b27e50af0268", "cpu_s": 0.05, "db_duration_s": 0, "view_duration_s": 0.00039, "duration_s": 0.0459, "tag": "test", "time": "2019-11-14T13:12:46.156Z" } result: | { "action": "index", "controller": "MetricsController", "correlation_id": "c01ce2c1-d9e3-4e69-bfa3-b27e50af0268", "cpu_s": 0.05, "db_duration_s": 0, "duration_s": 0.0459, "format": "html", "method": "GET", "path": "/-/metrics", "remote_ip": "1.1.1.1", "status": 200, "tag": "test", "time": "2019-11-14T13:12:46.156Z", "view_duration_s": 0.00039, "p_log_type": "Custom.SampleLog.V1", "p_row_id": "acde48001122a480ca9eda991001", "p_event_time": "2019-11-14T13:12:46.156Z", "p_parse_time": "2022-04-04T16:12:41.059224Z", "p_any_ip_addresses": [\ "1.1.1.1"\ ] } Copy version: 0 schema: Custom.SampleLog.V1 fields: - name: action required: true type: string - name: controller required: true type: string - name: correlation_id required: true type: string - name: cpu_s required: true type: float - name: db_duration_s required: true type: bigint - name: duration_s required: true type: float - name: format required: true type: string - name: method required: true type: string - name: path required: true type: string - name: remote_ip required: true type: string indicators: - ip - name: status required: true type: bigint - name: tag required: false type: string - name: time required: true type: timestamp timeFormats: - rfc3339 isEventTime: true - name: view_duration_s required: true type: float sun-brightdesktopmoon --- # Field Discovery | Panther Docs [hashtag](https://docs.panther.com/data-onboarding/field-discovery#overview) Overview ------------------------------------------------------------------------------------------ Field discovery helps ensure that if a log source you've connected in Panther changes the structure of the events it generates upstream, you won't lose the data in changed fields. Log source schemas define how incoming raw events are parsed and stored in Panther by outlining which fields, for a given log type, Panther should expect to find. When an incoming event includes a field not defined in the corresponding schema: * **Without field discovery enabled**, data from this unrecognized field is dropped. * **With field discovery enabled**, the field is identified and its data stored. This means you can subsequently query data from these fields, and write detections referencing them. Field discovery is available for [custom log schemas](https://docs.panther.com/data-onboarding/custom-log-types) and many [Panther-managed schemas](https://docs.panther.com/data-onboarding/supported-logs) . circle-info Field discovery for Panther-managed schemas is in open beta starting with Panther version 1.114, and is available to all customers. Please share any bug reports and feature requests with your Panther support team. [hashtag](https://docs.panther.com/data-onboarding/field-discovery#enabling-field-discovery) Enabling field discovery -------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/data-onboarding/field-discovery#enabling-field-discovery-1) Enabling field discovery for a custom schema To enable field discovery for a custom schema: * Follow these [Editing a custom schema](https://docs.panther.com/data-onboarding/custom-log-types#editing-a-custom-schema) instructions, making sure to toggle **Field Discovery** `ON` in the **Basic Info** section. ![In a Basic Info section, a Field Discovery toggle is set to ON.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-11b53f362289112bca115978cd3a46bfb35e458a%252FScreenshot%25202025-06-24%2520at%25203.51.19%25E2%2580%25AFPM.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=951fab8f&sv=2) ### [hashtag](https://docs.panther.com/data-onboarding/field-discovery#enabling-field-discovery-for-a-panther-managed-schema) Enabling field discovery for a Panther-managed schema No action is required to enable field discovery for Panther-managed schemas—it is enabled by default for all schemas that support it. To determine if field discovery is enabled for a certain Panther-managed schema, see [the instructions below](https://docs.panther.com/data-onboarding/field-discovery#verifying-field-discovery-is-enabled) . ### [hashtag](https://docs.panther.com/data-onboarding/field-discovery#verifying-field-discovery-is-enabled) Verifying field discovery is enabled To verify field discovery is enabled for a (Panther-managed or custom) schema: 1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Schemas**. 2. In the list, locate the schema for which you'd like to verify field discovery is enabled, and note the value in its **Field Discovery** column. ![In a table with four columns and two rows (excluding the header row), a column labeled "Field Discovery" is circled.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-b8e36a283a6fed6904a3dbd8e1080f067ba716c4%252FScreenshot%25202025-07-22%2520at%252011.54.06%25E2%2580%25AFAM.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=a28694da&sv=2) [hashtag](https://docs.panther.com/data-onboarding/field-discovery#how-a-schema-is-changed-when-a-field-is-discovered) How a schema is changed when a field is discovered ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ When a field is discovered: * For a custom schema: The schema is updated to include the discovered field. * For a Panther-managed schema: The schema in your Panther instance is updated to include the discovered field. If the field is discovered with regularity and stability across multiple Panther instances, it may be promoted permanently to the Panther-managed schema. [hashtag](https://docs.panther.com/data-onboarding/field-discovery#handling-of-special-characters-in-field-names) Handling of special characters in field names -------------------------------------------------------------------------------------------------------------------------------------------------------------------- If the name of a discovered field contains a special character—i.e., a character that is not alphanumeric, an underscore (`_`), or a dash (`-`)— it will be transliterated using the algorithm below: * `@` to `at_sign` * `,` to `comma` * `` ` `` to `backtick` * `'` to `apostrophe` * `$` to `dollar_sign` * `*` to `asterisk` * `&` to `ambersand` * `!` to `exclamation` * `%` to `percent` * `+` to `plus` * `/` to `slash` * `\` to `backslash` * `#` to `hash` * `~` to `tilde` * `=` to `eq` Additionally, if a dash (`-`) or number is the first character of a field name, it will be transliterated. A dash becomes `dash`, and numbers are spelled out (e.g., `7` becomes `seven`). All other ASCII characters (including `space`) will be replaced with an underscore (`_`). Non-ASCII characters are transliterated to their closest ASCII equivalent. This transliteration affects only field names; values are not modified. [hashtag](https://docs.panther.com/data-onboarding/field-discovery#limitations-of-field-discovery) Limitations of field discovery -------------------------------------------------------------------------------------------------------------------------------------- Field discovery currently has the following limitations: * The maximum number of top-level fields that can be discovered is 2,000. Within each `object` field, a maximum of 1,000 fields can be discovered. * There is no limitation on the number of overall fields discovered. * If your schema uses the [`csv` parser](https://docs.panther.com/data-onboarding/custom-log-types/csv-parser) and you are parsing CSV logs without a header, only fields included in the `columns` section of your schema will be discovered. * This does not apply if your schema uses the [`csv` parser](https://docs.panther.com/data-onboarding/custom-log-types/csv-parser) and you are parsing CSV logs _with_ a header. * If your schema uses the [`fastmatch` parser](https://docs.panther.com/data-onboarding/custom-log-types/fastmatch-parser) , only fields defined inside the `match` patterns will be discovered. * If your schema uses the [`regex` parser](https://docs.panther.com/data-onboarding/custom-log-types/regex-parser) , only fields defined inside the `match` patterns will be discovered. [PreviousMonitoring Log Sourceschevron-left](https://docs.panther.com/data-onboarding/monitoring-log-sources) [NextIngestion Filterschevron-right](https://docs.panther.com/data-onboarding/ingestion-filters) Last updated 3 months ago Was this helpful? * [Overview](https://docs.panther.com/data-onboarding/field-discovery#overview) * [Enabling field discovery](https://docs.panther.com/data-onboarding/field-discovery#enabling-field-discovery) * [Enabling field discovery for a custom schema](https://docs.panther.com/data-onboarding/field-discovery#enabling-field-discovery-1) * [Enabling field discovery for a Panther-managed schema](https://docs.panther.com/data-onboarding/field-discovery#enabling-field-discovery-for-a-panther-managed-schema) * [Verifying field discovery is enabled](https://docs.panther.com/data-onboarding/field-discovery#verifying-field-discovery-is-enabled) * [How a schema is changed when a field is discovered](https://docs.panther.com/data-onboarding/field-discovery#how-a-schema-is-changed-when-a-field-is-discovered) * [Handling of special characters in field names](https://docs.panther.com/data-onboarding/field-discovery#handling-of-special-characters-in-field-names) * [Limitations of field discovery](https://docs.panther.com/data-onboarding/field-discovery#limitations-of-field-discovery) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Help | Panther Docs [hashtag](https://docs.panther.com/resources/help#overview) Overview ------------------------------------------------------------------------- This page helps provide resources for questions and issues with using Panther. ### [hashtag](https://docs.panther.com/resources/help#panthers-knowledge-base) Panther's Knowledge Base Panther's Knowledge Base (KB), found at [help.panther.comarrow-up-right](https://help.panther.com/) , contains articles that answer frequently asked questions and help you resolve common errors and issues. You can navigate through the topics on the home page, or you can use the search bar in the KB to find the information you need. ### [hashtag](https://docs.panther.com/resources/help#panther-community) Panther Community Panther's Slack Community is a place to connect with security experts, share detection code, and learn from other Panther users. If you'd like to join, visit the [Panther Community sign-uparrow-up-right](http://pnthr.io/community) page. ### [hashtag](https://docs.panther.com/resources/help#contact-panther-support) Contact Panther Support If you don't find the answer you need in the KB or via the resources listed below, you can contact Panther Support in the following ways: * Slack * Send a message in your Panther channel, then react to your message with the ticket emoji. * Email * Send a message to [\[email protected\]](https://docs.panther.com/cdn-cgi/l/email-protection) . * Pylon messenger * In the lower right-hand corner of your Panther Console, click the chat icon: ![A blue circle encompasses a white speaking bubble.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-8aad0691e53217a9e695a1f52b17783a540d104a%252FScreenshot%25202025-09-09%2520at%25203.25.14%25E2%2580%25AFPM.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=5e55bb7&sv=2) [hashtag](https://docs.panther.com/resources/help#helpful-panther-resources) Helpful Panther resources ----------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/resources/help#getting-started-with-panther) Getting started with Panther [Quick Startchevron-right](https://docs.panther.com/quick-start) ### [hashtag](https://docs.panther.com/resources/help#panther-glossary-of-terms) Panther glossary of terms [Glossarychevron-right](https://docs.panther.com/resources/help/glossary) ### [hashtag](https://docs.panther.com/resources/help#panthers-operational-monitoring-tools-and-architecture) Panther's operational monitoring, tools, and architecture [Operationschevron-right](https://docs.panther.com/resources/help/operations) ### [hashtag](https://docs.panther.com/resources/help#panther-security-and-privacy) Panther security and privacy [Security and Privacychevron-right](https://docs.panther.com/resources/help/security-privacy) ### [hashtag](https://docs.panther.com/resources/help#panther-and-statuspage-alerts) Panther and Statuspage alerts * Panther uses Statuspage to post about service incidents that affect or may affect multiple customers. * Visit our [Statuspagearrow-up-right](https://status.panther.com/) and subscribe to updates to receive notifications when there are interruptions to Panther’s service. ### [hashtag](https://docs.panther.com/resources/help#panther-prospective-customers) Panther prospective customers * If you are not an existing customer and would like to speak to a member of the Sales Team, [visit this page to request a demoarrow-up-right](https://panther.com/product/request-a-demo/) . [PreviousMCP Serverchevron-left](https://docs.panther.com/panther-developer-workflows/mcp-server) [NextOperationschevron-right](https://docs.panther.com/resources/help/operations) Last updated 1 month ago Was this helpful? * [Overview](https://docs.panther.com/resources/help#overview) * [Panther's Knowledge Base](https://docs.panther.com/resources/help#panthers-knowledge-base) * [Panther Community](https://docs.panther.com/resources/help#panther-community) * [Contact Panther Support](https://docs.panther.com/resources/help#contact-panther-support) * [Helpful Panther resources](https://docs.panther.com/resources/help#helpful-panther-resources) * [Getting started with Panther](https://docs.panther.com/resources/help#getting-started-with-panther) * [Panther glossary of terms](https://docs.panther.com/resources/help#panther-glossary-of-terms) * [Panther's operational monitoring, tools, and architecture](https://docs.panther.com/resources/help#panthers-operational-monitoring-tools-and-architecture) * [Panther security and privacy](https://docs.panther.com/resources/help#panther-security-and-privacy) * [Panther and Statuspage alerts](https://docs.panther.com/resources/help#panther-and-statuspage-alerts) * [Panther prospective customers](https://docs.panther.com/resources/help#panther-prospective-customers) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Ingestion Filters | Panther Docs [hashtag](https://docs.panther.com/data-onboarding/ingestion-filters#overview) Overview -------------------------------------------------------------------------------------------- Ingestion filters let you define conditions under which incoming data should be dropped—i.e., not ingested into Panther. This dropped data will not contribute to your ingestion quota. These filters can be useful, then, to partially ingest high-volume logs that may have previously been cost-prohibitive when connected with Panther. Filtered-out events will not pass through detections, nor be stored in the data lake for later querying. After your filters have been configured, you can [monitor filtered event volume](https://docs.panther.com/data-onboarding/monitoring-log-sources#viewing-filtered-event-volume) . [hashtag](https://docs.panther.com/data-onboarding/ingestion-filters#types-of-ingestion-filters) Types of ingestion filters -------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/data-onboarding/ingestion-filters#raw-vs.-normalized-event-filters) Raw vs. normalized event filters There are two types of ingestion filters in Panther: * **Raw event filters**: Applied on data before it is parsed by a log schema * Learn more on [Raw Event Filters](https://docs.panther.com/data-onboarding/ingestion-filters/raw-event) . * **Normalized event filters**: Applied on data after it has been parsed by a log schema * Learn more on [Normalized Event Filters](https://docs.panther.com/data-onboarding/ingestion-filters/normalized-event) . circle-info If multiple raw or normalized filters are defined for a log source, there is no guarantee of the order they will run in. ### [hashtag](https://docs.panther.com/data-onboarding/ingestion-filters#inclusion-vs.-exclusion-filters) Inclusion vs. exclusion filters Both raw and normalized event filters can be created as inclusion or exclusion filters. * **Inclusion filters:** Events that match the filter will be ingested (so long as they are not dropped by another filter). Events that do not match the filter will be dropped. * **Exclusion filters:** Events that match the filter will be dropped. Events that do not match the filter will be ingested (so long as they are not dropped by another filter). [PreviousField Discoverychevron-left](https://docs.panther.com/data-onboarding/field-discovery) [NextRaw Event Filterschevron-right](https://docs.panther.com/data-onboarding/ingestion-filters/raw-event) Last updated 1 year ago Was this helpful? * [Overview](https://docs.panther.com/data-onboarding/ingestion-filters#overview) * [Types of ingestion filters](https://docs.panther.com/data-onboarding/ingestion-filters#types-of-ingestion-filters) * [Raw vs. normalized event filters](https://docs.panther.com/data-onboarding/ingestion-filters#raw-vs.-normalized-event-filters) * [Inclusion vs. exclusion filters](https://docs.panther.com/data-onboarding/ingestion-filters#inclusion-vs.-exclusion-filters) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Converting Sigma Rules | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#overview) Overview ------------------------------------------------------------------------------------------------------------- Use the [`sigma-cli`arrow-up-right](https://github.com/SigmaHQ/sigma-cli) tool to convert [Sigma rulesarrow-up-right](https://sigmahq.io/docs/basics/rules.html) into [Simple Detections](https://docs.panther.com/detections#simple-detections) or [Python detections](https://docs.panther.com/detections/rules/python) . In security and threat intelligence communities, Sigma rules are a common way to share detection logic in a vendor-agnostic format. This converter makes thousands of Sigma rules available for use in Panther. It also can make it easier to migrate to Panther from another SIEM. Currently, only rules for [certain Panther log sources](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#supported-conversions) are supported for conversion. [hashtag](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#installing-the-tool) Installing the tool ----------------------------------------------------------------------------------------------------------------------------------- To install the tool: 1. Install `sigma-cli`: * On MacOS, you can do so using Homebrew: `brew install sigma-cli` * On other platforms, follow [these installation instructionsarrow-up-right](https://github.com/SigmaHQ/sigma-cli#installation) . 2. Run the following command to install the Panther backend and pipelines: Copy sigma plugin install panther [hashtag](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#upgrading-the-tool) Upgrading the tool --------------------------------------------------------------------------------------------------------------------------------- 1. Upgrade `sigma-cli`: * On MacOS, run `brew upgrade`. * On other platforms, rerun [these installation instructionsarrow-up-right](https://github.com/SigmaHQ/sigma-cli#installation) . 2. Upgrade the plugin by rerunning the installation command: Copy sigma plugin install panther [hashtag](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#using-the-tool) Using the tool ------------------------------------------------------------------------------------------------------------------------- To use the conversion tool: 1. Navigate to your local directory of Sigma rules. 2. Run the conversion command: * The value of the processing pipeline flag (`-p`) differs depending on whether the source is a [cloud](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#cloud-log-sources) or [endpoint detection and response (EDR)](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#edr-log-sources) source. * Cloud log sources: Use `panther` (default) * EDR sources: See options in the [`sigma convert` flags](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#sigma-convert-flags) table, below * The value of the format flag (`-f`) can be one of the following: * `python` (default): Generates [Python Detections](https://docs.panther.com/detections/rules/python) * `sdyaml`: Generates [Simple Detections](https://docs.panther.com/detections/rules/writing-simple-detections) * Learn about additional command options in the [`sigma convert` flags](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#sigma-convert-flags) table, below. See the [Usage section of the `sigma-cli` `README`arrow-up-right](https://github.com/SigmaHQ/sigma-cli/tree/main#usage) for additional usage instructions. 3. Upload the converted rules to Panther using the [Panther Analysis Tool](https://docs.panther.com/panther-developer-workflows/detections-repo/pat) or the [Bulk Uploaderarrow-up-right](https://docs.panther.com/panther-developer-workflows/ci-cd/deployment-workflows/pat/pat-commands#uploading-content-in-the-panther-console) . [hashtag](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#supported-conversions) Supported conversions --------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#cloud-log-sources) Cloud log sources All cloud sources use the same conversion command: Source name Supported Panther schema(s) AWS CloudTrail [`AWS.CloudTrail`](https://docs.panther.com/data-onboarding/supported-logs/aws/cloudtrail#aws.cloudtrail) GCP Audit [`GCP.AuditLog`arrow-up-right](https://docs.panther.com/data-onboarding/supported-logs/gcp) GitHub [`GitHub.Audit`](https://docs.panther.com/data-onboarding/supported-logs/github) Okta [`Okta.SystemLog`](https://docs.panther.com/data-onboarding/supported-logs/okta#okta.systemlog) ### [hashtag](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#edr-log-sources) EDR log sources This tool can convert detections for endpoint events from certain EDR sources. These detections are applicable to logs generated in Windows, Mac, and Linux systems. Currently, the following Sigma log source categories are supported: * `process_creation` * `file_event` * `network_connection` Note that for EDR sources, the value of the processing pipeline flag (`-p`) is unique to each source. Source name Supported Panther schema(s) \-p flag value CrowdStrike [`Crowdstrike.FDREvent`](https://docs.panther.com/data-onboarding/supported-logs/crowdstrike/falcon-data-replicator#crowdstrike.fdrevent) `crowdstrike_panther` Carbon Black [`CarbonBlack.EndpointEvent`](https://docs.panther.com/data-onboarding/supported-logs/carbon-black#carbonblack.endpointevent) `carbon_black_panther` SentinelOne [`SentinelOne.DeepVisibilityV2`arrow-up-right](https://docs.panther.com/data-onboarding/supported-logs/sentinel-one) `sentinelone_panther` Windows Event [`Windows.EventLogs`](https://docs.panther.com/data-onboarding/supported-logs/windows-event-logs#windows.eventlogs) For Windows security logs: `windows_audit_panther` For Sysmon logs: `sysmon_panther` For other Windows log types, like PowerShell: `windows_logsource_panther` #### [hashtag](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#crowdstrike-example-conversion-command) CrowdStrike example conversion command [hashtag](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#sigma-convert-flags) `sigma convert` flags ------------------------------------------------------------------------------------------------------------------------------------- Long name Short flag Options Description `--target` `-t` `panther` The Sigma backend to use `--pipeline` `-p` `panther` (default): for [cloud log sources](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#cloud-log-sources) `crowdstrike_panther` `carbon_black_panther` `sentinelone_panther` The log source pipeline to use `--format` `-f` `python` (default) `sdyaml` The output format of the converted rules `--skip-unsupported` `-s` None Using this flag is recommended when converting rules in bulk `--backend-option` `-O` `output_dir=...` The directory in which to save the converted rules `--help` None None View the help docs [Previouspantherlog Toolchevron-left](https://docs.panther.com/panther-developer-workflows/pantherlog) [NextMCP Serverchevron-right](https://docs.panther.com/panther-developer-workflows/mcp-server) Last updated 11 months ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#overview) * [Installing the tool](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#installing-the-tool) * [Upgrading the tool](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#upgrading-the-tool) * [Using the tool](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#using-the-tool) * [Supported conversions](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#supported-conversions) * [Cloud log sources](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#cloud-log-sources) * [EDR log sources](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#edr-log-sources) * [sigma convert flags](https://docs.panther.com/panther-developer-workflows/converting-sigma-rules#sigma-convert-flags) Was this helpful? sun-brightdesktopmoon Copy sigma convert -s -t panther -f -p path/to/rules -O output_dir=output/directory Copy sigma convert -s -t panther path/to/rules -O output_dir=output/directory Copy sigma convert -s -t panther -p crowdstrike_panther path/to/rules -O output_dir=output/directory sun-brightdesktopmoon --- # Using Panther-managed Detections | Panther Docs [hashtag](https://docs.panther.com/detections/panther-managed#overview) Overview ------------------------------------------------------------------------------------- Panther comes with a number of out-of-the-box Python detections, called Panther-managed detections. Panther has written the core logic of these detections and periodically releases improvements for them. Using Panther-managed detections not only saves you the effort of having to write your own from scratch, but also provides the ongoing benefit of receiving improvements to core detection logic over time, as Panther releases new versions. A Panther-managed detection can be: * [Enabled as-is](https://docs.panther.com/detections/panther-managed#enabling-and-disabling-panther-managed-detections) * Enabled and tuned with [Inline Filters](https://docs.panther.com/detections/panther-managed#inline-filters) and/or its [editable fields](https://docs.panther.com/detections/panther-managed#editable-fields) * Used as a Base Detection with [detection derivation](https://docs.panther.com/detections/rules/derived) * [Cloned and edited](https://docs.panther.com/detections/panther-managed#how-to-clone-a-panther-managed-detection) (cloned detections are not managed by Panther and do not receive continuous updates) You can work with Panther-managed detections in your Panther Console, or by using [Panther CLI workflows](https://docs.panther.com/panther-developer-workflows/overview) . Most Panther-managed detections are contained within [Detection Packs](https://docs.panther.com/detections/panther-managed/packs) —logical groupings of detections—though some aren't, typically because they require some additional configuration, such as adding custom values to an allowlist or denylist. Excluding these detections from Packs reduces the likelihood of them being enabled without the required configuration and generating false positive alerts. Some examples of Panther-managed detections that are not in a Pack are: * [AWS.Resource.RequiredTagsarrow-up-right](https://github.com/panther-labs/panther-analysis/blob/19a9e47e347f711df173bcfe07b7db9cf003ed7e/policies/aws_account_policies/aws_resource_required_tags.py) * [AWS.GuardDuty.Enabledarrow-up-right](https://github.com/panther-labs/panther-analysis/blob/cd220c87982011d4ad156c7daecd2857c358d154/policies/aws_guardduty_policies/aws_guardduty_enabled.py) * [Crowdstrike.DNS.Requestarrow-up-right](https://github.com/panther-labs/panther-analysis/blob/19a9e47e347f711df173bcfe07b7db9cf003ed7e/rules/crowdstrike_rules/crowdstrike_dns_request.py) * [GCP.UnusedRegionsarrow-up-right](https://github.com/panther-labs/panther-analysis/blob/7e124d51379de04aaf51b63c1561c09a7c7802bc/rules/gcp_audit_rules/gcp_unused_regions.py) * [GSuite.DriveVisibilityChangedarrow-up-right](https://github.com/panther-labs/panther-analysis/blob/9d466d95ab9a4f8c2bb78ff8e77271edf45b7818/rules/gsuite_reports_rules/gsuite_drive_visibility_change.py) circle-info Currently, only Python Panther-managed detections are available for you to clone, modify and upload. Panther-managed Simple Detections are planned for a future release. [hashtag](https://docs.panther.com/detections/panther-managed#how-to-use-panther-managed-detections) How to use Panther-managed detections ----------------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/detections/panther-managed#viewing-available-panther-managed-detections) Viewing available Panther-managed detections The full list of Panther-managed detections is viewable in the Console and on GitHub, as explained below. Console GitHub **Viewing available Panther-managed detections in the Panther Console** You can view Panther-managed detections in your Console: 1. In the left-hand navigation bar of your Panther Console, click **Detections**. 2. Click **Filters** icon. 3. In the **Created by** filter, choose **Created by Panther**. ![A "Filters" panel is shown, with various dropdown fields, including "Detection Types," "Severities" and "State."](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-773bb5081dc32cb1dc61470d3d4378461613887f%252Fimage.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=c39f486c&sv=2) 4. Optionally, select the rule **Data Sources** you'd like to view detections for. 5. Click **Apply Filters**. circle-info Note that only Panther-managed detections included in a Pack are available by default in your Panther instance. If you would like to work with a Panther-managed detection not included in a Pack (like one of the ones [listed above](https://docs.panther.com/detections/panther-managed#overview) ), contact your Panther support team for help loading it in. **Viewing available Panther-managed detections in GitHub** You can view all Panther-managed detections in Panther's public [panther-analysisarrow-up-right](https://github.com/panther-labs/panther-analysis) GitHub repository. They are located in the [rulesarrow-up-right](https://github.com/panther-labs/panther-analysis/tree/master/rules) and [policiesarrow-up-right](https://github.com/panther-labs/panther-analysis/tree/master/policies) subdirectories. ### [hashtag](https://docs.panther.com/detections/panther-managed#enabling-and-disabling-panther-managed-detections) Enabling and disabling Panther-managed detections Panther-managed detections can be enabled and disabled in your Panther Console or by using Panther CLI workflows: Console CLI **Enabling and disabling Panther-managed detections in the Panther Console** Panther-managed detections can be enabled and disabled in your Panther Console. To enable or disable a Panther-managed detection from the detections list page: 1. In the left-hand navigation bar of your Panther Console, click **Detections**. * Find the Panther-managed detection you'd like to enable or disable. 2. To the left of the detection name, click the checkbox. ![](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-b57e0f4c3eba2fd429d67229d6b2240f3ec2c081%252Fimage.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=1ddee24c&sv=2) 3. At the top of the page, click **Enable** or **Disable**. To enable or disable a Panther-managed detection from its details page: 1. In the left-hand navigation bar of your Panther Console, click **Detections**. * Find the Panther-managed detection you'd like to enable or disable. 2. Click the detection's name, to be taken to its details page. 3. In the upper right corner, switch the **Enabled** toggle ON or OFF. 4. In the upper right corner, click **Update**. circle-info Note that only Panther-managed detections included in a Pack are available by default in your Panther instance. If you would like to work with a Panther-managed detection not included in a Pack (like one of the ones [listed above](https://docs.panther.com/detections/panther-managed#overview) ), contact your Panther support team for help loading it in. **Enabling and disabling Panther-managed detections using the CLI workflow** Learn how to enable and disable Panther-managed detections using the CLI workflow in [Using the Panther detections repo](https://docs.panther.com/panther-developer-workflows/detections-repo) . ### [hashtag](https://docs.panther.com/detections/panther-managed#update-or-roll-back-a-panther-managed-detection) Update or roll back a Panther-managed detection To update your Panther-managed detection when Panther releases a new version (or revert to a previous one), follow the [Update or roll back Detection Pack instructions on Detection Packs](https://docs.panther.com/detections/panther-managed/packs#update-or-roll-back-detection-pack) . Note that only those Panther-managed detections included in Detection Packs are versioned, and therefore eligible to be updated or rolled back. ### [hashtag](https://docs.panther.com/detections/panther-managed#how-to-customize-a-panther-managed-detection) How to customize a Panther-managed detection You can customize a Panther-managed detection by adding [Inline Filters](https://docs.panther.com/detections/panther-managed#inline-filters) , modifying its [editable fields](https://docs.panther.com/detections/panther-managed#editable-fields) , or using [detection inheritance](https://docs.panther.com/detections/panther-managed#detection-inheritance) . These options allow you to add your own tuning and customizations while still receiving updates to core detection logic from Panther. If you need to modify the core rule logic of a Panther-managed detection (which is read-only), you can alternatively [clone and edit it](https://docs.panther.com/detections/panther-managed#how-to-clone-a-panther-managed-detection) . Because a cloned detection is managed by you, not Panther, it won't receive Panther's improvements to core detection logic over time. For this reason, we recommend using the customization techniques outlined in this section, if possible. #### [hashtag](https://docs.panther.com/detections/panther-managed#inline-filters) Inline Filters You can easily tune Panther-managed rules by adding Rule Filters. See [Modifying Detections with Inline Filters](https://docs.panther.com/detections/rules/inline-filters) for detailed instructions. Inline Filters will be preserved if the customized detection is part of a Detection Pack, and the Pack is updated or reverted to a different version. Note that Inline Filters are applicable only to rules, not policies nor scheduled rules. #### [hashtag](https://docs.panther.com/detections/panther-managed#editable-fields) Editable fields Panther-managed detections, while disallowing you from editing core detection logic, do allow you to customize certain metadata fields in the Panther Console. (All _other_ fields will be greyed out in the Panther Console, and the **Rule Function** and **Unit Test** editors will be read-only.) These editable fields include: * Enabled / Disabled * Severity * Deduplication Period * Events Threshold * Destination Overrides * Runbook Any changes made to these fields in the Panther Console will be preserved if the customized detection is part of a Detection Pack, and the Pack is updated or reverted to a different version. You can make changes to the editable fields in the Panther Console: 1. In the left-hand navigation bar of your Panther Console, click **Build** > **Detections**. 2. Locate the detection you want to edit, then click on its name to be brought to its details page. 3. Scroll down to the **Set Alert Fields** section. 4. Make any desired changes to the detection. * Fields that are not editable will be greyed out. 5. Click **Update** in the upper right side of the page to save your changes. #### [hashtag](https://docs.panther.com/detections/panther-managed#detection-inheritance) Detection inheritance With detection inheritance, you can use Panther-managed detections as Base Detections, from which you can create your own Derived Detections. Derived Detections inherit the Base Detection's core logic, which is immutable, as well as its metadata field values, which can be overwritten. For more information, see [Detection Inheritance](https://docs.panther.com/detections/rules/derived) . [hashtag](https://docs.panther.com/detections/panther-managed#how-to-clone-a-panther-managed-detection) How to clone a Panther-managed detection ----------------------------------------------------------------------------------------------------------------------------------------------------- If a Panther-managed detection doesn't fit your needs, you can clone it, then edit the cloned copy: 1. In the left-hand navigation bar of your Panther Console, click **Build** > **Detections**. 2. Locate the detection you want to edit, then click on its name. 3. In the upper right corner of the detection's details page, click the three dots > **Clone**. ![A three dots icon has been selected, and its menu is shown. There is an arrow pointing form the three dots to the first item in the menu, "Clone."](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-45aa67fb884895ddbdceeb69c6c57cf62246b17b%252Fimage.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=1f7c0686&sv=2) 4. You will be redirected to the standard detection creation interface. Optionally update the cloned detection's **Name**. * The name of a cloned detection, by default, will have `(Copy)` appended to it. 5. In the upper-right corner, click **Continue**. 6. On the cloned detection's details page, make any desired changes to your cloned copy of the detection. * The **Enabled** toggle will default to the enabled status of the original detection, i.e., if the Panther-managed detection was disabled, the toggle will be set to OFF. 7. In the upper-right corner, click **Save.** ![The new detection page is shown, with the detection name filled in with Cloudflare Bot High Volume GreyNoise (Copy). There is a Log Types field shown, along with the Rule Function editor. There is an arrow pointing to the Save button in the upper-right corner.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-bffe08ac0f579d6a396ef49a355d66093d78eb03%252Fimage.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=f3c632dd&sv=2) Note that cloning and editing a detection does not changed the Enabled status of the original detection. This means if the original Panther-managed detection was enabled but you intend for your customized copy to _replace_ it, you must go back and disable the Panther-managed detection. The cloned detection will not be managed by Panther or receive continuous updates (as Panther-managed detections included in Detection Packs do). The original version of the detection (if contained in a Pack) will continue to receive updates as normal, whether it is enabled or disabled. [hashtag](https://docs.panther.com/detections/panther-managed#alert-runbooks-for-panther-managed-detections) Alert runbooks for Panther-managed detections --------------------------------------------------------------------------------------------------------------------------------------------------------------- An alert runbook is a set of directions for remediating an issue that triggered an alert. Panther provides alert runbooks for a number of Panther-managed policies and rules—find them in [Alert Runbooks](https://docs.panther.com/alerts/alert-runbooks) . [PreviousDetectionschevron-left](https://docs.panther.com/detections) [NextDetection Packschevron-right](https://docs.panther.com/detections/panther-managed/packs) Last updated 1 month ago Was this helpful? * [Overview](https://docs.panther.com/detections/panther-managed#overview) * [How to use Panther-managed detections](https://docs.panther.com/detections/panther-managed#how-to-use-panther-managed-detections) * [Viewing available Panther-managed detections](https://docs.panther.com/detections/panther-managed#viewing-available-panther-managed-detections) * [Enabling and disabling Panther-managed detections](https://docs.panther.com/detections/panther-managed#enabling-and-disabling-panther-managed-detections) * [Update or roll back a Panther-managed detection](https://docs.panther.com/detections/panther-managed#update-or-roll-back-a-panther-managed-detection) * [How to customize a Panther-managed detection](https://docs.panther.com/detections/panther-managed#how-to-customize-a-panther-managed-detection) * [How to clone a Panther-managed detection](https://docs.panther.com/detections/panther-managed#how-to-clone-a-panther-managed-detection) * [Alert runbooks for Panther-managed detections](https://docs.panther.com/detections/panther-managed#alert-runbooks-for-panther-managed-detections) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Derived Detections | Panther Docs [hashtag](https://docs.panther.com/detections/rules/derived#overview) Overview ----------------------------------------------------------------------------------- You can create one or more Derived Detections from a single Base Detection in Panther. Derived Detections inherit the Base Detection's core logic, which is immutable, as well as its metadata and alert field values, which can be overwritten. Detection derivation is available for rules created as [Simple Detections](https://docs.panther.com/detections#simple-detections) or [Python Detections](https://docs.panther.com/detections/rules/python) . ### [hashtag](https://docs.panther.com/detections/rules/derived#use-cases-for-derived-detections) Use cases for Derived Detections Derivation can be particularly useful when: * You maintain multiple copies of the same rule, each with different metadata * In the CLI workflow, you use and customize [Panther-managed rules](https://docs.panther.com/detections/panther-managed) , and want to avoid having to resolve merge conflicts when Panther releases updates * See a full example on [Using Derived Detections to Avoid Merge Conflicts](https://docs.panther.com/detections/rules/derived/using-derived-detections-to-avoid-merge-conflicts) * You'd like the ability to, while responding to an incident, deploy multiple variations of one detection to gather telemetry that can inform your next decision * One member of your team (e.g., a Head of Threat Research) would like to create a set of Base Detections that others (e.g., SOC Analysts) can modify [hashtag](https://docs.panther.com/detections/rules/derived#base-detections-and-derived-detections) Base Detections and Derived Detections ----------------------------------------------------------------------------------------------------------------------------------------------- A Base Detection is any custom or [Panther-managed](https://docs.panther.com/detections/panther-managed) rule from which a Derived Detection has been created. A Derived Detection is created from a Base Detection and: * Inherits the core detection logic of the Base Detection * The core detection logic is defined in the Base Detection's `rule()` function (for Python detections) or `Detection` field (for Simple Detections). * A Derived Detection cannot specify its own detection logic—if in the CLI workflow a Derived Detection includes a `Detection` key, for example, its contents will be ignored. * Inherits the Base Detection's metadata/alert field values, but can overwrite certain fields * See [Limitations of detection derivation](https://docs.panther.com/detections/rules/derived#limitations-of-detection-derivation) for a full list of fields that can be overwritten today. * An override made in a Derived Detection completely replaces the field's value it inherited from the Base Detection. For example, if both a Base Detection and Derived Detection define an [Inline Filter](https://docs.panther.com/detections/rules/inline-filters) (in the `InlineFilters` key in the CLI workflow or **Filter to only include events** field in the Console), only the Derived Detection's Inline Filter will be applied. * Overrides can only be made in one direction, i.e., overrides made on a Derived Detection do not affect Base Detection values. For example, if a Base Detection has `Enabled: False` and its Derived Detection has `Enabled: True`, only the Derived Detection will be enabled. ### [hashtag](https://docs.panther.com/detections/rules/derived#what-happens-when-a-base-detection-is-updated) What happens when a Base Detection is updated When the core logic of a Base Detection is updated, the change is propagated to all associated Derived Detections. When the metadata of a Base Detection is updated, if an associated Derived Detection has already overwritten the value(s) of the updated field(s), there is no change. If an associated Derived Detection has not overwritten the value(s) of the updated field(s), the metadata update is propagated to the Derived Detection. ### [hashtag](https://docs.panther.com/detections/rules/derived#disable-base-detections-to-avoid-duplicate-alerts) Disable Base Detections to avoid duplicate alerts In most cases, Base and Derived Detections are run over the same set of incoming logs (although it is possible to use [Inline Filters](https://docs.panther.com/detections/rules/inline-filters) to target different events). In this scenario, because the detections share core logic, if they are both enabled, they will generate duplicate alerts. To avoid this, disable the Base Detection. When a disabled Base Detection is updated, its changes will still propagate to its Derived Detections [as described above](https://docs.panther.com/detections/rules/derived#what-happens-when-a-base-detection-is-updated) . #### [hashtag](https://docs.panther.com/detections/rules/derived#automatically-disabling-base-detections-in-the-cli-workflow) Automatically disabling Base Detections in the CLI workflow In the CLI workflow, there are two ways that you can automatically disable Base Detections: * **Option 1 (Recommended)**: Add the following setting to your `.panther_settings.yml` file: * **Option 2**: Use `--auto-disable-base` with the [Panther Analysis Tool `upload` command](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/pat-commands#upload-uploading-packages-to-panther-directly) . * When following this option, note that `--auto-disable-base` must be used with every subsequent upload invocation. If it is omitted, Base Detections will be re-enabled. circle-exclamation If one or more of your Base Detections has already been uploaded to your Panther instance in an enabled state and you then use one of the above methods to automatically disable Base Detections, ensure you are not including `--filter enabled: true` on your [PAT `upload` command](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/pat-commands#upload-uploading-packages-to-panther-directly) . If you do, Base Detections will be disabled before `upload` (when the `enabled: true` filter is applied), meaning the newly disabled Base Detections won't be re-uploaded to your Panther instance (leaving them as-is, or enabled). [hashtag](https://docs.panther.com/detections/rules/derived#how-to-create-a-derived-detection) How to create a Derived Detection ------------------------------------------------------------------------------------------------------------------------------------- Panther Console CLI workflow **Creating a Derived Detection in the Panther Console** 1. In the left-hand navigation bar of the Panther Console, click **Detections**. 2. Locate the detection you would like to become the Base Detection for a new Derived Detection, and click its name. 3. In the upper-right corner, click `...`. 4. Click **Derive**: ![In the Panther Console, the three dots menu on a detection's page is open, and the Derive option is circled.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-76e78c4dfce2f10d543e063c220b754f6758b6f3%252FScreenshot%25202023-11-09%2520at%252012.04.44%2520PM.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=e3232c78&sv=2) 5. On the **Basic Info** page, optionally edit the **Name** and **ID** fields for the Derived Detection. * Ensure the name is distinguishable from the Base Detection's name. 6. Click **Continue**. 7. Scroll down to the **Filter** and **Set Alert Fields** sections, and set desired overrides to Inline Filters and alert fields: ![The edit detection page in the Panther Console is shown. A Filter section is visible, along with a Set Alert Fields section. Within the latter are sub-sections for Required Fields and Optional Fields.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-3a5d463bf5186c6ea31672fc18baa66c63f2e850%252FScreenshot%25202023-11-14%2520at%252012.24.35%2520PM.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=7f1bc811&sv=2) 8. In the upper-right corner, click **Deploy**. * The detection will have a `DERIVED` label: ![The word "DERIVED" is shown in teal.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-ff5df9a84be3cd8e9b66db69e181bd778f7a176f%252FScreenshot%25202023-11-14%2520at%252012.31.51%2520PM.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=6583c4b3&sv=2) **Creating a Derived Detection in the CLI workflow** 1. In the directory where you use the [Panther Analysis Tool (PAT)](https://docs.panther.com/panther-developer-workflows/detections-repo/pat) , create a new YAML file for your Derived Detection. 2. In this YAML file, add the following fields, which are required for Derived Detections: * `BaseDetection`: Provide the rule ID of any rule currently present in your Panther instance or in the local directory you will upload using PAT. * The `BaseDetection` key is the link between this Derived Detection and its Base Detection, and is what indicates that inheritance should be applied. * `RuleID`: Provide a value that is different than the ID supplied earlier for the `BaseDetection` key. * `AnalysisType`: Indicate whether this is a `rule`, `scheduled_rule`, or `policy`. * Currently, only rules are supported. 3. Add the metadata fields you would like to override, and their new values. * See the [Limitations](https://docs.panther.com/detections/rules/derived#limitations-of-detection-derivation) section for a list of available override fields. * It's possible to use the [dynamic alert fields outlined here](https://docs.panther.com/detections/rules/writing-simple-detections#dynamic-alert-keys-in-simple-detections) . 4. Upload your detection using the [`panther_analysis_tool upload`](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/pat-commands#upload-uploading-packages-to-panther-directly) command. * It's recommended to [automatically disable Base Detections](https://docs.panther.com/detections/rules/derived#automatically-disabling-base-detections-in-the-cli-workflow) . **CLI workflow example** Below is an example of a Python Base Detection ([a standard detection in the panther-analysis repositoryarrow-up-right](https://github.com/panther-labs/panther-analysis/blob/main/rules/auth0_rules/auth0_mfa_policy_enabled.yml) ), and below it, its Derived Detection. [hashtag](https://docs.panther.com/detections/rules/derived#how-to-view-all-derived-detections) How to view all Derived Detections --------------------------------------------------------------------------------------------------------------------------------------- To view all Derived Detections in your Panther instance: 1. In the left-hand navigation bar of your Panther Console, click **Detections**. 2. Click **Filters** icon. ![](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-32af1a963a2a7704ebb1c8b50559712de6f99dfc%252Fimage.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=3230e350&sv=2) 3. In the **Detection Types** dropdown field, select **Derived Rule**. 4. Click **Apply Filters**. [hashtag](https://docs.panther.com/detections/rules/derived#limitations-of-detection-derivation) Limitations of detection derivation ----------------------------------------------------------------------------------------------------------------------------------------- * Derivation is not available for [Scheduled Rules](https://docs.panther.com/detections/rules) or [Policies](https://docs.panther.com/detections/policies) . * Only one level of derivation is possible, i.e. a Derived Detection cannot be derived _from._ * In the Console workflow, tests are inherited when the Derived Detection is created, but not thereafter when the Base Detection's tests are updated. * If, in a Python Base Detection, the value of a metadata field is set using a Python function, that value will take precedence over an equivalent static override value supplied in a Derived Detection. For example, if a Python [`severity()`](https://docs.panther.com/detections/rules/python#severity) function is present in the Base Detection, its value will take precedence over the Derived Detection's override value supplied in the `Severity` YAML key (in the CLI workflow) or the **Severity** field (in the Console). * See a full list of the Python functions that set metadata values (called "Alert functions"), as well as which fields in YAML/the Console they override, in the [Alert functions in Python detections](https://docs.panther.com/detections/rules/python#alert-functions-in-python-detections) table. * It _is_ possible to overwrite values set by certain Python alert functions by using [dynamic alert keys](https://docs.panther.com/detections/rules/writing-simple-detections#dynamic-alert-keys-in-simple-detections) in your Derived Detection. For example, you can override the value of your Python Base Detection's [`severity()`](https://docs.panther.com/detections/rules/python#severity) function in your Derived Detection by using the [`DynamicSeverities`](https://docs.panther.com/detections/rules/writing-simple-detections#dynamicseverities) field. * [`DynamicSeverities`](https://docs.panther.com/detections/rules/writing-simple-detections#dynamicseverities) overrides [`severity()`](https://docs.panther.com/detections/rules/python#severity) * [`AlertTitle`](https://docs.panther.com/detections/rules/writing-simple-detections#alerttitle) overrides [`title()`](https://docs.panther.com/detections/rules/python#title) * [`AlertContext`](https://docs.panther.com/detections/rules/writing-simple-detections#alertcontext) overrides [`alert_context()`](https://docs.panther.com/detections/rules/python#alert_context) * [`GroupBy`](https://docs.panther.com/detections/rules/writing-simple-detections#groupby) overrides [`dedup()`](https://docs.panther.com/detections/rules/python#dedup) * If you are creating a Derived Detection in the Console workflow and the Base Detection is a Python detection, you cannot set any alert fields dynamically—they may only be set statically. * It _is_ possible to dynamically set alert fields in the Console workflow if the Base Detection is a Simple detection. * It _is_ possible to dynamically set alert fields in the CLI workflow (using [`AlertTitle`](https://docs.panther.com/detections/rules/writing-simple-detections#alerttitle) , [`DynamicSeverities`](https://docs.panther.com/detections/rules/writing-simple-detections#groupby) , [`AlertContext`](https://docs.panther.com/detections/rules/writing-simple-detections#alertcontext) , and [`GroupBy`](https://docs.panther.com/detections/rules/writing-simple-detections#groupby) ) regardless of whether the Base Detection is a Python or YAML detection. * Currently, only the below fields can be overwritten. These are YAML field names, applicable to the CLI workflow—for those with equivalent fields in the Console, those Console fields may also be overwritten. * `Enabled` * `Severity` * `Description` * `CreateAlert` * `DedupPeriodMinutes` * `InlineFilters` * `DisplayName` * `OnlyUseBaseRiskScore` * `OutputIds` * `Reference` * `Runbook` * `SummaryAttributes` * `Threshold` * `Tags` * `Reports` * `DynamicSeverities` * `AlertTitle` * `AlertContext` * `GroupBy` * `Tests` [PreviousModifying Detections with Inline Filterschevron-left](https://docs.panther.com/detections/rules/inline-filters) [NextUsing Derived Detections to Avoid Merge Conflictschevron-right](https://docs.panther.com/detections/rules/derived/using-derived-detections-to-avoid-merge-conflicts) Last updated 7 days ago Was this helpful? * [Overview](https://docs.panther.com/detections/rules/derived#overview) * [Use cases for Derived Detections](https://docs.panther.com/detections/rules/derived#use-cases-for-derived-detections) * [Base Detections and Derived Detections](https://docs.panther.com/detections/rules/derived#base-detections-and-derived-detections) * [What happens when a Base Detection is updated](https://docs.panther.com/detections/rules/derived#what-happens-when-a-base-detection-is-updated) * [Disable Base Detections to avoid duplicate alerts](https://docs.panther.com/detections/rules/derived#disable-base-detections-to-avoid-duplicate-alerts) * [How to create a Derived Detection](https://docs.panther.com/detections/rules/derived#how-to-create-a-derived-detection) * [How to view all Derived Detections](https://docs.panther.com/detections/rules/derived#how-to-view-all-derived-detections) * [Limitations of detection derivation](https://docs.panther.com/detections/rules/derived#limitations-of-detection-derivation) Was this helpful? sun-brightdesktopmoon Copy auto_disable_base: true # ... other settings ... Copy # Base Detection AnalysisType: rule Description: An Auth0 User enabled MFA Policy for your organization's tenant. DisplayName: "Auth0 MFA Policy Enabled" Enabled: True Filename: auth0_mfa_policy_enabled.py Runbook: Assess if this was done by the user for a valid business reason and was expected. This alert indicates a setting change that aligns with best security practices, follow-up may be unnecessary. Severity: Medium DedupPeriodMinutes: 60 LogTypes: - Auth0.Events RuleID: "Auth0.MFA.Policy.Enabled" Threshold: 1 Tests: - ExpectedResult: True Log: data: client_id: 1HXWWGKk1Zj3JF8GvMrnCSirccDs4qvr client_name: "" date: "2023-05-16 17:26:16.782000000" description: Set the Multi-factor Authentication policies details: request: auth: credentials: jti: 0107c849078d8d889af711840197ba7c scopes: - create:actions - create:actions_log_sessions # shortened for brevity strategy: jwt user: email: [email protected] name: User Name user_id: google-oauth2|105261262156475850461 body: - all-applications channel: https://manage.auth0.com/ ip: 12.12.12.12 method: put path: /api/v2/guardian/policies query: {} userAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 response: body: - all-applications statusCode: 200 ip: 12.12.12.12 log_id: "90020230515215719063964000000000000001223372037488829643" type: sapi user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 user_id: google-oauth2|105261262156475850461 log_id: "90020230515215719063964000000000000001223372037488829643" p_any_ip_addresses: - 12.12.12.12 p_any_usernames: - google-oauth2|105261262156475850461 p_event_time: "2023-05-16 17:26:16.782" p_log_type: Auth0.Events p_parse_time: "2023-05-16 17:28:28.572" p_row_id: 2660c447622fa4c3dbb08f9918979102 p_schema_version: 0 p_source_id: b9031579-b2c5-45c2-b15c-632b995a4e36 p_source_label: Org Auth0 Tenant Label Name: MFA Policy Enabled First Copy # Derived Detection # Required fields AnalysisType: rule RuleID: "Auth0.MFA.Policy.Enabled.Custom.Severity" BaseDetection: "Auth0.MFA.Policy.Enabled" # Fields being overwritten (i.e., overriding the default values inherited from the Base Detection) DisplayName: "Auth0 MFA Policy Enabled - Severity Critical" Enabled: True Severity: Critical Description: An Auth0 User enabled MFA Policy for your organization's tenant - severity overridden to critical. sun-brightdesktopmoon --- # Standard Fields | Panther Docs Panther's log analysis applies normalization fields (IPs, domains, etc) to all log records. These fields provide standard names for attributes across all data sources enabling fast and easy data correlation. For example, each data source has a time that an event occurred, but each data source will likely not name the attribute the same, nor is it guaranteed that the associated time has a timezone consistent with other data sources. The Panther `p_event_time` attribute is mapped to each data source's corresponding event time and [normalized to UTC](https://docs.panther.com/data-onboarding/custom-log-types/reference#timestamps) . This means while querying multiple data sources, you can join and order by `p_event_time`, despite the disparate schemas of each data source. circle-info All appended standard fields begin with `p_.` [hashtag](https://docs.panther.com/search/panther-fields#required-fields) Required Fields ---------------------------------------------------------------------------------------------- The fields below are appended to all log records: **Field name** **Type** **Description** `p_log_type` `string` The type of log. `p_row_id` `string` Unique id (UUID) for the row. `p_event_time` `timestamp` The associated event time for the log type is copied here and normalized to UTC. Format: `YYYY-MM-DD HH:MM:SS.fff` `p_parse_time` `timestamp` The current time when the event was parsed, normalized to UTC. Format: `YYYY-MM-DD HH:MM:SS.fff` `p_schema_version` `integer` The version of the schema used for this row. `p_source_id` `string` The Panther generated internal id for the source integration. `p_source_label` `string` The user supplied label for the source integration (may change if edited). `p_source_file` `object` Available for S3 sources only, this field contains metadata of the file that this event originated from, including the bucket name and object key. circle-info If an event does not have a timestamp, then `p_event_time` will be set to `p_parse_time`, which is the time the event was parsed. The `p_source_id` and `p_source_label` fields indicate where the data originated. For example, you might have multiple CloudTrail sources registered with Panther, each with a unique name (e.g., "Dev Accounts", "Production Accounts", "HR Accounts", etc.). These fields allow you to separate data based on the source, which is beneficial when configuring detections in Panther. In addition, the fields below are appended to log records of all tables in the `panther_rule_matches` database: **Field name in panther\_rule\_matches** **Type** **Description** `p_alert_id` `string` Id of alert related to row. `p_alert_creation_time` `timestamp` Time of alert creation related to row. `p_alert_context` object A JSON object returned from the rule's alert\_context() function. `p_alert_severity` `string` The severity level of the rule at the time of the alert. This could be different from the default severity as it can be dynamically set. `p_alert_update_time` `timestamp` Time of last alert update related to row. `p_rule_id` `string` The id of the rule that generated the alert. `p_rule_error` `string` The error message if there was an error running the rule. `p_rule_reports` `map[string]array[string]` List of user defined rule reporting tags related to row. `p_rule_severity` `string` The default severity of the rule. `p_rule_tags` `array[string]` List of user defined rule tags related to row. [hashtag](https://docs.panther.com/search/panther-fields#indicator-fields) Indicator Fields ------------------------------------------------------------------------------------------------ A common security question is, “Was `some indicator` ever observed in _any_ of our logs?” Panther's [Search](https://docs.panther.com/search/search-tool) tool enables you to find the answer by searching across data from all of your various log sources. As log events are ingested, the [`indicators` field](https://docs.panther.com/data-onboarding/custom-log-types/reference#indicators) in their corresponding schema identifies which fields should have their values extracted into `p_any_` fields, which are appended to and stored with the event. The table below shows which `p_any_` field(s) data is extracted into, by `indicator`. All `p_any_` fields are lists. When constructing a custom schema, you can use the values in the Indicator Name column in the table below in your schema's [`indicators` field](https://docs.panther.com/data-onboarding/custom-log-types/reference#indicators) . Each of the rows (except for `hostname`, `net_addr`, and `url`) corresponds to a "Panther Fields" option in [Search](https://docs.panther.com/search/search-tool) . Note that field name/value pairs outside of the fields in the table below can be searched with [Search's key/value filter expression](https://docs.panther.com/search/search-tool#key-value-filter-expression) functionality—though because those fields have not been mapped to corresponding ones (with different syntax) in different log sources, only matches from log sources containing the exact field name searched will be returned. circle-info In order for a field to be designated as an indicator in a schema, it must be type `string`. Indicator Name Extracted into fields Description actor\_id p\_any\_actor\_ids Append value to p\_any\_actor\_ids. aws\_account\_id p\_any\_aws\_account\_ids If the value is a valid AWS account id, append to p\_any\_aws\_account\_ids. aws\_arn p\_any\_aws\_arns, p\_any\_aws\_instance\_ids, p\_any\_aws\_account\_ids, p\_any\_emails If value is a valid AWS ARN then append to p\_any\_aws\_arns. If the ARN contains an AWS account id, extract and append to p\_any\_aws\_account\_ids. If the ARN contains an EC2 instance id, extract and append to p\_any\_aws\_instance\_ids. If the ARN references an AWS STS Assume Role and contains and email address, then extract email address into p\_any\_emails. aws\_instance\_id p\_any\_aws\_instance\_ids If the value is a valid AWS instance id then append to p\_any\_aws\_instance\_ids. aws\_tag p\_any\_aws\_tags Append value into p\_any\_aws\_tags. cve p\_any\_cves Extract any values matching the regex `^[Cc][Vv][Ee]-\d{4}-\d+$` and append to p\_any\_cves domain p\_any\_domain\_names Append value to p\_any\_domain\_names. email p\_any\_emails If value is a valid email address then append value into p\_any\_emails. The portion of the value that precedes `@` will also be populated in p\_any\_usernames hostname p\_any\_domain\_names, p\_any\_ip\_addresses Append value to p\_any\_domain\_names. If value is a valid ipv4 or ipv6 address then append to p\_any\_ip\_addresses. ip p\_any\_ip\_addresses If value is a valid ipv4 or ipv6 address then append to p\_any\_ip\_addresses. mac p\_any\_mac\_addresses If a value is a valid IEEE 802 MAC-48, EUI-48, EUI-64, or a 20-octet IP over InfiniBand link-layer address then append to p\_any\_mac\_addresses. md5 p\_any\_md5\_hashes If the value is a valid md5 then append value into p\_any\_md5\_hashes. mitre\_attack\_technique p\_any\_mitre\_attack\_techniques Extract any values matching the regex `\b[Tt]\d{4}(?:\.\d{3})?\b` and append to p\_any\_mitre\_attack\_techniques. For example, if the field value is `"Technique: T1234"`, p\_any\_mitre\_attack\_techniques would have a value of `["T1234"]` net\_addr p\_any\_domain\_names, p\_any\_ip\_addresses Extracts from values of the form `:` and appends host portion to p\_any\_domain\_names. If host portion is a valid ipv4 or ipv6 address, then append to p\_any\_ip\_addresses. serial\_number p\_any\_serial\_numbers Append value to p\_any\_serial\_numbers. sha1 p\_any\_sha1\_hashes If the value is a valid sha1 then append to p\_any\_sha1\_hashes. sha256 p\_any\_sha256\_hashes If the value is a valid sha256 then append to p\_any\_sha256\_hashes. trace\_id p\_any\_trace\_ids Append value to p\_any\_trace\_ids. Tag fields such as session ids and document ids that are used to associated elements with other logs in order to trace the full activity of a sequence of related events. url p\_any\_domain\_names, p\_any\_ip\_addresses Parse url, extract the host portion after "http://" or "https://". Append host portion to p\_any\_domain\_names. If host portion is a valid ipv4 or ipv6 address then append to p\_any\_ip\_addresses. username p\_any\_usernames Append value into p\_any\_usernames. This field is also populated with values marked with the `email` indicator. The portion of the email value that precedes `@` will be appended to this field. [hashtag](https://docs.panther.com/search/panther-fields#enrichmentfields) Enrichment Fields ------------------------------------------------------------------------------------------------- The Panther rules engine will take the looked-up matches from [Lookup Tables](https://docs.panther.com/enrichment/custom) and append that data to the event using the key `p_enrichment` in the following JSON structure: Enrichment Field Name Type Description of Enrichment Field `p_enrichment` object Dictionary of lookup results where matching rows were found. `p_match` string `p_match` is injected into the data of each matching row within `p_enrichment`. Its value is the value that matched in the event. [hashtag](https://docs.panther.com/search/panther-fields#the-all_logs-view) The "all\_logs" view ----------------------------------------------------------------------------------------------------- Panther manages a view over all data sources with standard fields. This allows you to answer questions such as, "Was there _any_ activity from `some-bad-ip`, and if so, where?" The query below will show how many records, by log type, are associated with the IP address `95.123.145.92`: From these results, you can pivot to the specific logs where activity is indicated. [hashtag](https://docs.panther.com/search/panther-fields#standard-fields-in-detections) Standard Fields in detections -------------------------------------------------------------------------------------------------------------------------- The Panther standard fields can be used in detections. For example, the Python rule below triggers when any GuardDuty alert is on a resource tagged as `Critical`: [PreviousPanther-Managed Dashboardschevron-left](https://docs.panther.com/search/visualization-and-dashboards/panther-managed) [NextSaved and Scheduled Searcheschevron-right](https://docs.panther.com/search/scheduled-searches) Last updated 1 month ago Was this helpful? * [Required Fields](https://docs.panther.com/search/panther-fields#required-fields) * [Indicator Fields](https://docs.panther.com/search/panther-fields#indicator-fields) * [Enrichment Fields](https://docs.panther.com/search/panther-fields#enrichmentfields) * [The "all\_logs" view](https://docs.panther.com/search/panther-fields#the-all_logs-view) * [Standard Fields in detections](https://docs.panther.com/search/panther-fields#standard-fields-in-detections) Was this helpful? sun-brightdesktopmoon Copy { 'p_enrichment': { : { : , ... : , } } } Copy SELECT p_log_type, count(1) AS row_count FROM panther_views.public.all_logs WHERE p_occurs_between('2020-1-30', '2020-1-31') AND array_contains('95.123.145.92'::variant, p_any_ip_addresses) GROUP BY p_log_type Copy def rule(event): if 'p_any_aws_tags' in event: for tag in event['p_any_aws_tags']: if 'critical' in tag: return True return False sun-brightdesktopmoon --- # Saved and Scheduled Searches | Panther Docs [hashtag](https://docs.panther.com/search/scheduled-searches#overview) Overview ------------------------------------------------------------------------------------ You can avoid repeatedly creating the same searches in Panther's [Data Explorer](https://docs.panther.com/search/data-explorer) and [Search](https://docs.panther.com/search/search-tool) by saving your searches. You can also schedule searches created in Data Explorer, which allows you to then run results against a rule. This workflow includes the following features: * [Create a Saved Search](https://docs.panther.com/search/scheduled-searches#how-to-create-a-saved-search) , a preserved search expression. * [Create a Scheduled Search](https://docs.panther.com/search/scheduled-searches#how-to-create-a-scheduled-search) , a Saved Search that you can schedule to run on a designated interval. * [Create a Scheduled Rule](https://docs.panther.com/detections/rules#how-to-write-scheduled-rules) , a detection that's associated with a Scheduled Search. The data returned each time the search executes is run against the detection, alerting when matches are found. By default, each Panther account is limited to 10 active Scheduled Searches. This limit is only precautionary, and can be increased via a support request. There is no additional cost from Panther for raising this limit, however you may incur extra charges from the database backend, depending on the volume of data processed. circle-info In the [CLI workflowarrow-up-right](https://github.com/panther-labs/panther-docs/blob/main/docs/gitbook/search/scheduled-searches/broken-reference/README.md) , Saved and Scheduled Searches are often referred to as queries. [hashtag](https://docs.panther.com/search/scheduled-searches#how-to-create-a-saved-search) How to create a Saved Search ---------------------------------------------------------------------------------------------------------------------------- A Saved Search is a preserved search expression. Saving the searches your team runs frequently can help reduce duplicated work. You can create Saved Searches in the Panther Console (in either Search or Data Explorer), using the CLI workflow (PAT), or with the Panther API. You can also add variables in your Saved Searches, creating Templated Queries. Learn more on [Templated Queries and Macros](https://docs.panther.com/search/scheduled-searches/templated-searches) . Console CLI (PAT) API **How to create a Saved Search in the Panther Console** You can save a search in Panther's Data Explorer or Search. Searches saved in both tools are considered Saved Searches. Follow [these instructions for how to save a search in Data Explorer](https://docs.panther.com/search/data-explorer#create-a-saved-or-scheduled-search-in-data-explorer) , and [these instructions for how to save a search in Search](https://docs.panther.com/search/search-tool#creating-a-saved-search) . **How to create a Saved Search in the CLI workflow** Writing a Saved Search locally means creating a file that defines a SQL query on your own machine, then uploading it to your Panther instance (typically via the [Panther Analysis Tool](https://docs.panther.com/resources/help/glossary#panther-analysis-tool-pat) ). We recommend managing your local detection files in a version control system like GitHub or GitLab. circle-info It's best practice to create a fork of Panther's [open-source analysis repositoryarrow-up-right](https://github.com/panther-labs/panther-analysis) , but you can also create your own repo from scratch. **File setup** Each Saved Search consists of: * A YAML file (`.yml` or `.json` extension) containing [metadata attributes of the Saved Search](https://docs.panther.com/search/scheduled-searches#saved-search-specification-reference) . **Folder setup** If you group your queries into folders, each folder name must contain `queries` in order for them to be found during upload (using either PAT or the bulk uploader in the Console). We recommend grouping searches into folders based on log/resource type. You can use the open source [Panther Analysisarrow-up-right](https://github.com/panther-labs/panther-analysis) repo as a reference. **Write the Saved Search** In your Saved Search file (called, for example, `new-saved-search.yml`), write your Saved Search, following the template below. See the full list of available fields in the [Saved Search specification reference](https://docs.panther.com/search/scheduled-searches#saved-search-specification-reference) . Copy AnalysisType: saved_query QueryName: MySavedQuery Description: Example of a saved query for PAT Query: |- Your query goes here Tags: - Your tags **Upload the content with PAT** * Use the PAT upload command: `panther_analysis_tool upload --path --api-token --api-host https://api..runpanther.net/public/graphql` * Replace the values: * `` : The [API keyarrow-up-right](https://docs.panther.com/panther-developer-workflows/api#step-1-creating-an-api-token) you generated. * `` : The fairytale name of your instance (e.g. **carrot-tuna**.runpanther.net). * `` : The path to your Saved Search on your own machine. When your Saved Search is uploaded, each of the fields you would normally populate in the Panther Console will be auto-filled. See [Saved Search Specification Reference](https://docs.panther.com/search/scheduled-searches#saved-search-specification-reference) for a complete list of required and optional fields. **How to create a Saved Search in the Panther API** * See the `POST` operation on [Queries](https://docs.panther.com/panther-developer-workflows/api/rest/queries) . [hashtag](https://docs.panther.com/search/scheduled-searches#how-to-create-a-scheduled-search) How to create a Scheduled Search ------------------------------------------------------------------------------------------------------------------------------------ A Scheduled Search is a Saved Search that has been configured to run on a schedule. Using the Panther Console, currently only Saved Searches created in Data Explorer can be scheduled—Saved Searches created in Search (including those created in both SQL and [PantherFlow](https://docs.panther.com/pantherflow) ) _cannot_ be scheduled. You can alternatively create and upload Scheduled Searches using the CLI workflow or the Panther API. circle-info It's strongly recommended to use `p_occurs_since` in your Scheduled Search—[learn more below](https://docs.panther.com/search/scheduled-searches#using-p_occurs_since-to-define-a-lookback-window) . Note that creating a Scheduled Search alone won't run the returned data against detections or generate [signals](https://docs.panther.com/detections/signals) . To do this, you must also [create a Scheduled Rule](https://docs.panther.com/detections/rules#how-to-write-rules-and-scheduled-rules) , and associate it with your Scheduled Search. circle-exclamation [Customer-configured Snowflake](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/snowflake-setup#customer-configured-snowflake) accounts: Your company will incur costs on your database backend every time a Scheduled Search runs. Please make sure that your searches can complete inside the specified timeout period. This does not apply to accounts that use Panther-managed Snowflake. Data Explorer CLI (PAT) API **How to create a Scheduled Search in Data Explorer** To learn how to schedule your Saved Search created in Data Explorer, follow one of the below sets of instructions: * If you haven't yet created a Saved Search in Data Explorer, follow the [Create a Saved or Scheduled Search in Data Explorer](https://docs.panther.com/search/data-explorer#create-a-saved-or-scheduled-search-in-data-explorer) instructions, paying attention to **Create a scheduled search** in Step 4. * If you've already saved the search in Data Explorer, follow the [Update a Saved or Scheduled Search in Data Explorer](https://docs.panther.com/search/data-explorer#update-a-saved-or-scheduled-search-in-data-explorer) instructions, paying attention to Step 6. **How to create a Scheduled Search in the CLI workflow** Writing a Scheduled Search locally means creating a file that defines a SQL query on your own machine, then uploading it to your Panther instance (typically via the [Panther Analysis Tool](https://docs.panther.com/resources/help/glossary#panther-analysis-tool-pat) ). We recommend managing your local detection files in a version control system like GitHub or GitLab. circle-info It's best practice to create a fork of Panther's [open-source analysis repositoryarrow-up-right](https://github.com/panther-labs/panther-analysis) , but you can also create your own repo from scratch. **File setup** Each scheduled query consists of: * A YAML file (`.yml` or `.json` extension) containing [metadata attributes of the Scheduled Search](https://docs.panther.com/search/scheduled-searches#scheduled-search-specification-reference) . View an [example Scheduled Search YAML file herearrow-up-right](https://github.com/panther-labs/panther-analysis/blob/master/templates/example_scheduled_query.yml) . **Folder setup** If you group your searches into folders, each folder name must contain `queries` in order for them to be found during upload (using either PAT or the bulk uploader in the Console). We recommend grouping searches into folders based on log/resource type. You can use the open source [Panther Analysisarrow-up-right](https://github.com/panther-labs/panther-analysis) repo as a reference. **Write the Scheduled Query** In your Scheduled Search file (called, for example, `new-scheduled-search.yml`), write your Scheduled Search, following the template below. See the full list of available fields in the [Scheduled Search specification reference](https://docs.panther.com/search/scheduled-searches#scheduled-search-specification-reference) . **Upload the content with PAT** * Use the PAT upload command: `panther_analysis_tool upload --path --api-token --api-host https://api..runpanther.net/public/graphql` * Replace the values: * `` : The [API keyarrow-up-right](https://docs.panther.com/panther-developer-workflows/api#step-1-creating-an-api-token) you generated. * `` : The fairytale name of your instance (e.g. **carrot-tuna**.runpanther.net). * `` : The path to your Saved Query on your own machine. When your Scheduled Search is uploaded, each of the fields you would normally populate in the Panther Console will be auto-filled. See [Scheduled Search Specification Reference](https://docs.panther.com/search/scheduled-searches#scheduled-search-specification-reference) for a complete list of required and optional fields. **How to create a Scheduled Search in the Panther API** * See the `POST` operation on [Queries](https://docs.panther.com/panther-developer-workflows/api/rest/queries) . ### [hashtag](https://docs.panther.com/search/scheduled-searches#using-p_occurs_since-to-define-a-lookback-window) Using `p_occurs_since` to define a lookback window To define a lookback window in your Scheduled Search, it's strongly recommended to use the Panther SQL macro [`p_occurs_since`](https://docs.panther.com/search/data-explorer#time-offset-from-present-p_occurs_since) . When a Scheduled Search runs, the "now" time in `p_occurs_since` is replaced with the scheduled time (rather than the actual current time). This makes the lookback window precise. With each run, the Search steps forward in time according to its schedule. Using `p_occurs_since` protects against disruption due to Snowflake or cloud provider outages. If the Scheduled Search cannot be run due to an outage, the scheduled time is not advanced. Once the outage is recovered and queries can again be run, the Scheduled Search steps forward in time until it is caught up to the current schedule and no longer behind. ### [hashtag](https://docs.panther.com/search/scheduled-searches#how-to-use-the-scheduled-search-crontab) How to use the Scheduled Search crontab Panther's Scheduled Search crontab uses the standard crontab notation consisting of five fields: minutes, hours, day of month, month, day of week. Additionally, you will find a search timeout selector (with a maximum value currently set at 10 minutes). The expression will run on UTC. The interpreter uses a subset of the standard crontab notation: If you want to specify day by day, you can separate days with dashes (`1-5` is Monday through Friday) or commas, for example `0,1,4` in the `Day of Week` field will execute the command only on Sundays, Mondays and Thursdays. Currently, we do not support using named days of the week or month names. Using the crontab allows you to be more specific in your schedule than the Period frequency option: ![The Cron expression screen displays options for selecting a time range for the scheduled query to run.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-47ff299d7907508c7bc93af03d552fc49bac8be2%252Fscheduled-query-crontab.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=2498a491&sv=2) ### [hashtag](https://docs.panther.com/search/scheduled-searches#how-to-configure-a-scheduled-search-to-generate-an-email-report) How to configure a Scheduled Search to generate an email report circle-info Email reporting is in open beta starting with Panther version 1.115, and is available to all customers. Please share any bug reports and feature requests with your Panther support team. You can configure a Scheduled Search to send an email report each time it runs. The email report contains a download link for the results (if there are more than zero), a link to the search in Data Explorer, and optionally a CSV attachment containing the search results. If the Scheduled Search is associated to any Scheduled Rules, those Scheduled Rules will process returned data as usual. circle-info Email reports are sent from `[[email protected]](https://docs.panther.com/cdn-cgi/l/email-protection) `. It's recommended to add this address to your personal or organizational allowlist to avoid the emails being labeled as spam. ![Under the Panther logo, a title reads, "1 events found by your scheduled search." Below that is a "Download search results as CSV" button.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-1ce29e26b6f04ba01191a75c5bbd046690aa7868%252FScreenshot%25202025-09-16%2520at%25209.05.16%25E2%2580%25AFPM.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=131090e7&sv=2) The following parameters for email reports apply: * Each email report can be sent to a maximum of 10 recipients. * The maximum size of the CSV attachment is 10 MB. If your query results are large enough that the CSV exceeds this size, the CSV will not be attached to the email. * You can send up to 20 email reports per day, across all Scheduled Searches in your Panther instance. * The number of email reports sent per day depends on how often your Scheduled Searches run. * For example, if you have one Scheduled Search that sends 15 email reports per day, and another that sends five email reports per day, you will be unable to configure an additional Scheduled Search to generate email reports unless you reduce the frequency of the existing configurations. Only Scheduled Searches can be configured for email reporting—because searches made in [Search](https://docs.panther.com/search/search-tool) with [PantherFlow](https://docs.panther.com/pantherflow) or [filter expressions](https://docs.panther.com/search/search-tool#creating-filter-expressions) can be [saved but not scheduled](https://docs.panther.com/search/search-tool#creating-a-saved-search) , they cannot be configured to generate email reports. Console CLI (PAT) API **How to configure a Scheduled Search to generate an email report in the Panther Console** 1. Follow the [Create a Saved or Scheduled Search in Data Explorer](https://docs.panther.com/search/data-explorer#create-a-saved-or-scheduled-search-in-data-explorer) instructions, ensuring the **Email scheduled search results** toggle is set to **ON**. * If you'd like to configure an existing Scheduled Search, access its **Update Search** modal by following the [Update a Saved Search's metadata](https://docs.panther.com/search/scheduled-searches#update-a-saved-searchs-metadata) instructions, and set the **Email scheduled search results** toggle to **ON**. ![In a "Save Search" modal, various fields, such as "Tags" and "Description" are visible. An "Email scheduled search results" toggle is circled.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-09a518db1469ee223503f33f013113cfa3bbf742%252Fsched_search.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=5033662a&sv=2) 2. Configure the email report settings: * **Recipients**: Select or enter up to 10 recipients. The values in the dropdown list are the users in your Panther Console, but you can also type in additional email addresses. * **Attach CSV data to the email**: Toggle **ON** if you'd like the email report to contain a CSV attachment containing the query results (up to 10MB). * **Send an email even if search returns 0 results**: Toggle **ON** if you'd like the email report to be sent even if the Scheduled Search generates zero results. ![Three toggles are shown: Email scheduled search results, Attach CSV data to the email, and Send an email even if search returns 0 results.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-dd25da61caf964be1ed45115e4e7b9557164349b%252FScreenshot%25202025-09-10%2520at%25202.54.31%25E2%2580%25AFPM.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=2cc4d8dd&sv=2) **How to configure a Scheduled Search to generate an email report in the CLI workflow** You can configure a Scheduled Search for email reporting adding an `EmailConfig` object at the root level in the YAML file, along with the `Recipients`, `SendEmpty`, and `PreferAttachment` nested fields. Learn more about these fields below, in the [Scheduled Search specification reference](https://docs.panther.com/search/scheduled-searches#scheduled-search-specification-reference) . **How to configure a Scheduled Search to generate an email report in the Panther API** * See the `POST` operation on [Queries](https://docs.panther.com/panther-developer-workflows/api/rest/queries) . [hashtag](https://docs.panther.com/search/scheduled-searches#using-saved-and-scheduled-searches) Using Saved and Scheduled Searches ---------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/search/scheduled-searches#how-to-delete-or-download-a-saved-search) How to delete or download a Saved Search You can delete Saved Searches individually or in bulk. Note that if a Saved Search is scheduled (i.e., it's a Scheduled Search), it must be unlinked from any Scheduled Rules it's associated to in order to be deleted. 1. In the left-hand navigation bar of your Panther Console, click **Investigate** > **Saved Searches**. 2. In the list of Saved Searches, find the search or searches you'd like to download or delete. Check the box to the left of the name of each search. 3. At the top of the page, click either **Download** or **Delete**. ![The top of the Saved Queries page is shown, with two buttons: "Download" and "Delete"](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-d575f18561cfc2324d109d6e566113102a80c3d6%252FScreenshot%25202023-03-27%2520at%25202.44.37%2520PM.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=e99f75c9&sv=2) * If you clicked **Download**, a `saved_queries.zip` file will be downloaded. * If you clicked **Delete**, an **Attention!** modal will pop up. Click **Confirm**. ![A modal titled "Attention!" is shown, with the text, "Are you sure you want to delete these (2) selected Saved Queries" and there are "Cancel" and "Confirm" buttons](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-4b46528c42e90ef03486dbf5730678500ca4d68a%252FScreenshot%25202023-10-02%2520at%252010.10.05%2520AM.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=70a0a5f2&sv=2) ### [hashtag](https://docs.panther.com/search/scheduled-searches#how-to-deactivate-a-scheduled-search) How to deactivate a Scheduled Search 1. In the left-hand navigation bar of your Panther Console, click **Investigate** > **Saved Searches**. 2. Find the Scheduled Search you'd like to deactivate, and in the upper right corner of its tile, click the three dots icon. ![The image shows a query from the list of queries in the Panther Console. In the right side, there is a red arrow pointing to the 3 dots icon.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-65ce9f39260fd7bd2460c18f1a54f257a3852455%252Fquery-options.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=edc8beac&sv=2) 3. In the dropdown menu, click **Edit Search Metadata**. 4. In the **Update Search** form, toggle the setting **Is it active?** to **OFF** to disable the query. ![The "Update Search" form is displayed. It contains fields for Search Name, Tags, Description, and Default Database. The toggle next to "Is it active?" is set to "Off."](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-91f7ba5c3413baf5bd67bee782fe71f935573e5d%252FScreenshot%25202023-10-02%2520at%252010.12.13%2520AM.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=2570399f&sv=2) 5. Click **Update Query** to save your changes. ### [hashtag](https://docs.panther.com/search/scheduled-searches#update-a-saved-searchs-metadata) Update a Saved Search's metadata To edit a Saved Search's name, tags, description, and default database (and, for Scheduled Searches, whether it's active, its frequency, and its [email report settings](https://docs.panther.com/search/scheduled-searches#how-to-configure-a-scheduled-search-to-generate-an-email-report) ): 1. In the left-hand navigation bar of your Panther Console, click **Investigate** > **Saved Searches**. 2. Locate the query you'd like to edit, and click the three dots icon in the upper right corner of its tile. ![The 3 dots icon is expanded to a dropdown menu. The option "Edit Search Metadata" is highlighted.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-217a7d93b9ddc70c74bf150a4063b62aab0eb309%252FScreenshot%25202023-10-02%2520at%252010.14.23%2520AM.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=23eef92c&sv=2) 3. In the dropdown menu, click **Edit Search Metadata**. 4. Make changes in the **Update Search** form as needed. 5. Click **Update Search**. ### [hashtag](https://docs.panther.com/search/scheduled-searches#search-for-saved-searches) Search for Saved Searches On the Saved Searches page, you can search for queries using: * The search bar at the top of the queries list * The date range selector in the upper right corner * The **Filters** option in the upper right corner * Filter by whether the query is scheduled, whether its active, its type (**Native SQL**, **Search**, or **PantherFlow Search**), or by up to 100 tags. ![in the Saved Searches list, use the date range or filters in the upper right corner to search for queries. In the image, the date range selector is circled and the Filters button is circled.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-342a3fdcf080f3183eb37ea7766ce53b32331d18%252FScreenshot%25202023-10-02%2520at%252010.18.50%2520AM.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=4f78acb3&sv=2) Click on the name of the Saved Search to be taken directly to Data Explorer (for **Native SQL** queries) or Search (for **Search** and **PantherFlow Search** searches) with the query populated. ### [hashtag](https://docs.panther.com/search/scheduled-searches#use-limits-in-scheduled-searches) Use `LIMIT`s in Scheduled Searches In the Panther Data Lake settings page, you can optionally enable a setting that will check if a Scheduled Search has a `LIMIT` clause specified. Use this option if you're concerned about a Scheduled Search unintentionally returning thousands of results, potentially resulting in alert delays, Denial of Service (DoS) for downstream systems and general cleanup overhead from poorly tuned queries. circle-info Scheduled Searches that result in a timeout will generate a [`System Error`](https://docs.panther.com/system-configuration/notifications/system-errors) to identify that the Scheduled Search was unsuccessful. 1. In the upper right corner of the Panther Console, click the gear icon. In the dropdown menu that appears, click **General**. ![The gear icon's dropdown menu is expanded, showing options for General, Users, User Roles, API Tokens, and API Playground.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-121bf556d2dff1ab321d37338c87c8b3ca75544c%252Fimage.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=c3252df&sv=2) 2. Click the **Data Lake** tab. 3. Scroll down to the **Scheduled Queries** header. Below the header, you will see the LIMIT clause toggle setting: ![At the top, a tab labeled Data Lake is selected. Near the bottom of the screen, there is a header called "Scheduled Queries." The option "LIMIT Clause for Scheduled Queries" is set to "Off."](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-7154406b308fdb2c72bdaa1f4f64b362e5dba3b5%252Fimage.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=de20e4ba&sv=2) 4. Toggle the `**LIMIT**` **Clause for Scheduled Queries** setting to **ON** to start enforcing LIMITs in Scheduled Queries. ![The toggle next to "LIMIT Clause for Scheduled Queries" is set to "On."](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-1b312a812cd23351da22239f65fe8b032fd0e368%252Fimage.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=bb713e9d&sv=2) When this field is set to **ON**, any new Scheduled Searches marked as active cannot be saved unless a LIMIT clause is specified in the query definition. ![](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-72726a7347bb7e2fe80ed5278a0ffd8fc8a8864f%252Fimage.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=e74544ac&sv=2) The image shows the query creation screen. There is a red banner at the top that says "Unable to create Saved query. This scheduled query does not contain a LIMIT clause in the SQL expression. Update the SQL expression to add a LIMIT clause to save this scheduled query." Existing Scheduled Searches without a LIMIT clause will appear with a warning message in the list of Saved Searches, and edits cannot be saved unless a LIMIT clause is included. ![A Scheduled Query without a LIMIT clause shows a warning banner that says "This Scheduled Query does not contain a LIMIT clause in the SQL expression."](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-3e7e7d0e9f4a1f95319b0aaa2e66f1bb856cb9f3%252Fimage.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=48e0e22&sv=2) The setting only checks for the existence of a LIMIT clause anywhere in the Saved Search. It does not check specifically for outer LIMIT clauses. ### [hashtag](https://docs.panther.com/search/scheduled-searches#exporting-scheduled-searches-from-your-panther-console) Exporting Scheduled Searches from your Panther Console You can export a .zip file of all of the detections and Scheduled Searches in your Panther Console: 1. In the left-hand navigation bar of your Panther Console, click **Detections**. 2. In the upper-right corner, click **Upload**. 3. In the **Bulk Uploader** modal, click **Download all entities**. [hashtag](https://docs.panther.com/search/scheduled-searches#saved-search-specification-reference) Saved Search specification reference -------------------------------------------------------------------------------------------------------------------------------------------- Required fields are in **bold**. A complete list of Saved Search specification fields: Field Name Description Expected Value `**AnalysisType**` Indicates whether this analysis is a Rule, Policy, Scheduled Search, Saved Search, or global. `saved_query` `**QueryName**` A friendly name to show in the UI. String `Tags` Tags used to categorize this rule. List of strings `Description` A brief description of the rule. String `**Query**` A data query. Must be written in SQL (i.e., cannot be [PantherFlow](https://docs.panther.com/pantherflow) ). String [hashtag](https://docs.panther.com/search/scheduled-searches#scheduled-search-specification-reference) Scheduled Search specification reference ---------------------------------------------------------------------------------------------------------------------------------------------------- Required fields are in **bold**. A complete list of Scheduled Search specification fields: Field Name Description Expected Value `**AnalysisType**` Indicates whether this analysis is a Rule, Policy, Scheduled Search, Saved Search, or global. `scheduled_query` `**QueryName**` A friendly name to show in the UI. String `**Enabled**` Whether this rule is enabled. Boolean `Tags` Tags used to categorize this rule. List of strings `Description` A brief description of the rule. String `**Query**` A data query. String `**Schedule**` The schedule that this query should run. Expressed with a CronExpression or in Rate Minutes. TimeoutMinutes is required to release the query if it takes longer than expected. Note that cron and rate minutes are mutually exclusive. Map `EmailConfig` If provided, [generating email reports](https://docs.panther.com/search/scheduled-searches#how-to-configure-a-scheduled-search-to-generate-an-email-report) for your Scheduled Search. Supports three nested fields: * (Required) `Recipients`: An array of strings, each containing an email address to send the email report to. There is a maximum of 10 recipients. * (Optional) `PreferAttachment`: A boolean field that defaults to `false`. If set to `true`, the email report will contain a CSV attachment of the Scheduled Search results (if the results fit within the 10 MB attachment size limit). * (Optional) `SendEmpty`: A boolean field that defaults to `false`. If set to `true`, the email report will be sent even if the Scheduled Search generates zero results. Map [PreviousStandard Fieldschevron-left](https://docs.panther.com/search/panther-fields) [NextTemplated Searcheschevron-right](https://docs.panther.com/search/scheduled-searches/templated-searches) Last updated 1 month ago Was this helpful? * [Overview](https://docs.panther.com/search/scheduled-searches#overview) * [How to create a Saved Search](https://docs.panther.com/search/scheduled-searches#how-to-create-a-saved-search) * [How to create a Scheduled Search](https://docs.panther.com/search/scheduled-searches#how-to-create-a-scheduled-search) * [Using p\_occurs\_since to define a lookback window](https://docs.panther.com/search/scheduled-searches#using-p_occurs_since-to-define-a-lookback-window) * [How to use the Scheduled Search crontab](https://docs.panther.com/search/scheduled-searches#how-to-use-the-scheduled-search-crontab) * [How to configure a Scheduled Search to generate an email report](https://docs.panther.com/search/scheduled-searches#how-to-configure-a-scheduled-search-to-generate-an-email-report) * [Using Saved and Scheduled Searches](https://docs.panther.com/search/scheduled-searches#using-saved-and-scheduled-searches) * [How to delete or download a Saved Search](https://docs.panther.com/search/scheduled-searches#how-to-delete-or-download-a-saved-search) * [How to deactivate a Scheduled Search](https://docs.panther.com/search/scheduled-searches#how-to-deactivate-a-scheduled-search) * [Update a Saved Search's metadata](https://docs.panther.com/search/scheduled-searches#update-a-saved-searchs-metadata) * [Search for Saved Searches](https://docs.panther.com/search/scheduled-searches#search-for-saved-searches) * [Use LIMITs in Scheduled Searches](https://docs.panther.com/search/scheduled-searches#use-limits-in-scheduled-searches) * [Exporting Scheduled Searches from your Panther Console](https://docs.panther.com/search/scheduled-searches#exporting-scheduled-searches-from-your-panther-console) * [Saved Search specification reference](https://docs.panther.com/search/scheduled-searches#saved-search-specification-reference) * [Scheduled Search specification reference](https://docs.panther.com/search/scheduled-searches#scheduled-search-specification-reference) Was this helpful? sun-brightdesktopmoon Copy AnalysisType: scheduled_query QueryName: ScheduledQuery_Example Description: Example of a scheduled query for PAT Enabled: true Query: |- Select 1 Tags: - Your tags Schedule: CronExpression: "0 0 29 2 *" RateMinutes: 0 TimeoutMinutes: 2 Copy ┌───────── minute (0 - 59) │ ┌──────── hour (0 - 23) │ │ ┌────── day of month (1 - 31) │ │ │ ┌──── month (1 - 12) │ │ │ │ ┌── day of week (0 - 6 => Sunday - Saturday) │ │ │ │ │ ↓ ↓ ↓ ↓ ↓ * * * * * Copy AnalysisType: scheduled_query QueryName: ScheduledQuery_Example Description: Example of an email report for PAT Enabled: true Schedule: RateMinutes: 900 TimeoutMinutes: 2 EmailConfig: Recipients: - [email protected] - [email protected] SendEmpty: true PreferAttachment: true Copy CronExpression: "0 0 29 2 *" RateMinutes: 0 TimeoutMinutes: 2 Copy EmailConfig: Recipients: - [email protected] - [email protected] PreferAttachment: true SendEmpty: false sun-brightdesktopmoon --- # CI/CD for Panther Content | Panther Docs Panther customers can automate their [detection pipeline](https://docs.panther.com/panther-developer-workflows/detections-repo) , work with custom logs via [pantherlog](https://docs.panther.com/panther-developer-workflows/pantherlog) , and improve security with a CI/CD workflow. Learn about other non-web application-based workflows in the [Panther Developer Workflows Overview](https://docs.panther.com/panther-developer-workflows/overview) . For information on web application-based workflows to manage your detections and custom logs directly in the Panther Console, see the [Writing and Editing Detections](https://docs.panther.com/detections/rules/python) and [Custom Logs](https://docs.panther.com/data-onboarding/custom-log-types) documentation pages. To learn how to migrate from Console workflows to CI/CD, see [Migrating to a CI/CD Workflow](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/migrating-to-a-ci-cd-workflow) . Panther's CI/CD documentation walks through setting up a workflow such as the following: circle-info Currently, only Python Panther-managed detections are available for you to clone, modify, and upload. YAML Panther-managed detections are planned for a future release. 1. Forking or cloning the [panther-analysisarrow-up-right](https://github.com/panther-labs/panther-analysis) repo to leverage Panther-managed Python detections. * The Python detections in panther-analysis are broadly applicable, and can be customized to ensure that you are receiving only the alerts that are most important to your organization. * See [Using panther-analysis](https://docs.panther.com/panther-developer-workflows/detections-repo) for instructions. 2. Pulling updates from panther-analysis to take advantage of new Python detections and other content updates. * This process allows you to sync to the upstream panther-analysis repository in order to receive new Python detections and other detection content updates. * See [Public Fork](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork) or [Private Clone](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/private-cloned-repo) for instructions, depending on your organization's chosen method. 3. Adapting the detections to fit within your CI/CD workflow and uploading them to your Panther Console. * See [Deployment workflows using Panther Analysis Tool](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows) for instructions on using PAT and managing Panther content via CircleCI or GitHub Actions. * If you choose to manually upload your content to the Panther Console, see [Uploading content in the Panther Console](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/pat-commands#uploading-content-in-the-panther-console) . [PreviousPublic Forkchevron-left](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork) [NextDeployment Workflows Using Panther Analysis Toolchevron-right](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows) Last updated 11 days ago Was this helpful? Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Panther Analysis Tool | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#overview) Overview ---------------------------------------------------------------------------------------------------------- Panther Analysis Tool (PAT) is a CLI tool you can use to test, package and upload locally managed detection content (among other actions—view them all on [PAT Commands](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/pat-commands) ). It's designed for developer-centric Panther workflows, such as managing your detection content programmatically, and [integrating with CI/CD pipelines](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd) . PAT is open-source—see its [GitHub repository herearrow-up-right](https://github.com/panther-labs/panther_analysis_tool) . If you'd instead prefer to manage detection content in the Panther Console using web application-based workflows, see [Detections](https://docs.panther.com/detections) . [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#uploading-to-panther) Getting started with PAT -------------------------------------------------------------------------------------------------------------------------------------- Before you can use PAT to test, package, and upload your detection content, you'll need to install it, set configuration values, and generate an API token for authentication. Learn how to complete each of these steps on [Install, Configure, and Authenticate with PAT](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/install-configure-and-authenticate-with-pat) . [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#uploading-to-panther-1) Managing detections with PAT -------------------------------------------------------------------------------------------------------------------------------------------- After you've completed PAT setup, you can start using it to manage your detection content with commands like [test](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/pat-commands#test-running-tests-with-pat) , [validate](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/pat-commands#validate-ensuring-detection-content-is-ready-to-be-uploaded) , [zip](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/pat-commands#zip-creating-a-package-to-upload-to-the-panther-console) , and [upload](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/pat-commands#upload-uploading-packages-to-panther-directly) . Explore all you can do with PAT on [Panther Analysis Tool Commands](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/pat-commands) . ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#uploading-to-panther-2) Writing custom detection content locally Before you use PAT to upload your custom detection content to your Panther instance, you can need to create it locally. Writing detection content locally means creating files that define it on your own machine. Learn how to write different types of detection content locally on the following pages: * Detections * [Writing Python rules and scheduled rules locally](https://docs.panther.com/detections/rules#how-to-write-rules-and-scheduled-rules) * [Writing Simple Detections (rules) locally](https://docs.panther.com/detections/rules/writing-simple-detections#how-to-create-a-simple-detection-rule-in-yaml) * [Creating Derived Detections (rules)](https://docs.panther.com/detections/rules/derived#how-to-create-a-derived-detection) * [Writing correlation rules locally](https://docs.panther.com/detections/correlation-rules#creating-a-correlation-rule-in-yaml-in-the-cli-workflow) * [Writing policies locally](https://docs.panther.com/detections/policies#how-to-write-a-policy) * Other detection content * [Writing Saved Searches locally](https://docs.panther.com/search/scheduled-searches#how-to-create-a-saved-search) * [Writing Scheduled Searches locally](https://docs.panther.com/search/scheduled-searches#how-to-create-a-scheduled-search) * [Using Lookup Tables locally](https://docs.panther.com/enrichment/custom#how-to-configure-a-lookup-table) * [Creating Data Models locally](https://docs.panther.com/detections/rules/python/data-models#how-to-create-a-data-model-in-the-cli-workflow) * [Creating global helpers locally](https://docs.panther.com/detections/rules/python/globals#adding-custom-globals) ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#customizing-panther-managed-detections) Customizing Panther-managed detections You can also use PAT to manage [Panther-managed](https://docs.panther.com/detections/panther-managed) detections you've customized. To manage custom detections, you can privately clone or publicly fork the public [panther-analysis GitHub repositoryarrow-up-right](https://github.com/panther-labs/panther-analysis) . Then, upon [tagged releasesarrow-up-right](https://github.com/panther-labs/panther-analysis/releases) , you can pull upstream changes. Learn how to fork or clone the panther-analysis repository on [Using the Panther detections repo](https://docs.panther.com/panther-developer-workflows/detections-repo) . #### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#getting-updates-of-panther-managed-detections) Getting updates of Panther-managed detections When you want to update your detections with the latest versions from Panther Analysis, run `pat update`. This will automatically merge the latest version of a detection with your local copy. Any detections with merge conflicts will be printed out and can be resolved with `pat merge `. * You can run with the `--auto-accept` option to pick your changes or Panther's changes automatically for each merge conflict. * You can run with the `--write-merge-conflicts` to solve all conflicts all at once instead of one at a time. * To get updates, the detection must have a `BaseVersion` field set. If it does not have one yet, use `pat migrate ` to add it. If you would like to get new content Panther Analysis has released, you can use `pat install`. You can view what the new content looks like before cloning it with `pat explore`. [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#troubleshooting-the-panther-analysis-tool) Troubleshooting the Panther Analysis Tool ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Visit the Panther Knowledge Base to [view articles about the Panther Analysis Toolarrow-up-right](https://help.panther.com/Panther_Developer_Workflows/Panther_Analysis_Tool_(PAT)) that answer frequently asked questions and help you resolve common errors and issues. [PreviousUsing panther-analysischevron-left](https://docs.panther.com/panther-developer-workflows/detections-repo) [NextInstall, Configure, and Authenticate with the Panther Analysis Toolchevron-right](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/install-configure-and-authenticate-with-pat) Last updated 6 days ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#overview) * [Getting started with PAT](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#uploading-to-panther) * [Managing detections with PAT](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#uploading-to-panther-1) * [Writing custom detection content locally](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#uploading-to-panther-2) * [Customizing Panther-managed detections](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#customizing-panther-managed-detections) * [Troubleshooting the Panther Analysis Tool](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#troubleshooting-the-panther-analysis-tool) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Managing Panther Content via CircleCI | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci#overview) Overview ------------------------------------------------------------------------------------------------------------------------------------------- You can configure CircleCI to automate testing and upload your detection pipeline from your source repository to your Panther Console. This guide explains how to: * Configure your repository to support CircleCI. * Configure CircleCI to automatically upload detection content you commit to your repository to your Panther instance. See [CI/CD for Panther Content](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd) for information on starting your CI/CD workflow with Panther. [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci#setting-up-circleci) Setting up CircleCI ----------------------------------------------------------------------------------------------------------------------------------------------------------------- To use CircleCI to upload detection content to your Panther instance, you'll create a CircleCI job on your repository, then configure environment variables for Panther API credentials. ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci#prerequisites) Prerequisites * Generate an API token from your Panther Console. * See [these instructions on generating an API token](https://docs.panther.com/panther-developer-workflows/api#how-to-create-a-panther-api-token) . * If you do not already have a CircleCI account, [create a free onearrow-up-right](https://circleci.com/signup) . ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci#step-1-set-up-your-detections-repository) Step 1: Set up your detections repository * If you do not already have a repository set up for your Panther detection content, create one. It is recommended to either [privately clone](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/private-cloned-repo) or [publicly fork](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork) Panther's [panther-analysis repositoryarrow-up-right](https://github.com/panther-labs/panther-analysis) . ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci#step-2-add-a-circleci-job-to-your-repository) Step 2: Add a CircleCI job to your repository In order for CircleCI to test and upload the detection content you commit to the `main` branch of your `panther-analysis` repository, you need to create a CircleCI job. 1. On the command line, navigate to the root of your private local repository: `cd path/to/your/repository` 2. Create a new directory for the CircleCI configuration, as well as a new configuration file: `mkdir .circleci && touch .circleci/config.yml` 3. Open `config.yml` and paste the following: 4. Add, commit, and push the changes to your repository: `git add . && git commit -m 'adding initial circleci configuration' && git push` ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci#step-3-add-panther-api-credentials-as-environment-variables) Step 3: Add Panther API credentials as environment variables Ensure that the environment variables `PANTHER_API_TOKEN` and `PANTHER_API_HOST` are set to allow for correct authentication. 1. Sign in to [CircleCIarrow-up-right](https://circleci.com/vcs-authorize/) and select the organization your project is in. 2. In the left-hand navigation menu, click **Projects**. 3. In your projects list, locate the `panther-analysis` repository. On the right side of the project, click **...** then **Project Settings**. ![In the CircleCI console, the Projects screen is shown. The three dots icon has been selected on the panther-analysis project.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-abb4d67aacc8bcedb4e45fa91db69f536c072abf%252Fcircleci-project-settings%2520%281%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29.jpeg%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=190152b2&sv=2) 4. In the left-hand navigation menu, click **Environment Variables**. 5. Click **Add Environment Variable**, and add `INTERNAL_API_TOKEN` and `INTERNAL_API_HOST`. ![In the CircleCI console, the Project Settings screen is shown. There is a button to "Add Environment Variable"](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-8d99839757052e9a5cba86334ecf84617fdad8c8%252Fimage.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=c2f1926b&sv=2) * See the CircleCI documentation on [Using Environment Variablesarrow-up-right](https://circleci.com/docs/env-vars) for more information. Check out [Panther Analysis Tool Commandsarrow-up-right](https://docs.panther.com/panther-developer-workflows/ci-cd/deployment-workflows/pat/pat-commands) for more information on the Panther Analysis tool. [PreviousDeployment Workflows Using Panther Analysis Toolchevron-left](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows) [NextManaging Panther Content via GitHub Actionschevron-right](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/github-actions) Last updated 1 month ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci#overview) * [Setting up CircleCI](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci#setting-up-circleci) * [Prerequisites](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci#prerequisites) * [Step 1: Set up your detections repository](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci#step-1-set-up-your-detections-repository) * [Step 2: Add a CircleCI job to your repository](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci#step-2-add-a-circleci-job-to-your-repository) * [Step 3: Add Panther API credentials as environment variables](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci#step-3-add-panther-api-credentials-as-environment-variables) Was this helpful? sun-brightdesktopmoon Copy version: 2.1 jobs: upload: docker: - image: 'cimg/python:3.11' steps: - checkout - run: name: Set up the virtual environment and install dependencies command: make venv - run: name: Run unit tests command: pipenv run panther_analysis_tool test - run: name: Upload detection content # (Optional) Add `--filter Enabled=true` to command below to only upload Enabled detections command: | PANTHER_API_HOST=$INTERNAL_API_HOST \ PANTHER_API_TOKEN=$INTERNAL_API_TOKEN \ pipenv run -- panther_analysis_tool upload workflows: panther: jobs: - upload: filters: branches: only: - main sun-brightdesktopmoon --- # PantherFlow Expressions | Panther Docs circle-info PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team. [hashtag](https://docs.panther.com/pantherflow/expressions#references) References -------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/pantherflow/expressions#array-references) Array references Syntax Description Example `array[X]` Retrieve value at X `foo[1]` ### [hashtag](https://docs.panther.com/pantherflow/expressions#object-references) Object references Syntax Description Example `object['X']` Retrieve value at X `foo['bar']` `object.X` Retrieve value at X `foo.bar` [hashtag](https://docs.panther.com/pantherflow/expressions#comparisons) Comparisons ---------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/pantherflow/expressions#equality-comparisons) Equality comparisons Operator Description Example `==` Equality `A == B` `!=` Inequality `A != B` ### [hashtag](https://docs.panther.com/pantherflow/expressions#boolean-comparisons) Boolean comparisons Operator Description Example `and` Logical and `A and B` `or` Logical or `A or B` `not` Logical not `not A` ### [hashtag](https://docs.panther.com/pantherflow/expressions#numerical-comparisons) Numerical comparisons Syntax Description Example `<` Less than `A < B` `<=` Less than or equal to `A <= B` `>` Greater than `A > B` `>=` Greater than or equal to `A >= B` `+` Add `A + B` `-` Subtract `A - B` `*` Multiply `A * B` `/` Divide `A / B` `%` Modulo `A % B` ### [hashtag](https://docs.panther.com/pantherflow/expressions#array-comparisons) Array comparisons Syntax Description Example `in` Value is in array `X in [X, Y, Z]`, `'10.10.10.100' in p_any_ip_addresses` `not in` Value is not in array `X not in [A, B, C]` ### [hashtag](https://docs.panther.com/pantherflow/expressions#between-comparisons) Between comparisons Operator Description Example `between` Value is between two values (inclusive), which are separated by `..` ` between .. ` `not between` Value is not between two values (exclusive), which are separated by `..` ` not between .. ` [hashtag](https://docs.panther.com/pantherflow/expressions#functions) Functions ------------------------------------------------------------------------------------ ### [hashtag](https://docs.panther.com/pantherflow/expressions#anonymous-functions) Anonymous functions An anonymous function, or "lambda function," is an unnamed function that can be used as an argument to the `arrays.map()` and `arrays.filter()` functions. Anonymous functions have zero or more parameters and a body that is an expression: #### [hashtag](https://docs.panther.com/pantherflow/expressions#example-add-one-to-a-number-in-arrays.map) Example: **Add one to a number in** `**arrays.map()**` In the example below, the anonymous function is applied to each of the elements in the array provided as the first argument to `arrays.map()`: After `arrays.map()` applies the function on each element, the array becomes: #### [hashtag](https://docs.panther.com/pantherflow/expressions#example-compare-to-null-in-arrays.filter) **Example: Compare to null in** `**arrays.filter()**` In the example below, `arrays.filter()` uses the anonymous function as the filter condition: After `arrays.filter()` filters the list using the anonymous function, it becomes: #### [hashtag](https://docs.panther.com/pantherflow/expressions#example-nest-multiple-anonymous-functions) **Example: Nest multiple anonymous functions** It's possible to nest anonymous functions, or use an anonymous function in the body of another anonymous function. This can be useful for extracting arrays within arrays: results `[{"CatName":"Whiskers","ID":"AAAAA"},{"CatName":"Mittens","ID":"BBBBB"},{"CatName":"Mr. Meow","ID":"CCCCC"},{"CatName":"Mrs. Meow","ID":"DDDDD"}]` [PreviousPantherFlow Data Typeschevron-left](https://docs.panther.com/pantherflow/data-types) [NextPantherFlow Functionschevron-right](https://docs.panther.com/pantherflow/functions) Last updated 10 months ago Was this helpful? * [References](https://docs.panther.com/pantherflow/expressions#references) * [Array references](https://docs.panther.com/pantherflow/expressions#array-references) * [Object references](https://docs.panther.com/pantherflow/expressions#object-references) * [Comparisons](https://docs.panther.com/pantherflow/expressions#comparisons) * [Equality comparisons](https://docs.panther.com/pantherflow/expressions#equality-comparisons) * [Boolean comparisons](https://docs.panther.com/pantherflow/expressions#boolean-comparisons) * [Numerical comparisons](https://docs.panther.com/pantherflow/expressions#numerical-comparisons) * [Array comparisons](https://docs.panther.com/pantherflow/expressions#array-comparisons) * [Between comparisons](https://docs.panther.com/pantherflow/expressions#between-comparisons) * [Functions](https://docs.panther.com/pantherflow/expressions#functions) * [Anonymous functions](https://docs.panther.com/pantherflow/expressions#anonymous-functions) Was this helpful? sun-brightdesktopmoon Copy fn ([arg1] [, arg2...]]) { } Copy arrays.map([1, 2, 3], fn (r) { r + 1 }) Copy [2, 3, 4] Copy arrays.filter([null, 5, null, 6], fn (elem) { elem != null }) Copy [5, 6] Copy let source = datatable [{\ "results": [\ {\ "cats": [\ {\ "Name": "Whiskers",\ "Breed": "Siamese",\ "FurLength": "Short",\ "ID": "AAAAA"\ },\ {\ "Name": "Mittens",\ "Breed": "Maine Coon",\ "FurLength": "Long",\ "ID": "BBBBB"\ }\ ]\ },\ {\ "cats": [\ {\ "Name": "Mr. Meow",\ "Breed": "Orange Tabby",\ "FurLength": "Short",\ "ID": "CCCCC"\ },\ {\ "Name": "Mrs. Meow",\ "Breed": "Persian",\ "FurLength": "Long",\ "ID": "DDDDD"\ }\ ]\ }\ ]\ }]; source | project results=arrays.flatten( arrays.map(results, fn (result) { arrays.map(result.cats, fn (cat) { object("CatName", cat.Name, "ID", cat.ID) }) }) ) sun-brightdesktopmoon --- # Panther AI Workflow Examples | Panther Docs [hashtag](https://docs.panther.com/ai/examples#overview) Overview ---------------------------------------------------------------------- The videos on this page demonstrate common [Panther AI](https://docs.panther.com/ai) workflows. For the best viewing experience, it's recommended to click **Watch on Youtube** in the bottom-left corner of each video, or view them in full-screen mode. [hashtag](https://docs.panther.com/ai/examples#using-panther-ai-with-alerts) Using Panther AI with alerts -------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/ai/examples#running-ai-alert-triage) Running AI alert triage In the following example of [alert triage](https://docs.panther.com/alerts#panther-ai-alert-triage) , Panther AI: * Gathers context by reading the alert, associated detection (including its Python code), alerts generated by the detection over the last seven days, and all alerts over the last 24 hours * Analyzes data * May gather additional context by using other tools (such as the [`panther_ai_enrichments_lookup`](https://docs.panther.com/ai#enrichment-and-context) ) and executing data lake queries ### [hashtag](https://docs.panther.com/ai/examples#running-an-ai-suggested-follow-up-prompt-to-alert-triage) Running an AI-suggested follow-up prompt to alert triage * In this example, after [AI alert triage](https://docs.panther.com/alerts#panther-ai-alert-triage) is run, the user clicks on one of the options in the **Recommended Follow Up AI Prompts** section. ### [hashtag](https://docs.panther.com/ai/examples#aggregating-multiple-ai-responses-for-an-overall-report) Aggregating multiple AI responses for an overall report In the [Running an AI-suggested follow-up prompt to alert triage](https://docs.panther.com/ai/examples#running-an-ai-suggested-follow-up-prompt-to-alert-triage) example above, after the initial AI alert triage is generated, we click on a suggested follow-up prompt to explore adjacent concerns. The second response is related to the first as a "child" response. When you either click suggested follow-up prompts or type your own, the responses (the initial triage and follow-up responses) are aware of one another. This allows you to ask questions about the responses themselves, such as to combine them into a comprehensive report. For example, consider this initial AI alert triage: ![Under an "ALB Web Scanning" header is a Panther AI prompt box, followed by Summary and Key Findings sections.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-0d33864b9c3b9e32e332b51ca4f57075aa2c2c88%252Fwebbin_scan.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=d9369872&sv=2) After exploring suggested prompts and asking custom follow-up questions, the [response history list](https://docs.panther.com/ai/managing-ai-response-history#viewing-ai-response-history) looks like: ![Under an "AI Triage History" header, there is a sub-header labeled "Today." Under it is a table with six entries.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-66d90837a9a85f7cc39007349794f304f2f28a1d%252Ftriage_history.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=79820d47&sv=2) If we click the initial alert triage response (the parent response) and enter: > Summarize all the related AI responses into a short report. ![Under an "ALB Web Scanning" header is a Panther AI prompt bar and sections titled "Summary" and "Key Findings."](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-019734534ad830404cc3ffc2736351e06fb8aa57%252Falb_web_scan.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=793deb86&sv=2) We'll see something like this **ALB Web Scanning Investigation Summary**: ![Under an "ALB Web Scanning Investigation Summary" header are various sub-headers, including "Overview," "Key Findings," and "Risk Assessment."](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-562dbc8562629ab355ca2016471ab7c72a00c576%252Finvest_summary.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=f9beb4c7&sv=2) Opening the **Analysis** contained in the summary, Panther AI demonstrates it is reading all related responses: ![There is an "Analysis" header with a "Thinking steps" sub-header.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-9efedbacaee1dfce30ebf8257d9b3a5e2aaae76a%252Fimage.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=3f328dbb&sv=2) ### [hashtag](https://docs.panther.com/ai/examples#using-a-detection-runbook-to-direct-ai-alert-triage) Using a detection runbook to direct AI alert triage During [alert triage](https://docs.panther.com/alerts#panther-ai-alert-triage) , Panther AI is directed to read instructions from the [alert runbook](https://docs.panther.com/alerts/alert-runbooks) . You can leverage this to instruct Panther AI to perform specific tasks when triaging an alert. For example, as a `runbook` value, you might enter: * "Run the saved query called "Okta Historical Profile" for the user in the events as context." * "Search over all logs for activity from the `clientIP` over the last week as context." * "Always add a comment to the alert with a summary." circle-info [Learn more about how to write a Panther AI-friendly `runbook` here](https://docs.panther.com/alerts/alert-runbooks#tips-for-writing-an-effective-runbook) . In the below example, to demonstrate that Panther AI takes a detection's `runbook` into account during alert triage, we added the following to the `runbook`: > Before your analysis report, add a summary in the form of a limerick. We can see a limerick in the response: ![Under an "ALB Web Scanning Analysis" title are various sections with text under them, such as "Summary" and "Key Findings."](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-0227f9538a50baa8c7c46f03f1200fbdc6b9e1b5%252Falb_analysis.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=e8983dd4&sv=2) ### [hashtag](https://docs.panther.com/ai/examples#generating-an-ai-summary-of-alerts-list) Generating an AI summary of alerts list * In the example below, Panther AI [summarizes the recent alerts](https://docs.panther.com/alerts#panther-ai-summary-of-alerts-list) on the alert list page. circle-exclamation This video shows an outdated Panther Console. There is no longer a prompt bar on the alert list page; it instead has a **Summarize with AI** button, which [you can click to generate a summary of alerts](https://docs.panther.com/alerts#panther-ai-alert-triage) . ### [hashtag](https://docs.panther.com/ai/examples#visualizing-an-attack-from-the-alerts-list) Visualizing an attack from the alerts list In the example below, the alerts related to a specific attack (generated via [adversary emulationarrow-up-right](https://github.com/panther-labs/stratus-red-team) ) were selected from the alerts list page, then [an AI summary was generated](https://docs.panther.com/alerts#panther-ai-summary-of-alerts-list) . In the prompt bar of the resulting AI summary, we entered, `Visualize the attack using a flow chart. Analyze all supporting data for these alerts.`: ![A prompt bar is shown above a block of text output containing Summary and Key Finding sections.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-4dc32cb088d1b5e8e4e9cd9e35f40ca4ae17fae7%252Fattack_chart.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=3ba87b04&sv=2) In response, Panther AI generates a diagram of the attack chain: ![A diagram of an attack chain in shown, with a number of boxes and arrows. Boxes contain text such as "Defense Evasion" and "Impact & Exfiltration."](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-b5df30a899fc45e76fc67f15c0475388725c9782%252Fattack_chain_chart.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=2004b4d3&sv=2) [hashtag](https://docs.panther.com/ai/examples#using-panther-ai-to-search-indicators) Using Panther AI to search indicators -------------------------------------------------------------------------------------------------------------------------------- It's common to receive Indicators of Compromise (IoCs) from threat intelligence reports, such as malicious IP addresses, and ask "Have I seen any of these values in my logs?" Threat hunting for IoCs is simple if your search returns no results; however, when IoCs are found, the process can be time consuming because the activity requires vetting. Instead of manually searching your data lake, you can ask Panther AI to summarize recent activity. [hashtag](https://docs.panther.com/ai/examples#using-panther-ai-with-search-and-detections) Using Panther AI with Search and detections -------------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/ai/examples#search-results-ai-summarization) Search results AI summarization * In the example below, Panther AI performs [Search results summarization](https://docs.panther.com/search/search-tool#panther-ai-search-results-summary) for recent [AWS Application Load Balancer (ALB)](https://docs.panther.com/data-onboarding/supported-logs/aws/alb) events. ### [hashtag](https://docs.panther.com/ai/examples#detection-writing-from-search-results) Detection writing from Search results * After Panther AI performs [Search results summarization](https://docs.panther.com/search/search-tool#panther-ai-search-results-summary) for events representing potentially malicious activity, Panther AI creates a detection with unit tests. [hashtag](https://docs.panther.com/ai/examples#using-panther-ai-with-saved-searches) Using Panther AI with Saved Searches ------------------------------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.panther.com/ai/examples#writing-and-saving-sql-queries-for-reuse) Writing and saving SQL queries for reuse In the example below, Panther AI is prompted to write and name a SQL query (or [Saved Search](https://docs.panther.com/search/scheduled-searches) ) to be used in the future (by humans and Panther AI). The prompt is: > Please write a SQL query to calculate the top 10 IP addresses over a week of data in ALB logs. Save the query with the name "Top 10 IP Addresses in ALB." Add a note for Panther AI in the description to visualize the results when running the query. ### [hashtag](https://docs.panther.com/ai/examples#running-and-editing-saved-sql-queries) Running and editing saved SQL queries * In this example, Panther AI is asked to run a named [Saved Search](https://docs.panther.com/search/scheduled-searches) (but with modifications requiring SQL changes), enrich each IP address, and visualize the result. [PreviousManaging Panther AI Response Historychevron-left](https://docs.panther.com/ai/managing-ai-response-history) [NextRisk Scoring and Classification Frameworkchevron-right](https://docs.panther.com/ai/risk-scoring-and-classification-framework) Last updated 17 days ago Was this helpful? * [Overview](https://docs.panther.com/ai/examples#overview) * [Using Panther AI with alerts](https://docs.panther.com/ai/examples#using-panther-ai-with-alerts) * [Running AI alert triage](https://docs.panther.com/ai/examples#running-ai-alert-triage) * [Running an AI-suggested follow-up prompt to alert triage](https://docs.panther.com/ai/examples#running-an-ai-suggested-follow-up-prompt-to-alert-triage) * [Aggregating multiple AI responses for an overall report](https://docs.panther.com/ai/examples#aggregating-multiple-ai-responses-for-an-overall-report) * [Using a detection runbook to direct AI alert triage](https://docs.panther.com/ai/examples#using-a-detection-runbook-to-direct-ai-alert-triage) * [Generating an AI summary of alerts list](https://docs.panther.com/ai/examples#generating-an-ai-summary-of-alerts-list) * [Visualizing an attack from the alerts list](https://docs.panther.com/ai/examples#visualizing-an-attack-from-the-alerts-list) * [Using Panther AI to search indicators](https://docs.panther.com/ai/examples#using-panther-ai-to-search-indicators) * [Using Panther AI with Search and detections](https://docs.panther.com/ai/examples#using-panther-ai-with-search-and-detections) * [Search results AI summarization](https://docs.panther.com/ai/examples#search-results-ai-summarization) * [Detection writing from Search results](https://docs.panther.com/ai/examples#detection-writing-from-search-results) * [Using Panther AI with Saved Searches](https://docs.panther.com/ai/examples#using-panther-ai-with-saved-searches) * [Writing and saving SQL queries for reuse](https://docs.panther.com/ai/examples#writing-and-saving-sql-queries-for-reuse) * [Running and editing saved SQL queries](https://docs.panther.com/ai/examples#running-and-editing-saved-sql-queries) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # G Suite SSO | Panther Docs [hashtag](https://docs.panther.com/system-configuration/saml/gsuite#overview) Overview ------------------------------------------------------------------------------------------- Panther supports integrating with G Suite (now named Google Workspace) as a SAML provider to enable logging in to the Panther Console via SSO. For more information on features, terminology, and limitations of SSO integrations with the Panther Console, see [Identity & Access Integrations](https://docs.panther.com/system-configuration/saml) . [hashtag](https://docs.panther.com/system-configuration/saml/gsuite#how-to-configure-saml-sso-to-the-panther-console-with-g-suite) How to configure SAML SSO to the Panther Console with G Suite ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/system-configuration/saml/gsuite#step-1-obtain-the-sso-parameters-from-panther) Step 1: Obtain the SSO parameters from Panther 1. Log in to the Panther Console. 2. In the upper-right corner, click the gear icon, and then click **General**. 3. Navigate to the **Identity & Access** tab. 4. Next to **Enable SAML (Security Assertion Markup Language)**, set the toggle to `ON`. 5. If using [IdP-initiated login](https://docs.panther.com/system-configuration/saml#idp-initiated-vs.-sp-initiated-login) , set the **Use IdP-Initiated Single Sign On (SSO)** toggle to `ON`. 6. Copy the the **Audience** and **ACS Consumer URL** values and store them in a secure location. You will need them in the following steps. * If using IdP-initiated login, also copy the **Relay State** value. circle-info It's recommended to use [SP-initiated login](https://docs.panther.com/system-configuration/saml#sp-initiated-login-recommended) , as it is generally considered more secure than IdP-initiated login. ![In the Settings section of the Panther Console, within the Identity & Access tab, various fields like "Enable SAML", "Audience" and "ACS Consumer URL" are shown](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-800628a71753e4ef33d50d9bbf9231f05441120b%252FScreenshot%25202025-10-10%2520at%25203.03.25%25E2%2580%25AFPM.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=b01b9310&sv=2) ### [hashtag](https://docs.panther.com/system-configuration/saml/gsuite#step-2-create-the-g-suite-app) Step 2: Create the G Suite App Follow the [GSuite guide for SAML-based SSOarrow-up-right](https://support.google.com/a/answer/6087519) to add a custom SAML app. circle-info Note that it may take up to 24 hours for your changes to propagate in Google Workspace. Make the following modifications to create the SAML app for Panther: * In the **Service Provider Details** window, enter in the following: * **ACS URL**: Paste the **ACS Consumer URL** value you obtained in the Panther Console in Step 1. * **Entity ID**: Paste the **Audience** value you obtained in the Panther Console in Step 1. * **Start URL**: If using IdP-initiated login, paste the **Relay State** value you copied from the Panther Console in Step 1. If using SP-initiated login, leave this value blank. ![](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-acdda9a165d98739745c840d4360198b4b6002fe%252Fgsuite-saml.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=4d62ed0d&sv=2) * On the **Attribute mapping** page, configure the following attribute mappings: * **First Name**: `PantherFirstName` * **Last Name**: `PantherLastName` * **Primary email**: `PantherEmail` ![](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-de1a6bbe1f2d8a28c0d26dcf8317e320604efdbf%252Fgsuite5.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=ad54a84a&sv=2) ### [hashtag](https://docs.panther.com/system-configuration/saml/gsuite#step-3-enable-the-saml-app-in-google-workspace) Step 3: Enable the SAML app in Google Workspace Follow [Google's documentation to turn on the SAML apparrow-up-right](https://support.google.com/a/answer/6087519) . ### [hashtag](https://docs.panther.com/system-configuration/saml/gsuite#step-4-configure-saml-in-panther) Step 4: Configure SAML in Panther 1. Navigate back to the **Identity & Access** section in the Panther Console from Step 1. In the **Default Role** field, choose the Panther role that your new users will be assigned by default when they first log in via SSO. circle-exclamation Panther highly recommends not setting this value to `Admin`. 1. Below the **Identity Provider URL** field, click **click here** to upload the metadata file you downloaded from Google while configuring the SAML app. 2. Click **Save Changes**. To test your setup, go to your Panther sign-in page and click **Login with SSO**. ![The Panther login page shows a "Login with SSO" option](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-5e5aa7beb6e3547f6c0d323432359430390a0067%252Fpanther-login-sso%2520%286%29%2520%281%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=a7f29068&sv=2) [PreviousDuo SSOchevron-left](https://docs.panther.com/system-configuration/saml/duo-sso) [NextOkta SSOchevron-right](https://docs.panther.com/system-configuration/saml/okta) Last updated 1 month ago Was this helpful? * [Overview](https://docs.panther.com/system-configuration/saml/gsuite#overview) * [How to configure SAML SSO to the Panther Console with G Suite](https://docs.panther.com/system-configuration/saml/gsuite#how-to-configure-saml-sso-to-the-panther-console-with-g-suite) * [Step 1: Obtain the SSO parameters from Panther](https://docs.panther.com/system-configuration/saml/gsuite#step-1-obtain-the-sso-parameters-from-panther) * [Step 2: Create the G Suite App](https://docs.panther.com/system-configuration/saml/gsuite#step-2-create-the-g-suite-app) * [Step 3: Enable the SAML app in Google Workspace](https://docs.panther.com/system-configuration/saml/gsuite#step-3-enable-the-saml-app-in-google-workspace) * [Step 4: Configure SAML in Panther](https://docs.panther.com/system-configuration/saml/gsuite#step-4-configure-saml-in-panther) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Tor Exit Nodes | Panther Docs [hashtag](https://docs.panther.com/enrichment/tor-exit-nodes#overview) Overview ------------------------------------------------------------------------------------ You can use Tor Exit Nodes as an enrichment source in Panther. [Torarrow-up-right](https://www.torproject.org/) is an anonymizing network for Internet browsing in which the user's client IP address is randomly picked from nodes around the world. It is also sometimes used by bad actors to hide their location. The Tor enrichment provider contains IP addresses for Tor Exit Nodes. Panther automatically updates this list of IP addresses every hour. Learn how to [view stored enrichment data here](https://docs.panther.com/enrichment#viewing-and-managing-enrichments) , and how to [view log events with enrichment data here](https://docs.panther.com/enrichment#viewing-log-events-with-enrichment-data) . [hashtag](https://docs.panther.com/enrichment/tor-exit-nodes#enabling-tor-exit-nodes-enrichment) Enabling Tor Exit Nodes enrichment ---------------------------------------------------------------------------------------------------------------------------------------- If you are using a CI/CD workflow, please see [the CI/CD Users section below](https://docs.panther.com/enrichment/tor-exit-nodes#undefined) to learn about additional considerations. To enable the Panther-managed Tor Exit Node enrichment: 1. In the left-hand navigation bar of your Panther Console, click **Detections**. 2. Click the **Packs** tab. Search for "Tor" in the search bar. * On this page, you can see the [Detection Pack](https://docs.panther.com/detections/panther-managed/packs) available for Tor Lookup Tables. Packs are disabled by default, so to use this data you will need to enable the pack first. ![The "Tor Lookup Tables" tile is displayed on the Packs page in the Panther Console.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-5a3a9d2e6f7e1cecc224a15730a67c386af434b8%252FScreen%2520Shot%25202022-10-05%2520at%25201.37.08%2520PM.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=d36b92e4&sv=2) 3. On the right side of the **Tor Lookup Tables** tile, click the **Enabled** toggle to **ON** to enable the pack. 4. Click **Continue** in the dialog that appears. ![The image shows a popup dialog labeled "Enable detection pack?". There is a blue "Continue" button at the bottom.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-4f7501310d9061a82144fc22f44bd5e25de6d04f%252Fimage.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=8559ffe1&sv=2) * If you'd like to make additional changes through CI/CD with [PAT](https://docs.panther.com/panther-developer-workflows/detections-repo/pat) , please contact your Panther representative for more information. 5. To verify the enrichment is enabled, from the left sidebar menu, click **Configure** > **Enrichments.** * On this page, you can see all enrichment sources, whether each source is currently enabled or disabled, and when a source’s data was last refreshed. ### [hashtag](https://docs.panther.com/enrichment/tor-exit-nodes#considerations-for-ci-cd-users) Considerations for CI/CD users To enable the Tor enrichment in the CLI workflow, see the [Managing Enrichments with the Panther Analysis Tool](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/managing-enrichment) guide. Please note the following considerations: * CI/CD users do not need to use Detection Packs to get Tor Exit Node enrichment tables. You can pull in the latest release of `panther-analysis` and use the `panther_analysis_tool` (PAT) to upload the enrichments. * If you are using a CI/CD workflow, we advise against enabling an enrichment via Detection Packs; you should instead enable and manage enrichments via your regular CI/CD workflow. * If you choose to manage enrichments through PAT after enabling them in the Panther Console, you must first disable the Detection Packs in the Panther Console. Simultaneous use of both the Panther Console and PAT to manage enrichments is not supported. [hashtag](https://docs.panther.com/enrichment/tor-exit-nodes#example) Example ---------------------------------------------------------------------------------- You can leverage the Tor Exit Nodes enrichment via a Python helper in detections. See the example below: [PreviousSnowflake Enrichment (Beta)chevron-left](https://docs.panther.com/enrichment/snowflake) [NextTrailDiscoverchevron-right](https://docs.panther.com/enrichment/traildiscover) Last updated 3 months ago Was this helpful? * [Overview](https://docs.panther.com/enrichment/tor-exit-nodes#overview) * [Enabling Tor Exit Nodes enrichment](https://docs.panther.com/enrichment/tor-exit-nodes#enabling-tor-exit-nodes-enrichment) * [Considerations for CI/CD users](https://docs.panther.com/enrichment/tor-exit-nodes#considerations-for-ci-cd-users) * [Example](https://docs.panther.com/enrichment/tor-exit-nodes#example) Was this helpful? sun-brightdesktopmoon Copy import panther_tor_helpers as p_tor_h def rule(event): # alert if activity is from Tor Exit Nodes return p_tor_h.TorExitNodes(event).has_exit_nodes() def alert_context(event): # add useful context for the alert, including a URL to Tor project exit node database return p_tor_h.TorExitNodes(event).context('sourceIP') sun-brightdesktopmoon --- # Data Models | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#overview) Overview ----------------------------------------------------------------------------------------------------------- Use these API operations to interact with [Data Models](https://docs.panther.com/detections/rules/python/data-models) in Panther. To call the API, see the [How to use the Panther REST API](https://docs.panther.com/panther-developer-workflows/api/rest#how-to-use-the-panther-rest-api) instructions—including [directions for how to invoke it directly from this documentation page](https://docs.panther.com/panther-developer-workflows/api/rest#step-3-invoke-the-panther-rest-api) . [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#required-permissions) Required permissions ----------------------------------------------------------------------------------------------------------------------------------- * For `GET` operations, your API token must have the `View Log Sources` permission. * For `POST`, `PUT`, and `DELETE` operations, your API token must have the `Manage Log Sources` permission. [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#operations) Operations --------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#post-data-models) create data model post https://your-api-host/data-models Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Body application/jsonchevron-down application/json bodystringOptional The python body of the data model descriptionstringOptional The description of the data model displayNamestringOptional The name used for the data model enabledbooleanOptional enables/disables a data model idstringRequired The id of the data model logTypesstring\[\]Optional The log type this data model should associate to. NOTE: only one data model can be assigned to a log type mappingsobject\[\]Optional Show propertiesplus Responses chevron-right 200 OK response. application/json bodystringOptional The python body of the data model createdAtstringOptional descriptionstringOptional The description of the data model displayNamestringOptional The name used for the data model enabledbooleanOptional enables/disables a data model idstringOptional The id of the data model lastModifiedstringOptional logTypesstring\[\]Optional The log type this data model should associate to. NOTE: only one data model can be assigned to a log type mappingsobject\[\]Optional Show propertiesplus chevron-right 400 bad\_request: Bad Request response. application/json chevron-right 409 exists: Conflict response. application/json post /data-models HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#get-data-models-id) get data model get https://your-api-host/data-models/{id} Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired ID of the data model to fetch Responses chevron-right 200 OK response. application/json bodystringOptional The python body of the data model createdAtstringOptional descriptionstringOptional The description of the data model displayNamestringOptional The name used for the data model enabledbooleanOptional enables/disables a data model idstringOptional The id of the data model lastModifiedstringOptional logTypesstring\[\]Optional The log type this data model should associate to. NOTE: only one data model can be assigned to a log type mappingsobject\[\]Optional Show propertiesplus chevron-right 404 not\_found: Not Found response. application/json get /data-models/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#put-data-models-id) put data model put https://your-api-host/data-models/{id} put creates or updates a data model Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired the id of the data model Body application/jsonchevron-down application/json bodystringOptional The python body of the data model descriptionstringOptional The description of the data model displayNamestringOptional The name used for the data model enabledbooleanOptional enables/disables a data model idstringRequired The id of the data model logTypesstring\[\]Optional The log type this data model should associate to. NOTE: only one data model can be assigned to a log type mappingsobject\[\]Optional Show propertiesplus Responses chevron-right 200 200 returned if the item already existed application/json bodystringOptional The python body of the data model createdAtstringOptional descriptionstringOptional The description of the data model displayNamestringOptional The name used for the data model enabledbooleanOptional enables/disables a data model idstringOptional The id of the data model lastModifiedstringOptional logTypesstring\[\]Optional The log type this data model should associate to. NOTE: only one data model can be assigned to a log type mappingsobject\[\]Optional Show propertiesplus chevron-right 201 201 returned if the item was created application/json chevron-right 400 bad\_request: Bad Request response. application/json put /data-models/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 200 returned if the item already existed chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#delete-data-models-id) delete data model delete https://your-api-host/data-models/{id} Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired ID of the data model to delete Responses chevron-right 204 No Content response. chevron-right 400 bad\_request: Bad Request response. application/json chevron-right 404 not\_found: Not Found response. application/json delete /data-models/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 204 No Content response. chevron-down No content ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#get-data-models) list data models get https://your-api-host/data-models Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Query parameters cursorstringOptional the pagination token limitinteger · int64Optional the maximum results to return Default: `100` Responses chevron-right 200 OK response. application/json nextstringOptional pagination token for the next page of results resultsobject\[\]Optional Show propertiesplus get /data-models HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. [PreviousCorrelation Ruleschevron-left](https://docs.panther.com/panther-developer-workflows/api/rest/correlation-rules) [NextGlobalschevron-right](https://docs.panther.com/panther-developer-workflows/api/rest/globals) Last updated 16 days ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#overview) * [Required permissions](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#required-permissions) * [Operations](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#operations) * [POSTcreate data model](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#post-data-models) * [GETget data model](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#get-data-models-id) * [PUTput data model](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#put-data-models-id) * [DELETEdelete data model](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#delete-data-models-id) * [GETlist data models](https://docs.panther.com/panther-developer-workflows/api/rest/data-models#get-data-models) Was this helpful? sun-brightdesktopmoon Copy POST /data-models HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 163 { "body": "text", "description": "text", "displayName": "text", "enabled": true, "id": "text", "logTypes": [\ "text"\ ], "mappings": [\ {\ "method": "text",\ "name": "text",\ "path": "text"\ }\ ] } Copy { "body": "text", "createdAt": "text", "description": "text", "displayName": "text", "enabled": true, "id": "text", "lastModified": "text", "logTypes": [\ "text"\ ], "mappings": [\ {\ "method": "text",\ "name": "text",\ "path": "text"\ }\ ] } Copy GET /data-models/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy { "body": "text", "createdAt": "text", "description": "text", "displayName": "text", "enabled": true, "id": "text", "lastModified": "text", "logTypes": [\ "text"\ ], "mappings": [\ {\ "method": "text",\ "name": "text",\ "path": "text"\ }\ ] } Copy PUT /data-models/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 163 { "body": "text", "description": "text", "displayName": "text", "enabled": true, "id": "text", "logTypes": [\ "text"\ ], "mappings": [\ {\ "method": "text",\ "name": "text",\ "path": "text"\ }\ ] } Copy { "body": "text", "createdAt": "text", "description": "text", "displayName": "text", "enabled": true, "id": "text", "lastModified": "text", "logTypes": [\ "text"\ ], "mappings": [\ {\ "method": "text",\ "name": "text",\ "path": "text"\ }\ ] } Copy DELETE /data-models/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy GET /data-models HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy { "next": "text", "results": [\ {\ "body": "text",\ "createdAt": "text",\ "description": "text",\ "displayName": "text",\ "enabled": true,\ "id": "text",\ "lastModified": "text",\ "logTypes": [\ "text"\ ],\ "mappings": [\ {\ "method": "text",\ "name": "text",\ "path": "text"\ }\ ]\ }\ ] } sun-brightdesktopmoon --- # Public Fork | Panther Docs One method you can use to leverage Panther-managed Python detections within your [CI/CD workflow](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd) is to create a public fork of [panther-analysisarrow-up-right](https://github.com/panther-labs/panther-analysis) . A public fork is recommended if your organization would like to share your detection content publicly or you'd like to bring content upstream into [panther-labs/panther-analysisarrow-up-right](https://github.com/panther-labs/panther-analysis) . For information on creating a private clone of the repo, see [Private Clone](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/private-cloned-repo) . circle-info It's recommended to pull upstream changes from panther-analysis when there is a new [tagged releasearrow-up-right](https://github.com/panther-labs/panther-analysis/releases) . You can also pull from the [main brancharrow-up-right](https://github.com/panther-labs/panther-analysis/tree/main) . No other branches should be considered stable. [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork#configuring-a-public-fork-of-panther-analysis) Configuring a public fork of panther-analysis ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- This process will create a public fork of the `panther-analysis` repository in your organization. This will serve as your working copy of `panther-analysis`, and any changes required by your organization can be made here and will undergo any configured CI checks that you define. For reference, see [GitHub's complete instructions on forking a repo herearrow-up-right](https://docs.github.com/en/get-started/quickstart/fork-a-repo) . 1. Log in to GitHub and navigate to [panther-labs/panther-analysisarrow-up-right](https://github.com/panther-labs/panther-analysis) . ![The image shows the upper right corner of the panther-analysis repo in Github. There is an arrow pointing to the "Fork" button.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-6f64d6a7dd38252b33364b9bb24d0f0a4bf1edb2%252Fgithub-fork.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=6a0c09bf&sv=2) 2. In the upper right corner of the repository’s main page click **Fork**. 3. On the **Create a new fork** page: 1. Uncheck the **Copy the** `**develop**` **branch only** box. ![A "Create a new fork" page in GitHub has a few form fields, like "Repository name" and "Copy the develop branch only," which is circled.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-92674a8fdcb630ffe2c0c158ec3bdbc45454d1b8%252Fdevelop%2520branch.jpg%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=b259ea15&sv=2) 2. Click **Create fork**. 4. Navigate to the **Settings** page of your forked repository. 5. Within **Default branch**, click the pencil icon to edit the default branch. 1. In the **Switch default branch to another branch** pop-up modal, select `main`. ![A "Switch default branch to another branch" modal is shown, with a dropdown field with a "main" value. There is also an "Update" button.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-76bd72fd64d7b06b241a3e719b9178c68ce69e84%252Fpartial_blur.jpg%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=4fbcd97b&sv=2) 2. Click **Update**. 6. (Optional) Unzip any of your custom detections into the same directory as your forked version of `panther-analysis`. [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork#keeping-your-public-fork-in-sync-with-upstream-panther-analysis-updates) Keeping your public fork in sync with upstream panther-analysis updates ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To stay in sync with upstream changes, it's recommended to use the [Sync Panther Analysis from Upstreamarrow-up-right](https://github.com/panther-labs/panther-analysis/blob/main/.github/workflows/sync-from-upstream.yml) GitHub Action, which periodically opens a pull request against your repository's primary branch with the latest changes from `panther-analysis`. To configure this Action: 1. Create a GitHub token with the following permissions: * `Administration - Read` * `Contents - Read and write` * `Metadata - Read` * `Pull Requests - Read and write` * `Workflows - Read and write` 2. In your forked repository, add a new secret named `PANTHER_SYNC_UPSTREAM` and set its value as the token you created in the previous step. circle-exclamation If you skip this step, each time the upstream repository has changes within the `.github/workflows` directory, the Action will fail to open a PR. 1. To trigger the Action for the first time, syncing your fork with the upstream repository, in your repository in GitHub, click **Actions** > **Sync Panther Analysis from Upstream**. 2. Click **Run Workflow > Run workflow.** * Once the action is complete, you will see a green circle next to the workflow run. If there are changes, you should see a new open pull request authored by GitHub Actions. If there are no changes, you should see a message similar to “Local repo already synced to latest release.” * The **Sync Panther Analysis from Upstream** Action is configured to run on a cron schedule every Tuesday at 15:00Z. You can modify this schedule on line 6 of `.github/workflows/sync-from-upstream.yml`. 3. Merge the pull request into your primary branch, as you would with a normal pull request. Your repository will reflect the merge as your latest change, and you will be able to view both your private repo and panther-analysis git histories. If you run into issues with merge conflicts or see an error that states "all jobs have failed," please see this troubleshooting article: [How do I resolve merge conflicts and failed syncs when using the GitHub Action sync-panther-analysis-from-upstream?arrow-up-right](https://help.panther.com/Panther_Developer_Workflows/panther-analysis/How_do_I_resolve_merge_conflicts_and_failed_syncs_when_using_the_GitHub_Action_sync-panther-analysis-from-upstream%3F) ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork#manual-updates) Manual updates Alternatively, you can manually update the fork. Please see [GitHub's documentationarrow-up-right](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/syncing-a-fork) to learn more about the process of manually updating the fork from its source, in this case panther-labs/panther-analysis. It is recommended to always usse the "compare" option detailed in these documents to ensure you are pulling in changes that make sense for your organization. This will display the updates as a Pull Request, and changes and comments can be made. [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork#next-steps) Next steps --------------------------------------------------------------------------------------------------------------------------------------- After you fork the repo, you can integrate Panther detections into your CI/CD workflow—see the documentation for [CircleCI](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci) and [GitHub Actions](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/github-actions) . ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork#github-actions) GitHub Actions You can create your own GitHub Action to upload detection content to your Panther instance, and it can be configured to run automatically on each merged pull request to your repo. See [Managing Content via GitHub Actions](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/github-actions) for more information. ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork#customer-contributed-content) Customer contributed content You are encouraged to contribute content back upstream to panther-analysis. To do so, create a pull request against the panther-analysis repository, and Panther's Threat Research team will review it. [PreviousPrivate Clonechevron-left](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/private-cloned-repo) [NextCI/CD for Panther Contentchevron-right](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd) Last updated 7 days ago Was this helpful? * [Configuring a public fork of panther-analysis](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork#configuring-a-public-fork-of-panther-analysis) * [Keeping your public fork in sync with upstream panther-analysis updates](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork#keeping-your-public-fork-in-sync-with-upstream-panther-analysis-updates) * [Manual updates](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork#manual-updates) * [Next steps](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork#next-steps) * [GitHub Actions](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork#github-actions) * [Customer contributed content](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork#customer-contributed-content) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Snowflake Connected (Legacy) | Panther Docs [hashtag](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/snowflake-setup#overview) Overview ---------------------------------------------------------------------------------------------------------------------------------------------- circle-exclamation Panther does not support this account configuration for new accounts. Learn about Panther's supported deployment models on [Panther Deployment Types](https://docs.panther.com/system-configuration/panther-deployment-types) . If you are an existing Snowflake customer, Panther can be configured to use one of your own Snowflake accounts. The account must be new or empty. This option has also been known as "Customer-configured Snowflake" or "Bring Your Own Snowflake (BYOSF)." See recommendations for how to configure your Snowflake instance on [Snowflake Configuration for Optimal Search Performance](https://docs.panther.com/search/backend/snowflake/configuration) . In Snowflake, it is possible to share table access. This allows your business data and security data to be queried in Panther (via the `PANTHER_READ_ONLY` role). When you manage your own Snowflake instance, you can create tables and views with data ingested by Panther. Do not place these custom objects inside Panther databases. Unexpected tables and views will cause errors. Instead, create them in non-Panther databases, and share them with Panther. triangle-exclamation Do not create users or any other database objects with the prefix `PANTHER_`. ### [hashtag](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/snowflake-setup#migrating-from-panther-managed-to-snowflake-connected) Migrating from Panther-managed to Snowflake Connected If you have a Panther-managed Snowflake instance, it is possible to assume ownership of it, turning it into a Snowflake Connected instance. To do so, follow these instructions: 1. Notify your Panther support team that you'd like to assume ownership of your Panther-managed Snowflake account. 2. After receiving a prewritten message from your Panther support team, send it to your Snowflake team. The message will: * Request the Snowflake account be transferred to your organization * Include important information about your Snowflake account 3. When the account has been successfully transferred, notify your Panther support team. * Panther will provide you with login credentials to the Snowflake account. * When you log into Snowflake, you will see the transferred instance within your organization account. [hashtag](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/snowflake-setup#how-to-create-a-new-snowflake-account-for-panther) How to create a new Snowflake account for Panther -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Reach out to Panther support to learn how to configure your Snowflake account for Panther. circle-info If you have [Panther-managed](https://docs.panther.com/system-configuration/panther-deployment-types#saas) AWS, your Panther support team will provide you with a unique credential over a secure channel to use to set up a user in your Snowflake account. * Panther will configure and maintain the account for you using automated tooling. We will manage integrations, databases, warehouses, users, and roles in the new account. ### [hashtag](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/snowflake-setup#creating-read-only-roles-for-panther-data-tables) Creating read-only roles for Panther data tables Panther maintains the `pantheraccountadmin` user credentials in a secure location. If you would like to create and maintain several users with read-only access to the Panther data lake tables, see [Creating read-only roles for Panther data tables](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected#optional-creating-read-only-roles-for-panther-data-tables) . [PreviousPre-Deployment Tools (Legacy)chevron-left](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/cloud-connected-setup-without-cli-tool-legacy/pre-deployment-tools-legacy) [NextCustomer-configured Snowflake Integration (Legacy)chevron-right](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/customer-managed-snowflake) Last updated 9 months ago Was this helpful? * [Overview](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/snowflake-setup#overview) * [Migrating from Panther-managed to Snowflake Connected](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/snowflake-setup#migrating-from-panther-managed-to-snowflake-connected) * [How to create a new Snowflake account for Panther](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/snowflake-setup#how-to-create-a-new-snowflake-account-for-panther) * [Creating read-only roles for Panther data tables](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/snowflake-setup#creating-read-only-roles-for-panther-data-tables) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Private Clone | Panther Docs One method you can use to leverage Panther-managed Python detections within your [CI/CD workflow](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd) is to create a private cloned repo of [panther-analysisarrow-up-right](https://github.com/panther-labs/panther-analysis) . If your organization would like to keep your body of detections and other associated Panther configurations private, a private cloned repo of [panther-analysisarrow-up-right](https://github.com/panther-labs/panther-analysis) is the best option. In this model, your local repository settings control who has access to the content inside. Once you have configured your private cloned repo as described below, you can create branches and leverage pull requests to bring in customizations to your body of detections. For information on creating a public fork of the repo, see [Public Fork](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork) . circle-info It's recommended to pull upstream changes from panther-analysis when there is a new [tagged releasearrow-up-right](https://github.com/panther-labs/panther-analysis/releases) . You can also pull from the [main brancharrow-up-right](https://github.com/panther-labs/panther-analysis/tree/main) . No other branches should be considered stable. [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/private-cloned-repo#configuring-the-private-clone-of-the-panther-analysis-repo) Configuring the private clone of the panther-analysis repo ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The following is the configuration we recommend based on currently supported functionality. 1. Create a private repository in GitHub. * For instructions, see [GitHub's documentation: Create a repoarrow-up-right](https://docs.github.com/en/get-started/quickstart/create-a-repo) . When setting the repository's visibility, select **Private**. * Keep the default settings - do not initialize your repository with any content. 2. Clone [panther-analysisarrow-up-right](https://github.com/panther-labs/panther-analysis) and use `git push --mirror` to seed your private cloned repo with upstream's git content and history. 1. `gh repo clone panther-labs/panther-analysis` 2. `cd panther-analysis` 3. `git checkout main` 4. `git push --mirror https://github.com/your_org/your_private_repo.git` For more information about maintaining a mirror of a repository, see [GitHub's documentation: Duplicating a repositoryarrow-up-right](https://docs.github.com/en/repositories/creating-and-managing-repositories/duplicating-a-repository) . 3. Enable correct workflow permissions for the repository in GitHub. 1. Within your private repository, navigate to **Settings** > **Actions** > **General**. 2. Make the following selections in the **Workflow permissions** section: * Toggle **Read and write permissions** on. * Check **Allow GitHub Actions to create and approve pull requests**. 3. Click **Save**. 4. Locally, clone your private repository, make a new branch, and create a directory for your local detection content within the existing **rules/** directory: 1. `git checkout -b feat/my_first_branch` 2. `mkdir rules/my_local_rules` 5. Add a sample rule: 1. Under **templates/**, locate **example\_rule.py** and **example\_rule.yml.** 2. Copy them into **rules/my\_local\_rules/**. 1. `cp templates/example_rule.* rules/my_local_rules` 6. Run `make venv` then run `make test` to set up your local Python environment and run the test suite. * If you made no changes to the files, you should see an error similar to the following: `Key 'LogTypes' error: LOG_TYPE_REGEX does not match 'LogType.Name'` 7. Resolve the errors that appeared after the previous step: 1. Change `LogType` to a known log source in Panther, such as **AWS.CloudTrail** in **example\_rule.yml** 2. Change `Filename` inside **example\_rule.yml** to **example\_rule.py**. 8. Commit your changes to your remote from the current branch. (`git rev-parse –abbrev-ref HEAD` provides the current branch, you can also opt to provide this value yourself.) 1. `git add rules/my_local_rules` 2. `git commit -m "feat: new example rules"` 3. `git push origin` \``` git rev-parse --abbrev-ref HEAD` `` * This command provides a link in the output. 9. Use the link from the output of the previous step's `git push` to create a pull request for your branch. 10. Merge your pull request and optionally delete your branch. [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/private-cloned-repo#keeping-your-private-clone-in-sync-with-upstream-panther-analysis-updates) Keeping your private clone in sync with upstream panther-analysis updates ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To stay in sync with upstream changes, it's recommended to use the [Sync Panther Analysis from Upstreamarrow-up-right](https://github.com/panther-labs/panther-analysis/blob/main/.github/workflows/sync-from-upstream.yml) GitHub Action, which periodically opens a pull request against your repository's primary branch with the latest changes from panther-analysis. To configure this Action: 1. Create a GitHub token with the following permissions: * `Administration - Read` * `Contents - Read and write` * `Metadata - Read` * `Pull Requests - Read and write` * `Workflows - Read and write` 2. In your forked repository, add a new secret named `PANTHER_SYNC_UPSTREAM` and set its value as the token you created in the previous step. circle-exclamation If you skip this step, each time the upstream repository has changes within the `.github/workflows` directory, the Action will fail to open a PR. 1. To trigger the Action for the first time, syncing your fork with the upstream repository, in your repository in GitHub, click **Actions** > **Sync Panther Analysis from Upstream**. 2. Click **Run Workflow > Run workflow.** * Once the action is complete, you will see a green circle next to the workflow run. If there are changes, you should see a new open pull request authored by GitHub Actions. If there are no changes, you should see a message similar to “Local repo already synced to latest release.” * The **Sync Panther Analysis from Upstream** Action is configured to run on a cron schedule every Tuesday at 15:00Z. You can modify this schedule on line 6 of `.github/workflows/sync-from-upstream.yml`. 3. Merge the pull request into your primary branch, as you would with a normal pull request. Your repository will reflect the merge as your latest change, and you will be able to view both your private repo and panther-analysis git histories. If you run into issues with merge conflicts or see an error that states "all jobs have failed," please see this troubleshooting article: [How do I resolve merge conflicts and failed syncs when using the GitHub Action sync-panther-analysis-from-upstream?arrow-up-right](https://help.panther.com/Panther_Developer_Workflows/panther-analysis/How_do_I_resolve_merge_conflicts_and_failed_syncs_when_using_the_GitHub_Action_sync-panther-analysis-from-upstream%3F) [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/private-cloned-repo#next-steps) Next steps ----------------------------------------------------------------------------------------------------------------------------------------------- After you clone the repository, you can integrate Panther detections into your CI/CD workflow—see the documentation for [CircleCI](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci) and [GitHub Actions](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/github-actions) . ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/private-cloned-repo#github-actions) GitHub Actions You can create your own GitHub Action to upload detection content to your Panther instance, and it can be configured to run automatically on each merged pull request to your repo. See [Managing Content via GitHub Actions](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/github-actions) for more information. ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/private-cloned-repo#customer-contributed-content) Customer contributed content You are encouraged to contribute content back upstream to panther-analysis, however, making a pull request back upstream is only possible from a public repository. If you use a private repository and would like to contribute content, please reach out to the Panther Support team. [PreviousDeprecated Management Flowschevron-left](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated) [NextPublic Forkchevron-right](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/public-fork) Last updated 6 days ago Was this helpful? * [Configuring the private clone of the panther-analysis repo](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/private-cloned-repo#configuring-the-private-clone-of-the-panther-analysis-repo) * [Keeping your private clone in sync with upstream panther-analysis updates](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/private-cloned-repo#keeping-your-private-clone-in-sync-with-upstream-panther-analysis-updates) * [Next steps](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/private-cloned-repo#next-steps) * [GitHub Actions](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/private-cloned-repo#github-actions) * [Customer contributed content](https://docs.panther.com/panther-developer-workflows/detections-repo/setup/deprecated/private-cloned-repo#customer-contributed-content) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Roles | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/roles#overview) Overview ----------------------------------------------------------------------------------------------------- Use these API operations to interact with [user roles](https://docs.panther.com/system-configuration/rbac#panther-user-roles) in Panther. To call the API, see the [How to use the Panther REST API](https://docs.panther.com/panther-developer-workflows/api/rest#how-to-use-the-panther-rest-api) instructions—including [directions for how to invoke it directly from this documentation page](https://docs.panther.com/panther-developer-workflows/api/rest#step-3-invoke-the-panther-rest-api) . [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/roles#required-permissions) Required permissions ----------------------------------------------------------------------------------------------------------------------------- * For `GET` operations, your API token must have the `Read User Info` permission. * For `POST` and `DELETE` operations, your API token must have the `Manage Users` permission. [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/roles#operations) Operations --------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/roles#post-roles) Create a role post https://your-api-host/roles Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Body application/jsonchevron-down application/json logTypeAccessstring\[\]Optional The log types that the role can or cannot access, according to the `logTypeAccessKind` field. This field should be omitted if `logTypeAccessKind` has a value of `ALLOW_ALL` or `DENY_ALL` logTypeAccessKindstring · enumOptional Defines the role's access to log types. This field is required and has effect only if the datalake RBAC feature is enabled. Possible values: `ALLOW``ALLOW_ALL``DENY``DENY_ALL` namestringRequired The name of the role permissionsstring · enum\[\]Required Show propertiesplus Responses chevron-right 200 OK response. application/json createdAtstringOptional idstringOptional ID of the role logTypeAccessstring\[\]Optional The log types that the role can or cannot access, according to the `logTypeAccessKind` field. This field should be omitted if `logTypeAccessKind` has a value of `ALLOW_ALL` or `DENY_ALL` logTypeAccessKindstring · enumRequired Defines the role's access to log types. This field is required and has effect only if the datalake RBAC feature is enabled. Possible values: `ALLOW``ALLOW_ALL``DENY``DENY_ALL` namestringRequired The name of the role permissionsstring · enum\[\]Required Show propertiesplus updatedAtstringOptional chevron-right 400 bad\_request: Bad Request response. application/json post /roles HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/roles#get-roles-id) Get a role get https://your-api-host/roles/{id} Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired ID of the role Responses chevron-right 200 OK response. application/json createdAtstringOptional idstringOptional ID of the role logTypeAccessstring\[\]Optional The log types that the role can or cannot access, according to the `logTypeAccessKind` field. This field should be omitted if `logTypeAccessKind` has a value of `ALLOW_ALL` or `DENY_ALL` logTypeAccessKindstring · enumRequired Defines the role's access to log types. This field is required and has effect only if the datalake RBAC feature is enabled. Possible values: `ALLOW``ALLOW_ALL``DENY``DENY_ALL` namestringRequired The name of the role permissionsstring · enum\[\]Required Show propertiesplus updatedAtstringOptional chevron-right 400 bad\_request: Bad Request response. application/json chevron-right 404 not\_found: Not Found response. application/json get /roles/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/roles#post-roles-id) Update a role post https://your-api-host/roles/{id} Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired ID of the role Body application/jsonchevron-down application/json logTypeAccessstring\[\]Optional The log types that the role can or cannot access, according to the `logTypeAccessKind` field. This field should be omitted if `logTypeAccessKind` has a value of `ALLOW_ALL` or `DENY_ALL` logTypeAccessKindstring · enumOptional Defines the role's access to log types. This field is required and has effect only if the datalake RBAC feature is enabled. Possible values: `ALLOW``ALLOW_ALL``DENY``DENY_ALL` namestringRequired The name of the role permissionsstring · enum\[\]Required Show propertiesplus Responses chevron-right 200 OK response. application/json createdAtstringOptional idstringOptional ID of the role logTypeAccessstring\[\]Optional The log types that the role can or cannot access, according to the `logTypeAccessKind` field. This field should be omitted if `logTypeAccessKind` has a value of `ALLOW_ALL` or `DENY_ALL` logTypeAccessKindstring · enumRequired Defines the role's access to log types. This field is required and has effect only if the datalake RBAC feature is enabled. Possible values: `ALLOW``ALLOW_ALL``DENY``DENY_ALL` namestringRequired The name of the role permissionsstring · enum\[\]Required Show propertiesplus updatedAtstringOptional chevron-right 400 bad\_request: Bad Request response. application/json chevron-right 404 not\_found: Not Found response. application/json post /roles/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/roles#delete-roles-id) Delete a role delete https://your-api-host/roles/{id} Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired ID of the role Responses chevron-right 200 OK response. No content chevron-right 400 bad\_request: Bad Request response. application/json chevron-right 404 not\_found: Not Found response. application/json delete /roles/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. chevron-down No content ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/roles#get-roles) List roles get https://your-api-host/roles Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Query parameters name-containsstringOptional A string to search for in the Role name namestringOptional An exact match of a role's name to return. If provided all other parameters are ignored idstring\[\]Optional Set of IDS to return idsstringOptional A comma delimited list of IDs sort-dirstring · enumOptional The sort direction of the results Default: `asc`Possible values: `asc``desc` Responses chevron-right 200 OK response. application/json nextstringOptional Pagination token for the next page of results resultsobject\[\]Required Show propertiesplus get /roles HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. [PreviousQuerieschevron-left](https://docs.panther.com/panther-developer-workflows/api/rest/queries) [NextRuleschevron-right](https://docs.panther.com/panther-developer-workflows/api/rest/rules) Last updated 14 days ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/api/rest/roles#overview) * [Required permissions](https://docs.panther.com/panther-developer-workflows/api/rest/roles#required-permissions) * [Operations](https://docs.panther.com/panther-developer-workflows/api/rest/roles#operations) * [POSTCreate a role](https://docs.panther.com/panther-developer-workflows/api/rest/roles#post-roles) * [GETGet a role](https://docs.panther.com/panther-developer-workflows/api/rest/roles#get-roles-id) * [POSTUpdate a role](https://docs.panther.com/panther-developer-workflows/api/rest/roles#post-roles-id) * [DELETEDelete a role](https://docs.panther.com/panther-developer-workflows/api/rest/roles#delete-roles-id) * [GETList roles](https://docs.panther.com/panther-developer-workflows/api/rest/roles#get-roles) Was this helpful? sun-brightdesktopmoon Copy POST /roles HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 98 { "logTypeAccess": [\ "text"\ ], "logTypeAccessKind": "ALLOW", "name": "text", "permissions": [\ "AlertModify"\ ] } Copy { "createdAt": "text", "id": "text", "logTypeAccess": [\ "text"\ ], "logTypeAccessKind": "ALLOW", "name": "text", "permissions": [\ "AlertModify"\ ], "updatedAt": "text" } Copy GET /roles/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy { "createdAt": "text", "id": "text", "logTypeAccess": [\ "text"\ ], "logTypeAccessKind": "ALLOW", "name": "text", "permissions": [\ "AlertModify"\ ], "updatedAt": "text" } Copy POST /roles/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 98 { "logTypeAccess": [\ "text"\ ], "logTypeAccessKind": "ALLOW", "name": "text", "permissions": [\ "AlertModify"\ ] } Copy { "createdAt": "text", "id": "text", "logTypeAccess": [\ "text"\ ], "logTypeAccessKind": "ALLOW", "name": "text", "permissions": [\ "AlertModify"\ ], "updatedAt": "text" } Copy DELETE /roles/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy GET /roles HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy { "next": "text", "results": [\ {\ "createdAt": "text",\ "id": "text",\ "logTypeAccess": [\ "text"\ ],\ "logTypeAccessKind": "ALLOW",\ "name": "text",\ "permissions": [\ "AlertModify"\ ],\ "updatedAt": "text"\ }\ ] } sun-brightdesktopmoon --- # PantherFlow Examples: Panther Audit Logs | Panther Docs Query the `panther_logs.public.panther_audit` table: Copy panther_logs.public.panther_audit Return up to 10 results: Copy panther_logs.public.panther_audit | limit 10 Sort by `p_event_time`: Copy panther_logs.public.panther_audit | sort p_event_time desc | limit 10 Filter on the last 24 hours: Copy panther_logs.public.panther_audit | where p_event_time > time.now() - 1d | sort p_event_time desc | limit 10 Filter on timestamp: Copy panther_logs.public.panther_audit | where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') | sort p_event_time desc | limit 10 Filter on a nested field (using dot notation) Filter on a nested field (using bracket notation) Check that a deeply nested value within an array exists (i.e., is not null) Count events: Count number of actions: Only show rare actions: Show new IPs used by a user in the last 7 days vs. those they used in the last 60 days: [PreviousPantherFlow Examples: SOC Operationschevron-left](https://docs.panther.com/pantherflow/example-queries/soc-operations) [NextEnrichmentchevron-right](https://docs.panther.com/enrichment) Last updated 10 months ago Was this helpful? Was this helpful? sun-brightdesktopmoon Copy panther_logs.public.panther_audit | where actor.name == "[email protected]" Copy panther_logs.public.panther_audit | where actor['name'] == "[email protected]" Copy panther_logs.public.panther_audit | where actionParams.dynamic.input.tableProperties[0].propertyId != null Copy panther_logs.public.panther_audit | where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') | summarize row_count=agg.count() Copy panther_logs.public.panther_audit | where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED" | summarize num_events=agg.count() by actionName Copy panther_logs.public.panther_audit | where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED" | summarize num_events=agg.count() by actionName | where num_events < 5 | sort num_events asc Copy let new_logins = panther_logs.public.panther_audit | where p_event_time > time.ago(7d) and p_udm.user.email != null | summarize recent_ips=agg.make_set(p_udm.source.ip) by email=p_udm.user.email; panther_logs.public.panther_audit | where p_event_time > time.ago(60d) and p_event_time < time.ago(7d) and p_udm.user.email != null | summarize baseline_ips=agg.make_set(p_udm.source.ip) by email=p_udm.user.email | join kind=inner new=(new_logins) on $left.email == $right.email | where new.recent_ips[0] not in baseline_ips sun-brightdesktopmoon --- # Rules | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/rules#overview) Overview ----------------------------------------------------------------------------------------------------- Use these API operations to interact with [rules](https://docs.panther.com/detections/rules) in Panther. The rules API entity is only applicable to [Python rules](https://docs.panther.com/detections/rules/python) . To interact with rules created as [Simple/YAML](https://docs.panther.com/detections#simple-detections) rules, see [Simple Rules](https://docs.panther.com/panther-developer-workflows/api/rest/simple-rules) . To call the API, see the [How to use the Panther REST API](https://docs.panther.com/panther-developer-workflows/api/rest#how-to-use-the-panther-rest-api) instructions—including [directions for how to invoke it directly from this documentation page](https://docs.panther.com/panther-developer-workflows/api/rest#step-3-invoke-the-panther-rest-api) . [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/rules#required-permissions) Required permissions ----------------------------------------------------------------------------------------------------------------------------- * For `GET` operations, your API token must have the `View Rules` permission. * For `POST`, `PUT`, and `DELETE` operations, your API token must have the `Manage Rules` permission. [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/rules#operations) Operations --------------------------------------------------------------------------------------------------------- circle-info The below API endpoints are for Python-based rules only. To interact with other detection types, see their pages: [Scheduled Rulesarrow-up-right](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules) , [Simple Detectionsarrow-up-right](https://docs.panther.com/panther-developer-workflows/api/rest/simple-rules) , and [cloud policiesarrow-up-right](https://docs.panther.com/panther-developer-workflows/api/rest/policies) . ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/rules#post-rules) create rule post https://your-api-host/rules Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Query parameters run-tests-firstbooleanOptional set this field to false to exclude running tests prior to saving Default: `true` run-tests-onlybooleanOptional set this field to true if you want to run tests without saving Default: `false` Body application/jsonchevron-down application/json bodystringRequired The python body of the rule createAlertbooleanOptional Determines whether the rule should create alerts when it triggers dedupPeriodMinutesinteger · int64 · min: 1Optional The amount of time in minutes for grouping alerts Default: `60` descriptionstringOptional The description of the rule displayNamestringOptional The display name of the rule enabledbooleanOptional Determines whether or not the rule is active idstringRequired The id of the rule inlineFiltersstringOptional The filter for the rule represented in YAML logTypesstring\[\]Optional log types managedbooleanOptional Determines if the rule is managed by panther outputIDsstring\[\]Optional Destination IDs that override default alert routing based on severity reportsobjectOptional reports Show propertiesplus runbookstringOptional How to handle the generated alert severitystring · enumRequiredPossible values: `INFO``LOW``MEDIUM``HIGH``CRITICAL` summaryAttributesstring\[\]Optional A list of fields in the event to create top 5 summaries for tagsstring\[\]Optional The tags for the rule testsobject\[\]Optional Unit tests for the Rule. Best practice is to include a positive and negative case Show propertiesplus thresholdinteger · int64 · min: 1Optional the number of events that must match before an alert is triggered Default: `1` Responses chevron-right 200 OK response. application/json bodystringOptional The python body of the rule createAlertbooleanOptional Determines whether the rule should create alerts when it triggers createdAtstringOptional createdByobjectOptional The actor who created the rule Show propertiesplus createdByExternalstringOptional The text of the user-provided CreatedBy field when uploaded via CI/CD dedupPeriodMinutesinteger · int64 · min: 1Optional The amount of time in minutes for grouping alerts Default: `60` descriptionstringOptional The description of the rule displayNamestringOptional The display name of the rule enabledbooleanOptional Determines whether or not the rule is active idstringOptional The id of the rule inlineFiltersstringOptional The filter for the rule represented in YAML lastModifiedstringOptional logTypesstring\[\]Optional log types managedbooleanOptional Determines if the rule is managed by panther outputIDsstring\[\]Optional Destination IDs that override default alert routing based on severity reportsobjectOptional reports Show propertiesplus runbookstringOptional How to handle the generated alert severitystring · enumOptionalPossible values: `INFO``LOW``MEDIUM``HIGH``CRITICAL` summaryAttributesstring\[\]Optional A list of fields in the event to create top 5 summaries for tagsstring\[\]Optional The tags for the rule testsobject\[\]Optional Unit tests for the Rule. Best practice is to include a positive and negative case Show propertiesplus thresholdinteger · int64 · min: 1Optional the number of events that must match before an alert is triggered Default: `1` chevron-right 204 No Content response. chevron-right 400 bad\_request: Bad Request response. application/json chevron-right 409 exists: Conflict response. application/json post /rules HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/rules#get-rules-id) get rule get https://your-api-host/rules/{id} Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired ID of the rule to fetch Responses chevron-right 200 OK response. application/json bodystringOptional The python body of the rule createAlertbooleanOptional Determines whether the rule should create alerts when it triggers createdAtstringOptional createdByobjectOptional The actor who created the rule Show propertiesplus createdByExternalstringOptional The text of the user-provided CreatedBy field when uploaded via CI/CD dedupPeriodMinutesinteger · int64 · min: 1Optional The amount of time in minutes for grouping alerts Default: `60` descriptionstringOptional The description of the rule displayNamestringOptional The display name of the rule enabledbooleanOptional Determines whether or not the rule is active idstringOptional The id of the rule inlineFiltersstringOptional The filter for the rule represented in YAML lastModifiedstringOptional logTypesstring\[\]Optional log types managedbooleanOptional Determines if the rule is managed by panther outputIDsstring\[\]Optional Destination IDs that override default alert routing based on severity reportsobjectOptional reports Show propertiesplus runbookstringOptional How to handle the generated alert severitystring · enumOptionalPossible values: `INFO``LOW``MEDIUM``HIGH``CRITICAL` summaryAttributesstring\[\]Optional A list of fields in the event to create top 5 summaries for tagsstring\[\]Optional The tags for the rule testsobject\[\]Optional Unit tests for the Rule. Best practice is to include a positive and negative case Show propertiesplus thresholdinteger · int64 · min: 1Optional the number of events that must match before an alert is triggered Default: `1` chevron-right 404 not\_found: Not Found response. application/json get /rules/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/rules#put-rules-id) put rule put https://your-api-host/rules/{id} put creates or updates a rule Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired the id of the rule Query parameters run-tests-firstbooleanOptional set this field to false to exclude running tests prior to saving Default: `true` run-tests-onlybooleanOptional set this field to true if you want to run tests without saving Default: `false` Body application/jsonchevron-down application/json bodystringRequired The python body of the rule createAlertbooleanOptional Determines whether the rule should create alerts when it triggers dedupPeriodMinutesinteger · int64 · min: 1Optional The amount of time in minutes for grouping alerts Default: `60` descriptionstringOptional The description of the rule displayNamestringOptional The display name of the rule enabledbooleanOptional Determines whether or not the rule is active idstringRequired The id of the rule inlineFiltersstringOptional The filter for the rule represented in YAML logTypesstring\[\]Optional log types managedbooleanOptional Determines if the rule is managed by panther outputIDsstring\[\]Optional Destination IDs that override default alert routing based on severity reportsobjectOptional reports Show propertiesplus runbookstringOptional How to handle the generated alert severitystring · enumRequiredPossible values: `INFO``LOW``MEDIUM``HIGH``CRITICAL` summaryAttributesstring\[\]Optional A list of fields in the event to create top 5 summaries for tagsstring\[\]Optional The tags for the rule testsobject\[\]Optional Unit tests for the Rule. Best practice is to include a positive and negative case Show propertiesplus thresholdinteger · int64 · min: 1Optional the number of events that must match before an alert is triggered Default: `1` Responses chevron-right 200 200 returned if the item already existed application/json bodystringOptional The python body of the rule createAlertbooleanOptional Determines whether the rule should create alerts when it triggers createdAtstringOptional createdByobjectOptional The actor who created the rule Show propertiesplus createdByExternalstringOptional The text of the user-provided CreatedBy field when uploaded via CI/CD dedupPeriodMinutesinteger · int64 · min: 1Optional The amount of time in minutes for grouping alerts Default: `60` descriptionstringOptional The description of the rule displayNamestringOptional The display name of the rule enabledbooleanOptional Determines whether or not the rule is active idstringOptional The id of the rule inlineFiltersstringOptional The filter for the rule represented in YAML lastModifiedstringOptional logTypesstring\[\]Optional log types managedbooleanOptional Determines if the rule is managed by panther outputIDsstring\[\]Optional Destination IDs that override default alert routing based on severity reportsobjectOptional reports Show propertiesplus runbookstringOptional How to handle the generated alert severitystring · enumOptionalPossible values: `INFO``LOW``MEDIUM``HIGH``CRITICAL` summaryAttributesstring\[\]Optional A list of fields in the event to create top 5 summaries for tagsstring\[\]Optional The tags for the rule testsobject\[\]Optional Unit tests for the Rule. Best practice is to include a positive and negative case Show propertiesplus thresholdinteger · int64 · min: 1Optional the number of events that must match before an alert is triggered Default: `1` chevron-right 201 201 returned if the item was created application/json chevron-right 204 No Content response. chevron-right 400 bad\_request: Bad Request response. application/json put /rules/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 200 returned if the item already existed chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/rules#delete-rules-id) delete rule delete https://your-api-host/rules/{id} Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired ID of the rule to delete Responses chevron-right 204 No Content response. chevron-right 400 bad\_request: Bad Request response. application/json chevron-right 404 not\_found: Not Found response. application/json delete /rules/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 204 No Content response. chevron-down No content ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/rules#get-rules) list rules get https://your-api-host/rules Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Query parameters cursorstringOptional the pagination token limitinteger · int64Optional the maximum results to return Default: `100` name-containsstringOptional Substring search by name (case-insensitive) statestring · enumOptional Only include rules in the given state Possible values: `enabled``disabled` log-typestring\[\]Optional Only include rules which apply to one of the given log types severitystring · enum\[\]Optional Only include rules with one of the given severities Show propertiesplus tagstring\[\]Optional Only include rules with one of the given tags (case-insensitive) created-bystringOptional Only include rules whose creator matches this user ID or actor ID last-modified-bystringOptional Only include rules last modified by this user ID or actor ID Responses chevron-right 200 OK response. application/json nextstringOptional pagination token for the next page of results resultsobject\[\]Optional Show propertiesplus get /rules HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. [PreviousRoleschevron-left](https://docs.panther.com/panther-developer-workflows/api/rest/roles) [NextScheduled Ruleschevron-right](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules) Last updated 1 month ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/api/rest/rules#overview) * [Required permissions](https://docs.panther.com/panther-developer-workflows/api/rest/rules#required-permissions) * [Operations](https://docs.panther.com/panther-developer-workflows/api/rest/rules#operations) * [POSTcreate rule](https://docs.panther.com/panther-developer-workflows/api/rest/rules#post-rules) * [GETget rule](https://docs.panther.com/panther-developer-workflows/api/rest/rules#get-rules-id) * [PUTput rule](https://docs.panther.com/panther-developer-workflows/api/rest/rules#put-rules-id) * [DELETEdelete rule](https://docs.panther.com/panther-developer-workflows/api/rest/rules#delete-rules-id) * [GETlist rules](https://docs.panther.com/panther-developer-workflows/api/rest/rules#get-rules) Was this helpful? sun-brightdesktopmoon Copy POST /rules HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 458 { "body": "text", "createAlert": true, "dedupPeriodMinutes": 60, "description": "text", "displayName": "text", "enabled": true, "id": "text", "inlineFilters": "text", "logTypes": [\ "text"\ ], "managed": true, "outputIDs": [\ "text"\ ], "reports": { "ANY_ADDITIONAL_PROPERTY": [\ "text"\ ] }, "runbook": "text", "severity": "INFO", "summaryAttributes": [\ "text"\ ], "tags": [\ "text"\ ], "tests": [\ {\ "expectedResult": true,\ "mocks": [\ {\ "ANY_ADDITIONAL_PROPERTY": "text"\ }\ ],\ "name": "text",\ "resource": "text"\ }\ ], "threshold": 1 } Copy { "body": "text", "createAlert": true, "createdAt": "text", "createdBy": { "id": "user", "type": "text" }, "createdByExternal": "text", "dedupPeriodMinutes": 60, "description": "text", "displayName": "text", "enabled": true, "id": "text", "inlineFilters": "text", "lastModified": "text", "logTypes": [\ "text"\ ], "managed": true, "outputIDs": [\ "text"\ ], "reports": { "ANY_ADDITIONAL_PROPERTY": [\ "text"\ ] }, "runbook": "text", "severity": "INFO", "summaryAttributes": [\ "text"\ ], "tags": [\ "text"\ ], "tests": [\ {\ "expectedResult": true,\ "mocks": [\ {\ "ANY_ADDITIONAL_PROPERTY": "text"\ }\ ],\ "name": "text",\ "resource": "text"\ }\ ], "threshold": 1 } Copy GET /rules/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy { "body": "text", "createAlert": true, "createdAt": "text", "createdBy": { "id": "user", "type": "text" }, "createdByExternal": "text", "dedupPeriodMinutes": 60, "description": "text", "displayName": "text", "enabled": true, "id": "text", "inlineFilters": "text", "lastModified": "text", "logTypes": [\ "text"\ ], "managed": true, "outputIDs": [\ "text"\ ], "reports": { "ANY_ADDITIONAL_PROPERTY": [\ "text"\ ] }, "runbook": "text", "severity": "INFO", "summaryAttributes": [\ "text"\ ], "tags": [\ "text"\ ], "tests": [\ {\ "expectedResult": true,\ "mocks": [\ {\ "ANY_ADDITIONAL_PROPERTY": "text"\ }\ ],\ "name": "text",\ "resource": "text"\ }\ ], "threshold": 1 } Copy PUT /rules/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 458 { "body": "text", "createAlert": true, "dedupPeriodMinutes": 60, "description": "text", "displayName": "text", "enabled": true, "id": "text", "inlineFilters": "text", "logTypes": [\ "text"\ ], "managed": true, "outputIDs": [\ "text"\ ], "reports": { "ANY_ADDITIONAL_PROPERTY": [\ "text"\ ] }, "runbook": "text", "severity": "INFO", "summaryAttributes": [\ "text"\ ], "tags": [\ "text"\ ], "tests": [\ {\ "expectedResult": true,\ "mocks": [\ {\ "ANY_ADDITIONAL_PROPERTY": "text"\ }\ ],\ "name": "text",\ "resource": "text"\ }\ ], "threshold": 1 } Copy { "body": "text", "createAlert": true, "createdAt": "text", "createdBy": { "id": "user", "type": "text" }, "createdByExternal": "text", "dedupPeriodMinutes": 60, "description": "text", "displayName": "text", "enabled": true, "id": "text", "inlineFilters": "text", "lastModified": "text", "logTypes": [\ "text"\ ], "managed": true, "outputIDs": [\ "text"\ ], "reports": { "ANY_ADDITIONAL_PROPERTY": [\ "text"\ ] }, "runbook": "text", "severity": "INFO", "summaryAttributes": [\ "text"\ ], "tags": [\ "text"\ ], "tests": [\ {\ "expectedResult": true,\ "mocks": [\ {\ "ANY_ADDITIONAL_PROPERTY": "text"\ }\ ],\ "name": "text",\ "resource": "text"\ }\ ], "threshold": 1 } Copy DELETE /rules/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy GET /rules HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy { "next": "text", "results": [\ {\ "body": "text",\ "createAlert": true,\ "createdAt": "text",\ "createdBy": {\ "id": "user",\ "type": "text"\ },\ "createdByExternal": "text",\ "dedupPeriodMinutes": 60,\ "description": "text",\ "displayName": "text",\ "enabled": true,\ "id": "text",\ "inlineFilters": "text",\ "lastModified": "text",\ "logTypes": [\ "text"\ ],\ "managed": true,\ "outputIDs": [\ "text"\ ],\ "reports": {\ "ANY_ADDITIONAL_PROPERTY": [\ "text"\ ]\ },\ "runbook": "text",\ "severity": "INFO",\ "summaryAttributes": [\ "text"\ ],\ "tags": [\ "text"\ ],\ "tests": [\ {\ "expectedResult": true,\ "mocks": [\ {\ "ANY_ADDITIONAL_PROPERTY": "text"\ }\ ],\ "name": "text",\ "resource": "text"\ }\ ],\ "threshold": 1\ }\ ] } sun-brightdesktopmoon --- # Users | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/users#overview) Overview ----------------------------------------------------------------------------------------------------- Use these API operations to interact with [users](https://docs.panther.com/system-configuration#user-and-user-role-settings) in Panther. To call the API, see the [How to use the Panther REST API](https://docs.panther.com/panther-developer-workflows/api/rest#how-to-use-the-panther-rest-api) instructions—including [directions for how to invoke it directly from this documentation page](https://docs.panther.com/panther-developer-workflows/api/rest#step-3-invoke-the-panther-rest-api) . [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/users#required-permissions) Required permissions ----------------------------------------------------------------------------------------------------------------------------- * For `GET` operations, your API token must have the `Read User Info` permission. * For `POST` and `DELETE` operations, your API token must have the `Manage Users` permission. [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/users#operations) Operations --------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/users#post-users) Create a user post https://your-api-host/users Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Body application/jsonchevron-down application/json emailstringRequired The email address of the user familyNamestringRequired The family/last name of the user givenNamestringRequired The given/first name of the user roleobjectRequired Show propertiesplus Responses chevron-right 200 OK response. application/json createdAtstringOptional emailstringRequired The email address of the user enabledbooleanRequired Whether the user is active or deactivated familyNamestringRequired The family/last name of the user givenNamestringRequired The given/first name of the user idstringOptional ID of the user lastLoggedInAtstringOptional roleobjectRequired Show propertiesplus statusstringOptional The Cognito auth-related status of this User chevron-right 400 bad\_request: Bad Request response. application/json post /users HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/users#get-users-id) Get a user get https://your-api-host/users/{id} Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired ID of the user Responses chevron-right 200 OK response. application/json createdAtstringOptional emailstringRequired The email address of the user enabledbooleanRequired Whether the user is active or deactivated familyNamestringRequired The family/last name of the user givenNamestringRequired The given/first name of the user idstringOptional ID of the user lastLoggedInAtstringOptional roleobjectRequired Show propertiesplus statusstringOptional The Cognito auth-related status of this User chevron-right 400 bad\_request: Bad Request response. application/json chevron-right 404 not\_found: Not Found response. application/json get /users/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/users#post-users-id) Update a user post https://your-api-host/users/{id} Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired ID of the user Body application/jsonchevron-down application/json emailstringRequired The email address of the user familyNamestringRequired The family/last name of the user givenNamestringRequired The given/first name of the user roleobjectRequired Show propertiesplus Responses chevron-right 200 OK response. application/json createdAtstringOptional emailstringRequired The email address of the user enabledbooleanRequired Whether the user is active or deactivated familyNamestringRequired The family/last name of the user givenNamestringRequired The given/first name of the user idstringOptional ID of the user lastLoggedInAtstringOptional roleobjectRequired Show propertiesplus statusstringOptional The Cognito auth-related status of this User chevron-right 400 bad\_request: Bad Request response. application/json chevron-right 404 not\_found: Not Found response. application/json post /users/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/users#delete-users-id) Delete a user delete https://your-api-host/users/{id} Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired ID of the user Responses chevron-right 200 OK response. No content chevron-right 400 bad\_request: Bad Request response. application/json chevron-right 404 not\_found: Not Found response. application/json delete /users/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. chevron-down No content ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/users#get-users) List users get https://your-api-host/users Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Query parameters cursorstringOptional Pagination token limitinteger · int64 · min: 1 · max: 60Optional Maximum number of results to return Default: `60` containsstringOptional Search name and email fields in a case-insensitive fashion emailstringOptional An exact match of a user's email to return. If provided all other parameters are ignored idstring\[\]Optional Set of IDS to return idsstringOptional A comma delimited list of IDs include-deactivatedbooleanOptional Include deactivated users statusstringOptional Show only users with this Cognito status Responses chevron-right 200 OK response. application/json nextstringOptional Pagination token for the next page of results resultsobject\[\]Required Show propertiesplus get /users HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. [PreviousPolicieschevron-left](https://docs.panther.com/panther-developer-workflows/api/rest/policies) [NextGraphQL APIchevron-right](https://docs.panther.com/panther-developer-workflows/api/graphql) Last updated 14 days ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/api/rest/users#overview) * [Required permissions](https://docs.panther.com/panther-developer-workflows/api/rest/users#required-permissions) * [Operations](https://docs.panther.com/panther-developer-workflows/api/rest/users#operations) * [POSTCreate a user](https://docs.panther.com/panther-developer-workflows/api/rest/users#post-users) * [GETGet a user](https://docs.panther.com/panther-developer-workflows/api/rest/users#get-users-id) * [POSTUpdate a user](https://docs.panther.com/panther-developer-workflows/api/rest/users#post-users-id) * [DELETEDelete a user](https://docs.panther.com/panther-developer-workflows/api/rest/users#delete-users-id) * [GETList users](https://docs.panther.com/panther-developer-workflows/api/rest/users#get-users) Was this helpful? sun-brightdesktopmoon Copy POST /users HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 90 { "email": "text", "familyName": "text", "givenName": "text", "role": { "id": "text", "name": "text" } } Copy { "createdAt": "text", "email": "text", "enabled": true, "familyName": "text", "givenName": "text", "id": "text", "lastLoggedInAt": "text", "role": { "id": "text", "name": "text" }, "status": "text" } Copy GET /users/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy { "createdAt": "text", "email": "text", "enabled": true, "familyName": "text", "givenName": "text", "id": "text", "lastLoggedInAt": "text", "role": { "id": "text", "name": "text" }, "status": "text" } Copy POST /users/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 90 { "email": "text", "familyName": "text", "givenName": "text", "role": { "id": "text", "name": "text" } } Copy { "createdAt": "text", "email": "text", "enabled": true, "familyName": "text", "givenName": "text", "id": "text", "lastLoggedInAt": "text", "role": { "id": "text", "name": "text" }, "status": "text" } Copy DELETE /users/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy GET /users HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy { "next": "text", "results": [\ {\ "createdAt": "text",\ "email": "text",\ "enabled": true,\ "familyName": "text",\ "givenName": "text",\ "id": "text",\ "lastLoggedInAt": "text",\ "role": {\ "id": "text",\ "name": "text"\ },\ "status": "text"\ }\ ] } sun-brightdesktopmoon --- # Cloud Account Management | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/cloud-account#overview) Overview ---------------------------------------------------------------------------------------------------------------- The Panther API supports the following cloud account operations: * Listing your cloud account integrations * Fetching the details of a particular cloud account integration * Creating a new cloud account integration * Updating an existing cloud account integration * Deleting a cloud account integration You can invoke Panther's API by using your Console's API Playground, or the GraphQL-over-HTTP API. Learn more about these methods on [Panther API](https://docs.panther.com/panther-developer-workflows/api#step-1-choose-a-method-for-invoking-the-api) . See [Cloud Security Scanning](https://docs.panther.com/cloud-scanning) to learn more about how to monitor cloud resource configurations with Panther. [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/cloud-account#common-cloud-account-operations) Common cloud account operations -------------------------------------------------------------------------------------------------------------------------------------------------------------- Below are some of the most common GraphQL cloud account operations in Panther. These examples demonstrate the documents you have to send using a GraphQL client (or `curl`) to make a call to Panther's GraphQL API. #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/cloud-account#listing-cloud-accounts) Listing cloud accounts Copy query cloudAccounts { cloudAccounts { edges { node { awsAccountId awsRegionIgnoreList awsScanConfig { auditRole } awsStackName createdAt createdBy { ... on User { id } ... on APIToken { id } } id isEditable isRealtimeScanningEnabled label lastModifiedAt resourceRegexIgnoreList resourceTypeIgnoreList } } } } #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/cloud-account#retrieving-a-cloud-account) Retrieving a cloud account #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/cloud-account#creating-a-cloud-account) Creating a cloud account Panther's [Cloud Security Scanning](https://docs.panther.com/cloud-scanning) is automatically enabled when you onboard a cloud account using `CreateCloudAccount`. Note, however, that you'll still need to [create an IAM role for Panther in your AWS account](https://docs.panther.com/cloud-scanning#creating-an-iam-role-manually-or-with-other-automation) . #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/cloud-account#updating-a-cloud-account) Updating a cloud account #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/cloud-account#deleting-a-cloud-account) Deleting a cloud account [PreviousAlerts & Errorschevron-left](https://docs.panther.com/panther-developer-workflows/api/graphql/alerts-and-errors) [NextData Lake Querieschevron-right](https://docs.panther.com/panther-developer-workflows/api/graphql/data-lake-queries) Last updated 1 year ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/api/graphql/cloud-account#overview) * [Common cloud account operations](https://docs.panther.com/panther-developer-workflows/api/graphql/cloud-account#common-cloud-account-operations) Was this helpful? sun-brightdesktopmoon Copy query cloudAccount { cloudAccount(id:"CLOUD_ACCOUNT_ID") { awsAccountId awsRegionIgnoreList awsScanConfig { auditRole } awsStackName createdAt createdBy { ... on User { id } ... on APIToken { id } } id isEditable isRealtimeScanningEnabled label lastModifiedAt resourceRegexIgnoreList resourceTypeIgnoreList } } Copy mutation CreateCloudAccount { createCloudAccount(input: { awsAccountId: "AWS_ACCOUNT_ID" awsScanConfig: { auditRole: "AUDIT_ROLE" } label: "new cloud account source" }) { cloudAccount { id } } } Copy mutation UpdateCloudAccount { updateCloudAccount( input: { awsRegionIgnoreList: [\ "us-west-1"\ ] awsScanConfig: { auditRole: "ROLE_ARN" } id:"CLOUD_ACCOUNT_INTEGRATION_ID" label: "some updated label" resourceRegexIgnoreList: [".*west-1*"] resourceTypeIgnoreList: ["AWS.KMS.Key"] }) { cloudAccount { id } } } Copy mutation DeleteCloudAccount { deleteCloudAccount(input: {id: "CLOUD_ACCOUNT_ID"}) { id } } sun-brightdesktopmoon --- # User & Role Management | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#overview) Overview ------------------------------------------------------------------------------------------------------------------ The Panther API supports the following user and role operations: * List users * Get a user by ID or by email address * Invite new users * Update a user's information and role * Delete users * List roles * Get a role by ID or by name * Create a new role * Update a role's information and permissions * Delete roles You can invoke Panther's API by using your Console's API Playground, or the GraphQL-over-HTTP API. Learn more about these methods on [Panther API](https://docs.panther.com/panther-developer-workflows/api#step-1-choose-a-method-for-invoking-the-api) . See the sections below for GraphQL queries, mutations, and end-to-end workflow examples around core user and role management operations. [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#common-user-and-role-management-operations) Common user and role management operations -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Below are some of the most common GraphQL user and role management operations in Panther. These examples demonstrate the documents you have to send using a GraphQL client (or `curl`) to make a call to Panther's GraphQL API. Note: The `createdAt` field is in ISO 8601 date and time standard. #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#listing-users) Listing Users #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#retrieving-a-user) Retrieving a User User by Email Address User by ID #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#inviting-a-new-user) Inviting a new User #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#updating-a-user) Updating a User #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#deleting-a-user) Deleting a User #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#listing-roles) Listing Roles #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#retrieving-a-role) Retrieving a Role Role by Name Role by ID #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#creating-a-new-role) Creating a new Role circle-exclamation **Note:** The permission `UserModify` provides full admin access to the Panther platform. Use discretion when assigning this permission to new roles. Basic RBAC per log type enabled #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#updating-a-role) Updating a Role circle-exclamation **Note:** The permissions in the updateRole input must contain **all** desired permissions for the role. Basic RBAC per log type enabled #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#deleting-a-role) Deleting a Role [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#end-to-end-examples) End-to-end examples ---------------------------------------------------------------------------------------------------------------------------------------- Below, we will build on the [Common Operations](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#common-operations) examples to showcase an end-to-end flow. #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#create-a-new-user-administrator-role-and-invite-a-user-to-that-role) **Create a new user administrator role and invite a user to that role.** Python NodeJS [PreviousToken Rotationchevron-left](https://docs.panther.com/panther-developer-workflows/api/graphql/token-rotation) [NextAPI Playgroundchevron-right](https://docs.panther.com/panther-developer-workflows/api/api-playground) Last updated 11 months ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#overview) * [Common user and role management operations](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#common-user-and-role-management-operations) * [End-to-end examples](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management#end-to-end-examples) Was this helpful? sun-brightdesktopmoon Copy query users { users { id givenName familyName email status createdAt lastLoggedInAt role { name id permissions } } } Copy query user { userByEmail(email: "[email protected]") { id givenName familyName email role { name id permissions } status createdAt } } Copy query user { userById(id: "8h81hfh-ij828db") { id givenName familyName email role { name id permissions } status createdAt } } Copy mutation inviteUser { inviteUser(input: { email: "[email protected]" givenName: "firstname" familyName: "lastname" role: { kind: NAME value: "Analyst" } }) { user { id status } } } Copy mutation updateUser { updateUser(input: { id: "8h81hfh-ij828db" familyName: "newName" }) { user { email givenName familyName } } } Copy mutation deleteUser{ deleteUser(input: { id: "8h81hfh-ij828db" }) { id # the delete operation doesn't return a `user` object; just an ID } } Copy query roles { roles( # This input is optional. Without input, the query will return all roles. input: { nameContains: "admin", sortDir: ascending }) { createdAt id name permissions updatedAt updatedBy { ... on User { email id } ... on APIToken { id name } } # Used only if RBAC per log type is enabled logTypeAccess logTypeAccessKind } } Copy query adminRole { roleByName( name: "admin" ) { createdAt id name permissions updatedAt updatedBy { ... on User { email id } ... on APIToken { id name } } # Used only if RBAC per log type is enabled logTypeAccess logTypeAccessKind } } Copy query adminRole { roleById( id: "feeafade-c545" ) { createdAt id logTypeAccess logTypeAccessKind name permissions updatedAt updatedBy { ... on User { email id } ... on APIToken { id name } } # Used only if RBAC per log type is enabled logTypeAccess logTypeAccessKind } } Copy mutation createRole { createRole(input: { name: "new-role" permissions: [\ UserRead\ AlertRead\ ] }) { role { name id permissions } } } Copy mutation createRole { createRole(input: { name: "new-role" permissions: [\ UserRead\ AlertRead\ ] # Used only if the RBAC per log type feature is enabled logTypeAccess:["AWS.ALB"] logTypeAccessKind: ALLOW }) { role { name id permissions logTypeAccess logTypeAccessKind } } } Copy mutation updateRole { updateRole(input: { id: "fea8sje-92jdnhc" name: "updated-role-name" permissions: [\ UserRead\ AlertRead\ AlertModify\ ] }) { role { name id permissions } } } Copy mutation updateRole { updateRole(input: { id: "fea8sje-92jdnhc" name: "updated-role-name" permissions: [\ UserRead\ AlertRead\ AlertModify\ ] # Used only if the RBAC per log type feature is enabled logTypeAccess:["AWS.ALB"] logTypeAccessKind: DENY }) { role { name id permissions logTypeAccess logTypeAccessKind } } } Copy mutation deleteRole { deleteRole(input: { id: "e146c8d8-c6a5" }) { id # The delete operation doesn't return a `role` object. Just an ID. } } Copy # pip install gql aiohttp from gql import gql, Client from gql.transport.aiohttp import AIOHTTPTransport transport = AIOHTTPTransport( url="YOUR_PANTHER_API_URL", headers={"X-API-Key": "YOUR_API_KEY"}, ) client = Client(transport=transport, fetch_schema_from_transport=True) create_user_admin = gql( """ mutation newAdminRole { createRole (input: { name: "user-admin" permissions: [\ UserRead\ UserModify\ OrganizationAPITokenRead\ GeneralSettingsRead\ ] }) { role { name id } } } """ ) invite_user = gql( """ mutation inviteUser($input: InviteUserInput!) { inviteUser (input: $input) { user { id email } } } """ ) new_role_data = client.execute( create_user_admin ) print(f'new role ID is {new_role_data["createRole"]["role"]["id"]}') response_data = client.execute( invite_user, variable_values= { "input": { "email": "[email protected]", "givenName": "user", "familyName": "admin", "role": { "kind": "ID", "value": new_role_data["createRole"]["role"]["id"], } } } ) print(f'Successfully invited user {response_data["inviteUser"]["user"]["email"]} with role {new_role_data["createRole"]["role"]["name"]}.' Copy import { GraphQLClient, gql } from "graphql-request"; const client = new GraphQLClient( "YOUR_PANTHER_API_URL", { headers: { "X-API-Key": "YOUR_API_KEY" } } ); // `createUserAdmin` is a nickname for the query. You can fully omit it. const createUserAdmin = gql` mutation newAdminRole { createRole( input: { name: "user-admin" permissions: [\ UserRead\ UserModify\ OrganizationAPITokenRead\ GeneralSettingsRead\ ] } ) { role { name id } } } `; // `inviteUser` is a nickname for the mutation. You can fully omit it. const inviteUser = gql` mutation inviteUser($input: InviteUserInput!) { inviteUser(input: $input) { user { id email } } } `; (async () => { try { const newRoleData = await client.request(createUserAdmin); const inviteUserOutput = await client.request(inviteUser, { input: { email: "[email protected]", givenName: "user", familyName: "admin", role: { kind: "ID", value: newRoleData.createRole.role.id } } }); console.log( `Successfully invited user ${inviteUserOutput.inviteUser.user.email} with role ${newRoleData.createRole.role.name}.` ); } catch (err) { console.error(err); } })(); sun-brightdesktopmoon --- # Log Source Management | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/log-source#overview) Overview ------------------------------------------------------------------------------------------------------------- The Panther API supports the following log source operations: * Listing your log source integrations * Fetching the details of a particular log source integration * Deleting a log source integration * (For S3 sources only) Creating a new log source integration * (For S3 sources only) Updating an existing log source integration circle-info The `ListSources`, `GetSource`, and `DeleteSource` operations are supported for any log source in Panther. The create and update operations (`CreateS3LogSource` and `UpdateS3LogSource`) are currently limited to only S3 log sources. You can invoke Panther's API by using your Console's API Playground, or the GraphQL-over-HTTP API. Learn more about these methods on [Panther API](https://docs.panther.com/panther-developer-workflows/api#step-1-choose-a-method-for-invoking-the-api) . ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/log-source#required-api-token-permissions) Required API token permissions Before starting to make API calls, ensure your API token has the necessary permissions attached: * **View Log Sources**: Required for all log source management operations. * **Manage Log Sources**: Required for the log source management operations that are mutations (i.e., `CreateS3LogSource`, `UpdateS3LogSource`, and `DeleteSource`). * **Read User Info**: Required if you would like to retrieve integration fields related to an actor, such as `createdBy`. ![An "Integrations" header is above four checkboxes: View Cloud Security Sources, Manage Cloud Security Sources, View Log Sources, and Manage Log Sources.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-4692296563f124328e000bab991e05d423db5e2b%252FScreenshot%25202023-06-12%2520at%25203.45.48%2520PM.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=510616b8&sv=2) [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/log-source#common-log-source-operations) Common log source operations ----------------------------------------------------------------------------------------------------------------------------------------------------- Below are some of the most common GraphQL log source operations in Panther. These examples demonstrate the documents you have to send using a GraphQL client (or `curl`) to make a call to Panther's GraphQL API. #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/log-source#listing-log-sources) Listing log sources circle-info Pagination is not currently supported by `sources`—all log sources will be returned in the first page of results. The `cursor` field in the `input` object, below, is a placeholder for when pagination is eventually supported. #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/log-source#retrieving-a-log-source) Retrieving a log source The input to `source` is the ID of the log source you'd like to fetch. #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/log-source#deleting-a-log-source) Deleting a log source The input to `deleteSource` is the ID of the log source you'd like to delete. #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/log-source#creating-an-s3-log-source) Creating an S3 log source circle-info It's also possible to create a S3 log source [using Terraform](https://docs.panther.com/panther-developer-workflows/terraform/s3) , or [manually in the Panther Console](https://docs.panther.com/data-onboarding/data-transports/aws/s3) . circle-exclamation The first log source you create in Panther must be done in the Panther Console. If you use the API to set up your first Panther log source, you may run into a "pending confirmation" issue detailed in [this Knowledge Base articlearrow-up-right](https://help.panther.com/articles/2327494518-why-is-my-sns-topic-stuck-in-a-pending-confirmation-state-for-the-sqs-confirmation-for-panther) . In the example request below, `input` is an object that fully represents your S3 log source. All fields shown are required. The value of `logProcessingRole` is the ARN of an IAM role. When creating this role, take note of [these guidelines](https://docs.panther.com/data-onboarding/data-transports/aws/s3#i-want-to-set-everything-up-on-my-own) , which describe which policies must be attached. #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/log-source#updating-an-s3-log-source) Updating an S3 log source In the example request below, `input` is an object that fully represents your updated S3 log source. All fields shown are required, as `updateS3Source` replaces all fields of the existing log source (rather than only updating specific fields). [PreviousData Lake Querieschevron-left](https://docs.panther.com/panther-developer-workflows/api/graphql/data-lake-queries) [NextMetricschevron-right](https://docs.panther.com/panther-developer-workflows/api/graphql/metrics) Last updated 12 months ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/api/graphql/log-source#overview) * [Required API token permissions](https://docs.panther.com/panther-developer-workflows/api/graphql/log-source#required-api-token-permissions) * [Common log source operations](https://docs.panther.com/panther-developer-workflows/api/graphql/log-source#common-log-source-operations) Was this helpful? sun-brightdesktopmoon Copy query ListSources { sources(input: { cursor: "" }) { edges { node { createdAtTime createdBy { ... on User { id } ... on APIToken { id } } integrationId integrationLabel integrationType isEditable isHealthy lastEventProcessedAtTime lastEventReceivedAtTime lastModified logTypes } } pageInfo { endCursor hasNextPage hasPreviousPage startCursor } } } Copy query GetSource { source(id: "bcd45662-bab7-4f99-b69f-083a0212568d") { createdAtTime createdBy { ... on User { id } ... on APIToken { id } } integrationId integrationLabel integrationType isEditable isHealthy lastEventProcessedAtTime lastEventReceivedAtTime lastModified logTypes } } Copy mutation DeleteSource { deleteSource(input: { id: "bcd45662-bab7-4f99-b69f-083a0212568d" }) { id } } Copy mutation CreateS3LogSource { createS3Source( input: { awsAccountId: "0123456789012" label: "My Log Source" logProcessingRole: "arn:aws:iam::0123456789012:role/PantherLogProcessingRole-somerole" logStreamType: JSON managedBucketNotifications: false s3Bucket: "name-of-my-bucket" s3PrefixLogTypes: [\ { excludedPrefixes: [], logTypes: ["AWS.ALB"], prefix: "" }\ ] } ) { logSource { createdAtTime integrationId integrationLabel integrationType isEditable isHealthy lastEventProcessedAtTime lastEventReceivedAtTime lastModified logTypes } } } Copy mutation UpdateS3LogSource { updateS3Source( input: { id: "bcd45662-bab7-4f99-b69f-083a0212568d" label: "My Log Source2" kmsKey: "" logProcessingRole: "arn:aws:iam::0123456789012:role/PantherLogProcessingRole-somerole" logStreamType: JSON managedBucketNotifications: false s3PrefixLogTypes: [\ { excludedPrefixes: [], logTypes: ["AWS.ALB"], prefix: "" }\ ] } ) { logSource { createdAtTime integrationId integrationLabel integrationType isEditable isHealthy lastEventProcessedAtTime lastEventReceivedAtTime lastModified logTypes } } } sun-brightdesktopmoon --- # Metrics | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/metrics#overview) Overview ---------------------------------------------------------------------------------------------------------- The Panther API provides the following user metric operations: * Total number of bytes and events that Panther ingested and/or processed over a specific time period * Breakdown of alerts that were generated for each Severity type over a specific time period\\ You can invoke Panther's API by using your Console's API Playground, or the GraphQL-over-HTTP API. Learn more about these methods on [Panther API](https://docs.panther.com/panther-developer-workflows/api#step-1-choose-a-method-for-invoking-the-api) . See the sections below for GraphQL queries, mutations, and end-to-end workflow examples around core metrics operations. ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/metrics#totalbytesingested-vs.-totalbytesprocessed) `totalBytesIngested` vs. `totalBytesProcessed` The `totalBytesIngested` and `totalBytesProcessed` metrics sound similar, but differ in the following way: * `totalBytesIngested`: the total number of bytes Panther has ingested over the past year (the last 365 days from the current date). * `totalBytesProcessed`: the total number of bytes Panther has ingested within the specific time period defined by your query. [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/metrics#common-metrics-operations) Common metrics operations -------------------------------------------------------------------------------------------------------------------------------------------- Below are some of the most common GraphQL metrics operations in Panther. These examples demonstrate the documents you have to send using a GraphQL client (or `curl`) to make a call to Panther's GraphQL API. **Metrics Query** Copy # `GetMetrics` is a nickname for the operation. You can omit any of the # fields/info you're not interested in & only query for what you're after query GetMetrics { metrics(input: { fromDate: "2021-01-01T00:00:00Z" toDate: "2021-12-31T23:59:59Z" }) { alertsPerSeverity { label value breakdown } alertsPerRule { label value entityId } eventsProcessedPerLogType { label value breakdown } bytesProcessedPerSource { label value breakdown } latencyPerLogType { label value } bytesIngestedPerSource { label value } bytesQueriedPerSource { label value breakdown } totalAlerts totalBytesIngested totalBytesProcessed totalBytesQueried totalEventsProcessed } } circle-info The `breakdown` field is only useful for charts that use time as their X-axis. It produces a map of timestamps -> values as a "breakdown" of the `value` field to its constituents. ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/metrics#end-to-end-examples) End-to-end examples Below, we build on the operations from the [Common Operations](https://docs.panther.com/panther-developer-workflows/api/graphql/metrics#common-metrics-operations) examples to showcase an end-to-end use case flow. #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/metrics#fetch-panthers-log-metrics) **Fetch Panther's log metrics** Python NodeJS [PreviousLog Source Managementchevron-left](https://docs.panther.com/panther-developer-workflows/api/graphql/log-source) [NextSchemaschevron-right](https://docs.panther.com/panther-developer-workflows/api/graphql/schemas) Last updated 1 year ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/api/graphql/metrics#overview) * [totalBytesIngested vs. totalBytesProcessed](https://docs.panther.com/panther-developer-workflows/api/graphql/metrics#totalbytesingested-vs.-totalbytesprocessed) * [Common metrics operations](https://docs.panther.com/panther-developer-workflows/api/graphql/metrics#common-metrics-operations) * [End-to-end examples](https://docs.panther.com/panther-developer-workflows/api/graphql/metrics#end-to-end-examples) Was this helpful? sun-brightdesktopmoon Copy # pip install gql aiohttp from gql import gql, Client from gql.transport.aiohttp import AIOHTTPTransport transport = AIOHTTPTransport( url="YOUR_PANTHER_API_URL", headers={"X-API-Key": "YOUR_API_KEY"}, ) client = Client(transport=transport, fetch_schema_from_transport=True) get_metrics = gql( """ query GetMetrics($input: MetricsInput!) { metrics(input: $input) { totalAlerts totalEventsProcessed } } """ ) data = client.execute( get_metrics, variable_values= { "input": { "fromDate": "2022-07-01T00:00:00Z", "toDate": "2022-07-31T23:59:59Z", } } ) print(f'In July, Panther processed {data["metrics"]["totalEventsProcessed"]} events and generated {data["metrics"]["totalAlerts"]} alerts') Copy import { GraphQLClient, gql } from "graphql-request"; const client = new GraphQLClient( "YOUR_PANTHER_API_URL", { headers: { "X-API-Key": "YOUR_API_KEY" } } ); const getMetrics = gql` query GetMetrics($input: MetricsInput!) { metrics(input: $input) { totalAlerts totalEventsProcessed } } `; (async () => { try { const data = await client.request(getMetrics, { input: { fromDate: "2022-07-01T00:00:00Z", toDate: "2022-07-31T23:59:59Z" } }); console.log( `In July, Panther processed ${data.metrics.totalEventsProcessed} events and generated ${data.metrics.totalAlerts} alerts.` ); } catch (err) { console.error(err); } })(); sun-brightdesktopmoon --- # Token Rotation | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/token-rotation#overview) Overview ----------------------------------------------------------------------------------------------------------------- You can rotate your Panther API token by calling the `rotateAPIToken` GraphQL API endpoint. You can invoke Panther's API by using your Console's API Playground, or the GraphQL-over-HTTP API. Learn more about these methods on [Panther API](https://docs.panther.com/panther-developer-workflows/api#step-1-choose-a-method-for-invoking-the-api) . #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/token-rotation#rotate-an-api-token) Rotate an API token To rotate your Panther API token: 1. Perform the operation below to rotate the token. * Copy mutation rotateAPIToken() { rotateAPIToken() { token{ value } } } * Use the API token you'd like to rotate in the request headers. * The response payload will display the refreshed API token. 2. Copy the refreshed token—it will only be shown this once. #### [hashtag](https://docs.panther.com/panther-developer-workflows/api/graphql/token-rotation#example-in-the-api-playground) Example in the API Playground Performed in the Panther Console's API Playground, `rotateAPIToken` looks like the following: ![The API Playground page in the Console shows a rotateAPIToken call and response. There is a section at the bottom for Request Headers, and on the right a Documentation Explorer.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-a7c0b9b35fd122d7b2567fdcd7974b1e3c040c20%252FScreenshot%25202023-03-21%2520at%252011.04.19%2520AM.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=932f2daf&sv=2) [PreviousSchemaschevron-left](https://docs.panther.com/panther-developer-workflows/api/graphql/schemas) [NextUser & Role Managementchevron-right](https://docs.panther.com/panther-developer-workflows/api/graphql/user-management) Last updated 11 months ago Was this helpful? Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # Scheduled Rules | Panther Docs [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#overview) Overview --------------------------------------------------------------------------------------------------------------- Use these API operations to interact with [Scheduled Rules](https://docs.panther.com/detections/rules) in Panther. To call the API, see the [How to use the Panther REST API](https://docs.panther.com/panther-developer-workflows/api/rest#how-to-use-the-panther-rest-api) instructions—including [directions for how to invoke it directly from this documentation page](https://docs.panther.com/panther-developer-workflows/api/rest#step-3-invoke-the-panther-rest-api) . [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#required-permissions) Required permissions --------------------------------------------------------------------------------------------------------------------------------------- * For `GET` operations, your API token must have the `View Rules` permission. * For `POST`, `PUT`, and `DELETE` operations, your API token must have the `Manage Rules` permission. [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#operations) Operations ------------------------------------------------------------------------------------------------------------------- circle-info The below API endpoints are for Scheduled Rules only. To interact with other detection types, see their pages: [Python-based rulesarrow-up-right](https://docs.panther.com/panther-developer-workflows/api/rest/rules) , [Simple Detectionsarrow-up-right](https://docs.panther.com/panther-developer-workflows/api/rest/simple-rules) , and [cloud policiesarrow-up-right](https://docs.panther.com/panther-developer-workflows/api/rest/policies) . ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#post-scheduled-rules) create scheduled rule post https://your-api-host/scheduled-rules Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Query parameters run-tests-firstbooleanOptional set this field to false to exclude running tests prior to saving Default: `true` run-tests-onlybooleanOptional set this field to true if you want to run tests without saving Default: `false` Body application/jsonchevron-down application/json bodystringRequired The python body of the scheduled rule createAlertbooleanOptional Determines whether the scheduled rule should create alerts when it triggers dedupPeriodMinutesinteger · int64 · min: 1Optional The amount of time in minutes for grouping alerts Default: `60` descriptionstringOptional The description of the scheduled rule displayNamestringOptional The display name of the scheduled rule enabledbooleanOptional Determines whether or not the scheduled rule is active idstringRequired The id of the scheduled rule managedbooleanOptional Determines if the scheduled rule is managed by panther outputIDsstring\[\]Optional Destination IDs that override default alert routing based on severity reportsobjectOptional reports Show propertiesplus runbookstringOptional How to handle the generated alert scheduledQueriesstring\[\]Optional the queries that this scheduled rule utilizes severitystring · enumRequiredPossible values: `INFO``LOW``MEDIUM``HIGH``CRITICAL` summaryAttributesstring\[\]Optional A list of fields in the event to create top 5 summaries for tagsstring\[\]Optional The tags for the scheduled rule testsobject\[\]Optional Unit tests for the Rule. Best practice is to include a positive and negative case Show propertiesplus thresholdinteger · int64 · min: 1Optional the number of events that must match before an alert is triggered Default: `1` Responses chevron-right 200 OK response. application/json bodystringOptional The python body of the scheduled rule createAlertbooleanOptional Determines whether the scheduled rule should create alerts when it triggers createdAtstringOptional createdByobjectOptional The actor who created the rule Show propertiesplus createdByExternalstringOptional The text of the user-provided CreatedBy field when uploaded via CI/CD dedupPeriodMinutesinteger · int64 · min: 1Optional The amount of time in minutes for grouping alerts Default: `60` descriptionstringOptional The description of the scheduled rule displayNamestringOptional The display name of the scheduled rule enabledbooleanOptional Determines whether or not the scheduled rule is active idstringOptional The id of the scheduled rule lastModifiedstringOptional managedbooleanOptional Determines if the scheduled rule is managed by panther outputIDsstring\[\]Optional Destination IDs that override default alert routing based on severity reportsobjectOptional reports Show propertiesplus runbookstringOptional How to handle the generated alert scheduledQueriesstring\[\]Optional the queries that this scheduled rule utilizes severitystring · enumOptionalPossible values: `INFO``LOW``MEDIUM``HIGH``CRITICAL` summaryAttributesstring\[\]Optional A list of fields in the event to create top 5 summaries for tagsstring\[\]Optional The tags for the scheduled rule testsobject\[\]Optional Unit tests for the Rule. Best practice is to include a positive and negative case Show propertiesplus thresholdinteger · int64 · min: 1Optional the number of events that must match before an alert is triggered Default: `1` chevron-right 204 No Content response. chevron-right 400 bad\_request: Bad Request response. application/json chevron-right 409 exists: Conflict response. application/json post /scheduled-rules HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#get-scheduled-rules-id) get scheduled rule get https://your-api-host/scheduled-rules/{id} Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired ID of the rule to fetch Responses chevron-right 200 OK response. application/json bodystringOptional The python body of the scheduled rule createAlertbooleanOptional Determines whether the scheduled rule should create alerts when it triggers createdAtstringOptional createdByobjectOptional The actor who created the rule Show propertiesplus createdByExternalstringOptional The text of the user-provided CreatedBy field when uploaded via CI/CD dedupPeriodMinutesinteger · int64 · min: 1Optional The amount of time in minutes for grouping alerts Default: `60` descriptionstringOptional The description of the scheduled rule displayNamestringOptional The display name of the scheduled rule enabledbooleanOptional Determines whether or not the scheduled rule is active idstringOptional The id of the scheduled rule lastModifiedstringOptional managedbooleanOptional Determines if the scheduled rule is managed by panther outputIDsstring\[\]Optional Destination IDs that override default alert routing based on severity reportsobjectOptional reports Show propertiesplus runbookstringOptional How to handle the generated alert scheduledQueriesstring\[\]Optional the queries that this scheduled rule utilizes severitystring · enumOptionalPossible values: `INFO``LOW``MEDIUM``HIGH``CRITICAL` summaryAttributesstring\[\]Optional A list of fields in the event to create top 5 summaries for tagsstring\[\]Optional The tags for the scheduled rule testsobject\[\]Optional Unit tests for the Rule. Best practice is to include a positive and negative case Show propertiesplus thresholdinteger · int64 · min: 1Optional the number of events that must match before an alert is triggered Default: `1` chevron-right 404 not\_found: Not Found response. application/json get /scheduled-rules/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#put-scheduled-rules-id) put scheduled rule put https://your-api-host/scheduled-rules/{id} put creates or updates a scheduled rule Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired the id of the scheduled rule Query parameters run-tests-firstbooleanOptional set this field to false to exclude running tests prior to saving Default: `true` run-tests-onlybooleanOptional set this field to true if you want to run tests without saving Default: `false` Body application/jsonchevron-down application/json bodystringRequired The python body of the scheduled rule createAlertbooleanOptional Determines whether the scheduled rule should create alerts when it triggers dedupPeriodMinutesinteger · int64 · min: 1Optional The amount of time in minutes for grouping alerts Default: `60` descriptionstringOptional The description of the scheduled rule displayNamestringOptional The display name of the scheduled rule enabledbooleanOptional Determines whether or not the scheduled rule is active idstringRequired The id of the scheduled rule managedbooleanOptional Determines if the scheduled rule is managed by panther outputIDsstring\[\]Optional Destination IDs that override default alert routing based on severity reportsobjectOptional reports Show propertiesplus runbookstringOptional How to handle the generated alert scheduledQueriesstring\[\]Optional the queries that this scheduled rule utilizes severitystring · enumRequiredPossible values: `INFO``LOW``MEDIUM``HIGH``CRITICAL` summaryAttributesstring\[\]Optional A list of fields in the event to create top 5 summaries for tagsstring\[\]Optional The tags for the scheduled rule testsobject\[\]Optional Unit tests for the Rule. Best practice is to include a positive and negative case Show propertiesplus thresholdinteger · int64 · min: 1Optional the number of events that must match before an alert is triggered Default: `1` Responses chevron-right 200 200 returned if the item already existed application/json bodystringOptional The python body of the scheduled rule createAlertbooleanOptional Determines whether the scheduled rule should create alerts when it triggers createdAtstringOptional createdByobjectOptional The actor who created the rule Show propertiesplus createdByExternalstringOptional The text of the user-provided CreatedBy field when uploaded via CI/CD dedupPeriodMinutesinteger · int64 · min: 1Optional The amount of time in minutes for grouping alerts Default: `60` descriptionstringOptional The description of the scheduled rule displayNamestringOptional The display name of the scheduled rule enabledbooleanOptional Determines whether or not the scheduled rule is active idstringOptional The id of the scheduled rule lastModifiedstringOptional managedbooleanOptional Determines if the scheduled rule is managed by panther outputIDsstring\[\]Optional Destination IDs that override default alert routing based on severity reportsobjectOptional reports Show propertiesplus runbookstringOptional How to handle the generated alert scheduledQueriesstring\[\]Optional the queries that this scheduled rule utilizes severitystring · enumOptionalPossible values: `INFO``LOW``MEDIUM``HIGH``CRITICAL` summaryAttributesstring\[\]Optional A list of fields in the event to create top 5 summaries for tagsstring\[\]Optional The tags for the scheduled rule testsobject\[\]Optional Unit tests for the Rule. Best practice is to include a positive and negative case Show propertiesplus thresholdinteger · int64 · min: 1Optional the number of events that must match before an alert is triggered Default: `1` chevron-right 201 201 returned if the item was created application/json chevron-right 204 No Content response. chevron-right 400 bad\_request: Bad Request response. application/json put /scheduled-rules/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 200 returned if the item already existed chevron-down ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#delete-scheduled-rules-id) delete scheduled rule delete https://your-api-host/scheduled-rules/{id} Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Path parameters idstringRequired ID of the rule to delete Responses chevron-right 204 No Content response. chevron-right 400 bad\_request: Bad Request response. application/json chevron-right 404 not\_found: Not Found response. application/json delete /scheduled-rules/{id} HTTPchevron-down HTTPcURLJavaScriptPython Test it 204 No Content response. chevron-down No content ### [hashtag](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#get-scheduled-rules) list scheduled rules get https://your-api-host/scheduled-rules Authorizations ApiKeyAuthchevron-down ApiKeyAuth X-API-KeystringRequired Query parameters cursorstringOptional the pagination token limitinteger · int64Optional the maximum results to return Default: `100` name-containsstringOptional Substring search by name (case-insensitive) statestring · enumOptional Only include rules in the given state Possible values: `enabled``disabled` scheduled-querystring\[\]Optional Only include rules which apply to one of these scheduled queries severitystring · enum\[\]Optional Only include rules with one of the given severities Show propertiesplus tagstring\[\]Optional Only include rules with one of the given tags (case-insensitive) created-bystringOptional Only include rules whose creator matches this user ID or actor ID last-modified-bystringOptional Only include rules last modified by this user ID or actor ID Responses chevron-right 200 OK response. application/json nextstringOptional pagination token for the next page of results resultsobject\[\]Optional Show propertiesplus get /scheduled-rules HTTPchevron-down HTTPcURLJavaScriptPython Test it 200 OK response. [PreviousRuleschevron-left](https://docs.panther.com/panther-developer-workflows/api/rest/rules) [NextSimple Ruleschevron-right](https://docs.panther.com/panther-developer-workflows/api/rest/simple-rules) Last updated 1 month ago Was this helpful? * [Overview](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#overview) * [Required permissions](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#required-permissions) * [Operations](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#operations) * [POSTcreate scheduled rule](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#post-scheduled-rules) * [GETget scheduled rule](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#get-scheduled-rules-id) * [PUTput scheduled rule](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#put-scheduled-rules-id) * [DELETEdelete scheduled rule](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#delete-scheduled-rules-id) * [GETlist scheduled rules](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules#get-scheduled-rules) Was this helpful? sun-brightdesktopmoon Copy POST /scheduled-rules HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 443 { "body": "text", "createAlert": true, "dedupPeriodMinutes": 60, "description": "text", "displayName": "text", "enabled": true, "id": "text", "managed": true, "outputIDs": [\ "text"\ ], "reports": { "ANY_ADDITIONAL_PROPERTY": [\ "text"\ ] }, "runbook": "text", "scheduledQueries": [\ "text"\ ], "severity": "INFO", "summaryAttributes": [\ "text"\ ], "tags": [\ "text"\ ], "tests": [\ {\ "expectedResult": true,\ "mocks": [\ {\ "ANY_ADDITIONAL_PROPERTY": "text"\ }\ ],\ "name": "text",\ "resource": "text"\ }\ ], "threshold": 1 } Copy { "body": "text", "createAlert": true, "createdAt": "text", "createdBy": { "id": "user", "type": "text" }, "createdByExternal": "text", "dedupPeriodMinutes": 60, "description": "text", "displayName": "text", "enabled": true, "id": "text", "lastModified": "text", "managed": true, "outputIDs": [\ "text"\ ], "reports": { "ANY_ADDITIONAL_PROPERTY": [\ "text"\ ] }, "runbook": "text", "scheduledQueries": [\ "text"\ ], "severity": "INFO", "summaryAttributes": [\ "text"\ ], "tags": [\ "text"\ ], "tests": [\ {\ "expectedResult": true,\ "mocks": [\ {\ "ANY_ADDITIONAL_PROPERTY": "text"\ }\ ],\ "name": "text",\ "resource": "text"\ }\ ], "threshold": 1 } Copy GET /scheduled-rules/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy { "body": "text", "createAlert": true, "createdAt": "text", "createdBy": { "id": "user", "type": "text" }, "createdByExternal": "text", "dedupPeriodMinutes": 60, "description": "text", "displayName": "text", "enabled": true, "id": "text", "lastModified": "text", "managed": true, "outputIDs": [\ "text"\ ], "reports": { "ANY_ADDITIONAL_PROPERTY": [\ "text"\ ] }, "runbook": "text", "scheduledQueries": [\ "text"\ ], "severity": "INFO", "summaryAttributes": [\ "text"\ ], "tags": [\ "text"\ ], "tests": [\ {\ "expectedResult": true,\ "mocks": [\ {\ "ANY_ADDITIONAL_PROPERTY": "text"\ }\ ],\ "name": "text",\ "resource": "text"\ }\ ], "threshold": 1 } Copy PUT /scheduled-rules/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Content-Type: application/json Accept: */* Content-Length: 443 { "body": "text", "createAlert": true, "dedupPeriodMinutes": 60, "description": "text", "displayName": "text", "enabled": true, "id": "text", "managed": true, "outputIDs": [\ "text"\ ], "reports": { "ANY_ADDITIONAL_PROPERTY": [\ "text"\ ] }, "runbook": "text", "scheduledQueries": [\ "text"\ ], "severity": "INFO", "summaryAttributes": [\ "text"\ ], "tags": [\ "text"\ ], "tests": [\ {\ "expectedResult": true,\ "mocks": [\ {\ "ANY_ADDITIONAL_PROPERTY": "text"\ }\ ],\ "name": "text",\ "resource": "text"\ }\ ], "threshold": 1 } Copy { "body": "text", "createAlert": true, "createdAt": "text", "createdBy": { "id": "user", "type": "text" }, "createdByExternal": "text", "dedupPeriodMinutes": 60, "description": "text", "displayName": "text", "enabled": true, "id": "text", "lastModified": "text", "managed": true, "outputIDs": [\ "text"\ ], "reports": { "ANY_ADDITIONAL_PROPERTY": [\ "text"\ ] }, "runbook": "text", "scheduledQueries": [\ "text"\ ], "severity": "INFO", "summaryAttributes": [\ "text"\ ], "tags": [\ "text"\ ], "tests": [\ {\ "expectedResult": true,\ "mocks": [\ {\ "ANY_ADDITIONAL_PROPERTY": "text"\ }\ ],\ "name": "text",\ "resource": "text"\ }\ ], "threshold": 1 } Copy DELETE /scheduled-rules/{id} HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy GET /scheduled-rules HTTP/1.1 Host: your-api-host X-API-Key: YOUR_API_KEY Accept: */* Copy { "next": "text", "results": [\ {\ "body": "text",\ "createAlert": true,\ "createdAt": "text",\ "createdBy": {\ "id": "user",\ "type": "text"\ },\ "createdByExternal": "text",\ "dedupPeriodMinutes": 60,\ "description": "text",\ "displayName": "text",\ "enabled": true,\ "id": "text",\ "lastModified": "text",\ "managed": true,\ "outputIDs": [\ "text"\ ],\ "reports": {\ "ANY_ADDITIONAL_PROPERTY": [\ "text"\ ]\ },\ "runbook": "text",\ "scheduledQueries": [\ "text"\ ],\ "severity": "INFO",\ "summaryAttributes": [\ "text"\ ],\ "tags": [\ "text"\ ],\ "tests": [\ {\ "expectedResult": true,\ "mocks": [\ {\ "ANY_ADDITIONAL_PROPERTY": "text"\ }\ ],\ "name": "text",\ "resource": "text"\ }\ ],\ "threshold": 1\ }\ ] } sun-brightdesktopmoon --- # Onboarding Guide | Panther Docs [hashtag](https://docs.panther.com/quick-start/onboarding-guide#overview) Overview --------------------------------------------------------------------------------------- Onboarding in Panther includes setting up log sources, detections, and alert destinations, as well as familiarizing yourself with search tools and optionally enabling enrichment capabilities. This guide explains how to complete each of these tasks. If you need help while onboarding, please reach out to your Panther support team. [hashtag](https://docs.panther.com/quick-start/onboarding-guide#prerequisite) Prerequisite ----------------------------------------------------------------------------------------------- * You have successfully logged in to your Panther Console. [hashtag](https://docs.panther.com/quick-start/onboarding-guide#step-1-onboard-log-sources) Step 1: Onboard log sources ---------------------------------------------------------------------------------------------------------------------------- The first step in configuring your Panther environment is to onboard log sources, which provide data to Panther to analyze and store. After identifying valuable sources, you'll onboard each one. ### [hashtag](https://docs.panther.com/quick-start/onboarding-guide#step-1.1-identify-log-sources-to-onboard) Step 1.1: Identify log sources to onboard Consider the log-emitting systems in your environment that you'd like to monitor for security. It's recommended to onboard enough sources to come close to your allowed ingest volume. You can use [log filtering](https://docs.panther.com/data-onboarding/ingestion-filters) if you would only like to ingest _some_ logs from a certain source into Panther. If you need some ideas of where to get started, review the [Supported Logs](https://docs.panther.com/data-onboarding/supported-logs) list. You can also onboard completely [custom sourcesarrow-up-right](https://docs.panther.com/data-onboarding/custom-log-types) . ### [hashtag](https://docs.panther.com/quick-start/onboarding-guide#step-1.2-onboard-each-log-source) Step 1.2: Onboard each log source For each of the log sources you've identified as wanting to ingest: * If the log source is one of Panther's [supported sources](https://docs.panther.com/quick-start/onboarding-guide#supported-logs) , onboard it by following the instructions on its documentation page. * If the log source is not one of Panther's [supported sources](https://docs.panther.com/quick-start/onboarding-guide#supported-logs) : circle-info If the source is high-volume (emits at least one GB per hour) and/or its [payload size exceeds the HTTP payload limit](https://docs.panther.com/data-onboarding/data-transports/http#payload-requirements) , skip to the next step. 1. If the source is able to emit event webhooks: 1. Onboard the source by following the [HTTP Source creation instructions](https://docs.panther.com/data-onboarding/data-transports/http#how-to-set-up-an-http-log-source-in-panther) . 2. Follow the [instructions to infer a custom schema from HTTP data received in Panther](https://docs.panther.com/data-onboarding/custom-log-types#http-data-received-in-panther) . 2. If the source is not able to emit event webhooks but can export events to an S3 bucket: 1. Onboard the source by following the [S3 Source creation instructions](https://docs.panther.com/data-onboarding/data-transports/aws/s3#how-to-pull-logs-from-aws-s3-buckets-into-panther) . 2. Follow the instructions to infer a custom schema in one of the following ways: * [From S3 data received in Panther](https://docs.panther.com/data-onboarding/custom-log-types#s3-data-received-in-panther) * [From historical S3 data](https://docs.panther.com/data-onboarding/custom-log-types#historical-s3-data) 3. If the source is not able to emit event webhooks nor export events to an S3 bucket, but can export events to one of the other [Data Transport](https://docs.panther.com/data-onboarding/data-transports) locations Panther can pull from, e.g., [Google Cloud Storage](https://docs.panther.com/data-onboarding/data-transports/google) or [Azure Blob Storage](https://docs.panther.com/data-onboarding/data-transports/azure/blob-storage) : 1. Define a custom schema in one of the following ways: * [Inferring from sample logs in the Console](https://docs.panther.com/data-onboarding/custom-log-types#sample-logs) * [Inferring using pantherlog `infer`](https://docs.panther.com/panther-developer-workflows/pantherlog#infer-generate-a-schema-from-json-log-samples) * [Creating one manually in the Console](https://docs.panther.com/data-onboarding/custom-log-types#manually) 2. Onboard the source by following the instructions within the [documentation for your chosen Data Transport](https://docs.panther.com/data-onboarding/data-transports) . 4. If the source is not able to emit event webhooks nor export events to any of Panther's [Data Transport](https://docs.panther.com/data-onboarding/data-transports) sources, see Panther's [Data Pipeline Tools](https://docs.panther.com/data-onboarding/data-pipeline-tools) guides or reach out to your Panther support team for assistance in connecting your data to Panther. These Step 1.2 instructions are also represented in the flow chart below: ![This flow chart diagram shows how to onboard a given log source depending on characteristics of the source, like whether it can emit webhook events or export events to S3.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-8d3139a28caac4ea5532c3e83dfddcf4af5bd265%252F10.18.23_log_source_onboarding_flowchart.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=7b3019c9&sv=2) ### [hashtag](https://docs.panther.com/quick-start/onboarding-guide#optional-step-1.3-onboard-aws-account-s-for-cloud-security-scanning) (Optional) Step 1.3: Onboard AWS account(s) for Cloud Security Scanning If you use AWS as a cloud provider, you can use Panther's [Cloud Security Scanning](https://docs.panther.com/cloud-scanning) feature to monitor the configurations of your cloud resources. * If you'd like to use Cloud Security Scanning, [onboard one or more AWS accounts by following these instructions](https://docs.panther.com/cloud-scanning#onboarding-a-cloud-account-in-the-panther-console) . circle-info **Log sources: Go further** * Learn how to [monitor the health of your log sources](https://docs.panther.com/data-onboarding/monitoring-log-sources) . * Learn about [field discovery](https://docs.panther.com/data-onboarding/field-discovery) . * If you created any [custom schemas](https://docs.panther.com/data-onboarding/custom-log-types#how-to-define-a-custom-schema) , designate fields as [Indicator Fields](https://docs.panther.com/search/panther-fields#indicator-fields) to enable cross-log search and detections. [hashtag](https://docs.panther.com/quick-start/onboarding-guide#step-2-create-or-enable-detections) Step 2: Create or enable detections -------------------------------------------------------------------------------------------------------------------------------------------- Now that your data is flowing into Panther, it's time to configure detections. First, you'll choose whether to manage detection content in the Panther Console or CLI workflow. Then, for each source, you'll enable Panther-managed detections or create your own. After you have created or enabled detections, alerts for matches will be visible in your Panther Console and queryable via the Panther API—but you will not receive alerts in external applications until you complete the [next step](https://docs.panther.com/quick-start/onboarding-guide#step-3-configure-alert-destinations) , to set up alert destinations. ### [hashtag](https://docs.panther.com/quick-start/onboarding-guide#step-2.1-choose-the-console-or-cli-workflow-for-detection-management) Step 2.1: Choose the Console or CLI workflow for detection management Decide whether you'd like to manage detection content in the Panther Console or in the CLI workflow (performing uploads using the [Panther Analysis Tool \[PAT\]](https://docs.panther.com/panther-developer-workflows/detections-repo/pat) , perhaps in a [CI/CD](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd) pipeline). Detection content includes detection packs and individual detections (rules, scheduled rules, and policies), as well as data models, global helpers, lookup tables, saved searches, and scheduled searches. Managing detection content in both the Console and CLI workflows is unsupported. You might choose to use the CLI workflow if your team is comfortable using git, command line tools, and CI/CD pipelines. Otherwise, it's recommended to use the Panther Console. circle-info Panther's [Simple Detections](https://docs.panther.com/detections#simple-detections) functionality aims to eventually integrate the Console and CLI workflows. Currently, if your team uses the CLI workflow to manage detection content, the changes made to detections using the [Simple Detection builder](https://docs.panther.com/detections/rules/simple-detection-builder) in the Console will still be overwritten on next upload (except for [Inline Filters](https://docs.panther.com/detections/rules/inline-filters) created in the Console, which will be preserved). ### [hashtag](https://docs.panther.com/quick-start/onboarding-guide#step-2.2-create-or-enable-rules-and-scheduled-rules-for-each-log-source) Step 2.2: Create or enable rules and scheduled rules for each log source For each log source you onboarded to Panther in the previous step, you will enable Panther-managed detections or create your own. If the source is one of Panther's [Supported Logs](https://docs.panther.com/data-onboarding/supported-logs) , follow the [Supported logs section below](https://docs.panther.com/quick-start/onboarding-guide#supported-logs) . Otherwise, follow the [Custom logs section](https://docs.panther.com/quick-start/onboarding-guide#custom-logs) . #### [hashtag](https://docs.panther.com/quick-start/onboarding-guide#supported-logs) Supported logs * If the source is one of Panther's [Supported Logs](https://docs.panther.com/data-onboarding/supported-logs) : * Enable a Panther-managed Detection Pack for the source. See the instructions below for enabling a Detection Pack in the Panther Console and in the CLI workflow. * If you already enabled a Detection Pack for this log source during onboarding (on the final "Success!" page), move on to the next log source. Console CLI **Enable a Panther-managed Detection Pack in the Console** * Follow [these instructions to enable a Panther-managed Detection Packarrow-up-right](https://docs.panther.com/detections/panther-managed/packs#enabling-and-disabling-detection-packs) for the source. Go further: * Learn [how to customize a Panther-managed detection](https://docs.panther.com/detections/panther-managed#how-to-customize-a-panther-managed-detection) . * Create additional, custom detections for this source. **Enable a Panther-managed Detection Pack in the CLI workflow** 1. If you have not done so already, [follow these instructionsarrow-up-right](https://docs.panther.com/panther-developer-workflows/ci-cd/detections-repo) to clone or fork the [panther-analysis repositoryarrow-up-right](https://github.com/panther-labs/panther-analysis/tree/master) of detections. 2. Within the [rules directory of your copy of the panther-analysis repositoryarrow-up-right](https://github.com/panther-labs/panther-analysis/tree/master/rules) , locate the directory for this source, which contains Panther-managed rules and (possibly) scheduled rules. 3. For each Panther-managed rule and scheduled rule that you would like to enable, in the detection's corresponding YAML file, set: 4. If there are any rules or scheduled rules in the source's directory that you would not like enabled, in the detection's corresponding YAML file, set: 5. Upload your detections to Panther manually using [PAT](https://docs.panther.com/panther-developer-workflows/detections-repo/pat) , or [configure your CI/CD pipeline](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd) to upload detection content with PAT. Go further: * Create additional, custom detections for this source. #### [hashtag](https://docs.panther.com/quick-start/onboarding-guide#custom-logs) Custom logs * If the source is a custom log source: * Create your own detections. See the instructions below for creating detections in the Panther Console and in the CLI workflow. While creating detections: * Consider leveraging Panther-managed [helper functions](https://docs.panther.com/detections/rules/python/globals) , or creating your own. * Create [tests](https://docs.panther.com/detections/testing) . Console CLI **Create rules and scheduled rules in the Console** * Create one or more rules for the log source. * [To create a Python rule, follow these instructions](https://docs.panther.com/detections/rules/python#creating-a-rule-in-python-in-the-console) . * [To use the Simple Detection builder, follow these instructions.](https://docs.panther.com/detections/rules/simple-detection-builder#how-to-create-a-rule-in-the-simple-detection-builder) * If necessary, create one or more Scheduled Rules for the log source by [following these instructions](https://docs.panther.com/detections/rules/python#creating-a-scheduled-rule-in-python-in-the-console) . **Create rules and scheduled rules in the CLI workflow** 1. If you have not done so already, [follow these instructionsarrow-up-right](https://docs.panther.com/panther-developer-workflows/ci-cd/detections-repo) to clone or fork the [panther-analysis repositoryarrow-up-right](https://github.com/panther-labs/panther-analysis/tree/master) of Python detections. 2. Write one or more rules for the log source: * [To write a Python rule, follow these instructions](https://docs.panther.com/detections/rules/python#creating-a-rule-in-python-in-the-cli-workflow) . * [To write a Simple Detection rule, follow these instructions](https://docs.panther.com/detections/rules/writing-simple-detections#how-to-create-a-simple-detection-rule-in-yaml) . 3. If necessary, write one or more Scheduled Rules for the log source by [following these instructions](https://docs.panther.com/detections/rules/python#creating-a-scheduled-rule-in-python-in-the-cli-workflow) . 4. Upload your detections to Panther manually using [PAT](https://docs.panther.com/panther-developer-workflows/detections-repo/pat) , or [configure your CI/CD pipeline](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd) to upload detection content with PAT. ### [hashtag](https://docs.panther.com/quick-start/onboarding-guide#optional-step-2.3-create-or-enable-policies-for-each-cloud-security-scanning-account) (Optional) Step 2.3: Create or enable policies for each Cloud Security Scanning account If you onboarded one or more AWS accounts for [Cloud Security Scanning](https://docs.panther.com/cloud-scanning) , enable Panther-managed policies, or create your own. Console CLI **Enable Panther-managed Policies in the Console** * Enable the [Panther Core AWS Packarrow-up-right](https://github.com/panther-labs/panther-analysis/blob/13e49e6589b1160928ec85678884da0e72e986f3/packs/aws.yml) in the Panther Console. Note that in addition to Policies, this pack includes rules, helpers, and data models. * [See instructions for enabling Packs in the Console here](https://docs.panther.com/detections/panther-managed/packs#enabling-and-disabling-detection-packs) . **Create Policies in the Console** * To create Policies in the Console, [follow these instructions](https://docs.panther.com/detections/policies#how-to-write-policies-in-the-panther-console) . **Enable Panther-managed Policies in the CLI workflow** * If you have not done so already, [follow these instructionsarrow-up-right](https://docs.panther.com/panther-developer-workflows/ci-cd/detections-repo) to clone or fork the [panther-analysis repositoryarrow-up-right](https://github.com/panther-labs/panther-analysis/tree/master) of Python detections. * Within the [policies directory of your copy of the panther-analysis repositoryarrow-up-right](https://github.com/panther-labs/panther-analysis/tree/master/policies) , identify the directories of interest to you, i.e., the directories covering AWS resources you are interested in monitoring. * In each directory of interest, for each Panther-managed policy that you would like to enable, set the following in the detection's corresponding YAML file: * In each directory of interest, if there are any policies in the directory that you would not like enabled, set the following in the detection's corresponding YAML file: * Upload your detections to Panther manually using [PAT](https://docs.panther.com/panther-developer-workflows/detections-repo/pat) , or [configure your CI/CD pipeline](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd) to upload detection content with PAT. **Create Policies in the CLI workflow** * To write Policies in the CLI workflow, [follow these instructions](https://docs.panther.com/detections/policies#how-to-write-a-policy) . circle-info **Detections: Go further** * If you are using the CLI workflow, [configure your CI/CD pipeline to upload to Panther](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd) . * Use [Data Replay](https://docs.panther.com/detections/testing/data-replay) to check that your detections match when expected. * If you onboarded an AWS account for Cloud Security Scanning, set up [real-time monitoring](https://docs.panther.com/cloud-scanning#real-time-monitoring) . [hashtag](https://docs.panther.com/quick-start/onboarding-guide#step-3-configure-alert-destinations) Step 3: Configure alert destinations ---------------------------------------------------------------------------------------------------------------------------------------------- Set up [alert destinations](https://docs.panther.com/alerts/destinations) to receive alerts in locations outside of your Panther Console. ### [hashtag](https://docs.panther.com/quick-start/onboarding-guide#step-3.1-identify-where-you-want-to-receive-panther-alerts) Step 3.1: Identify where you want to receive Panther alerts Where is the best place for your team to receive Panther alerts? Does it make sense to configure multiple destinations, and route alerts of different [severities](https://docs.panther.com/detections/rules#alert-severity) to different locations? If you need some ideas to get started, check out the list of supported destinations on the [Alert Destinations](https://docs.panther.com/alerts/destinations) page. You can also create [custom destinationsarrow-up-right](https://docs.panther.com/alerts/destinations#setting-up-destinations-that-are-not-natively-supported) . ### [hashtag](https://docs.panther.com/quick-start/onboarding-guide#step-3.2-set-up-destinations) Step 3.2: Set up destinations For each alert destination you'd like to set up: * If the destination is one of the [destinations natively supported by Panther](https://docs.panther.com/alerts/destinations) , follow the setup instructions specific to that destination. * If the destination is not natively supported by Panther: * If the destination can receive HTTP `POST` requests containing a `JSON` payload, follow the [instructions to use a Custom Webhook Destination](https://docs.panther.com/alerts/destinations/custom_webhook) . * Alternatively, consider polling the Panther API for new alerts on a schedule. [Learn more about this option here](https://docs.panther.com/alerts/destinations#panther-api) . ### [hashtag](https://docs.panther.com/quick-start/onboarding-guide#step-3.3-ensure-at-least-one-destination-is-receiving-system-errors) Step 3.3: Ensure at least one destination is receiving System Errors System Errors notify users when some part of their Panther workflow is not functioning correctly, such as log sources turning unhealthy or alerts failing to deliver. Learn more about System Errors on [System Health Notifications](https://docs.panther.com/system-configuration/notifications/system-errors) . When setting up each alert destination, you'll select the **Alert Types** sent to that destination, shown below. It's strongly recommended to configure at least one alert destination to receive System Errors. ![](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-ab3089cbe46e46226afbfc9a150b25ace815516b%252FScreenshot%25202023-09-25%2520at%25201.45.30%2520PM.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=71f051b0&sv=2) circle-info **Alert destinations: Go further** * Learn how to triage alerts in Panther on [Assigning and Managing Alerts](https://docs.panther.com/alerts/alert-management) . [hashtag](https://docs.panther.com/quick-start/onboarding-guide#step-4-learn-how-to-use-search-tools) Step 4: Learn how to use search tools ------------------------------------------------------------------------------------------------------------------------------------------------ Before it's time to investigate a security incident, you'll want to be comfortable using Panther's [search tools](https://docs.panther.com/search) . * Practice creating filters and executing a search in the [Search](https://docs.panther.com/search/search-tool) tool. * If you are comfortable writing SQL, practice running queries in [Data Explorer](https://docs.panther.com/search/data-explorer) . * See example queries in [Data Explorer SQL Search Examples](https://docs.panther.com/search/data-explorer/example-queries) . circle-info **Search: Go further** * [Create a Scheduled Search](https://docs.panther.com/search/scheduled-searches#how-to-create-a-scheduled-search) , on top of which you can create a [Scheduled Rule](https://docs.panther.com/detections/rules#how-to-write-scheduled-rules) . [hashtag](https://docs.panther.com/quick-start/onboarding-guide#optional-step-5-set-up-enrichment) (Optional) Step 5: Set up Enrichment -------------------------------------------------------------------------------------------------------------------------------------------- Panther's [Enrichment](https://docs.panther.com/enrichment) features can add useful context to log events, enabling you to write higher fidelity detections and generate more informative alerts. These features include: * Panther-managed enrichments like [IPinfo](https://docs.panther.com/enrichment/ipinfo) , [Tor Exit Nodes](https://docs.panther.com/enrichment/tor-exit-nodes) , and [Anomali ThreatStream](https://docs.panther.com/enrichment/anomali-threatstream) * Log source pullers such as [Google Workspace Profiles](https://docs.panther.com/enrichment/google-workspace) and [Okta Profiles](https://docs.panther.com/enrichment/okta) * [Custom enrichments](https://docs.panther.com/enrichment/custom) containing your own data For each of the above features, determine whether you would like to enable them, and if so, follow the set up instructions on their respective pages. [PreviousQuick Startchevron-left](https://docs.panther.com/quick-start) [NextData Sources & Transportschevron-right](https://docs.panther.com/data-onboarding) Last updated 3 months ago Was this helpful? * [Overview](https://docs.panther.com/quick-start/onboarding-guide#overview) * [Prerequisite](https://docs.panther.com/quick-start/onboarding-guide#prerequisite) * [Step 1: Onboard log sources](https://docs.panther.com/quick-start/onboarding-guide#step-1-onboard-log-sources) * [Step 1.1: Identify log sources to onboard](https://docs.panther.com/quick-start/onboarding-guide#step-1.1-identify-log-sources-to-onboard) * [Step 1.2: Onboard each log source](https://docs.panther.com/quick-start/onboarding-guide#step-1.2-onboard-each-log-source) * [(Optional) Step 1.3: Onboard AWS account(s) for Cloud Security Scanning](https://docs.panther.com/quick-start/onboarding-guide#optional-step-1.3-onboard-aws-account-s-for-cloud-security-scanning) * [Step 2: Create or enable detections](https://docs.panther.com/quick-start/onboarding-guide#step-2-create-or-enable-detections) * [Step 2.1: Choose the Console or CLI workflow for detection management](https://docs.panther.com/quick-start/onboarding-guide#step-2.1-choose-the-console-or-cli-workflow-for-detection-management) * [Step 2.2: Create or enable rules and scheduled rules for each log source](https://docs.panther.com/quick-start/onboarding-guide#step-2.2-create-or-enable-rules-and-scheduled-rules-for-each-log-source) * [(Optional) Step 2.3: Create or enable policies for each Cloud Security Scanning account](https://docs.panther.com/quick-start/onboarding-guide#optional-step-2.3-create-or-enable-policies-for-each-cloud-security-scanning-account) * [Step 3: Configure alert destinations](https://docs.panther.com/quick-start/onboarding-guide#step-3-configure-alert-destinations) * [Step 3.1: Identify where you want to receive Panther alerts](https://docs.panther.com/quick-start/onboarding-guide#step-3.1-identify-where-you-want-to-receive-panther-alerts) * [Step 3.2: Set up destinations](https://docs.panther.com/quick-start/onboarding-guide#step-3.2-set-up-destinations) * [Step 3.3: Ensure at least one destination is receiving System Errors](https://docs.panther.com/quick-start/onboarding-guide#step-3.3-ensure-at-least-one-destination-is-receiving-system-errors) * [Step 4: Learn how to use search tools](https://docs.panther.com/quick-start/onboarding-guide#step-4-learn-how-to-use-search-tools) * [(Optional) Step 5: Set up Enrichment](https://docs.panther.com/quick-start/onboarding-guide#optional-step-5-set-up-enrichment) Was this helpful? sun-brightdesktopmoon Copy Enabled: True Copy Enabled: False Copy Enabled: True Copy Enabled: False sun-brightdesktopmoon --- # Email Protection | Cloudflare Please enable cookies. Email Protection ================ You are unable to access this email address docs.panther.com ------------------------------------------------------------ The website from which you got to this page is protected by Cloudflare. Email addresses on that page have been hidden in order to keep them from being accessed by malicious bots. **You must enable Javascript in your browser in order to decode the e-mail address**. If you have a website and are interested in protecting it in a similar way, you can [sign up for Cloudflare](https://www.cloudflare.com/sign-up?utm_source=email_protection) . * [How does Cloudflare protect email addresses on website from spammers?](https://developers.cloudflare.com/waf/tools/scrape-shield/email-address-obfuscation/) * [Can I sign up for Cloudflare?](https://developers.cloudflare.com/fundamentals/setup/account/create-account/) Cloudflare Ray ID: **9d9958fc0c80379e** • Your IP: Click to reveal 54.237.218.47 • Performance & security by [Cloudflare](https://www.cloudflare.com/5xx-error-landing) --- # Legal | Panther Docs [hashtag](https://docs.panther.com/resources/help/legal#overview) Overview ------------------------------------------------------------------------------- Panther utilizes third-party software and services (including plug-ins and extensions) in the development of our Services and Software. Some third-party terms applicable to our use of certain third-party software are available below, in [Third-party softare licensesarrow-up-right](https://docs.panther.com/~/changes/2402/resources/help/legal#third-party-software-licenses) . Panther also has [features that use Artificial Intelligence (AI)](https://docs.panther.com/ai) . These features are subject to the [AI disclaimer](https://docs.panther.com/resources/help/legal#ai-disclaimer) , below. If you are looking for information on our Terms of Service and Privacy Policy, please see the [Terms of Service page on panther.comarrow-up-right](https://panther.com/terms-of-service/) . [hashtag](https://docs.panther.com/resources/help/legal#ai-disclaimer) AI disclaimer ----------------------------------------------------------------------------------------- AI features in Panther are currently provided through a third party vendor. If you are using these features, you agree to the third party vendor terms and conditions regarding AI-generated content. If you do not agree to such terms, please do not use these features. AI-generated content may contain errors, omissions, inaccuracies, incorrect statements, and outdated information that may adversely affect your use of the Services. Furthermore, it may lack the same depth of detail and accuracy that can be provided by knowledgeable humans. Therefore, we cannot guarantee the accuracy of any AI-generated content. AI features are provided "AS IS", without any warranty or representation. Panther disclaims all liability related to the use of AI. We are not responsible for any consequences resulting from your reliance upon such AI-generated content. You should always use appropriate caution and consult with an expert before relying on automated information or making decisions based on AI-generated content. [hashtag](https://docs.panther.com/resources/help/legal#third-party-software-licenses) Third-party software licenses ------------------------------------------------------------------------------------------------------------------------- [starlark-goarrow-up-right](https://github.com/google/starlark-go/blob/master/LICENSE) : file-pdf 29KB [starlark-go license.pdf](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-824b0c0c6bf915716a78079f49e15a34b3f6d749%2Fstarlark-go%20license.pdf?alt=media&token=33ef1773-b740-437f-93f2-a3a112f68916) PDF downloadDownload[arrow-up-right-from-squareOpen](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-824b0c0c6bf915716a78079f49e15a34b3f6d749%2Fstarlark-go%20license.pdf?alt=media&token=33ef1773-b740-437f-93f2-a3a112f68916) [PreviousGlossarychevron-left](https://docs.panther.com/resources/help/glossary) [NextPanther System Architecturechevron-right](https://docs.panther.com/resources/panther-architecture) Last updated 11 months ago Was this helpful? * [Overview](https://docs.panther.com/resources/help/legal#overview) * [AI disclaimer](https://docs.panther.com/resources/help/legal#ai-disclaimer) * [Third-party software licenses](https://docs.panther.com/resources/help/legal#third-party-software-licenses) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon --- # MISP Warning Lists | Panther Docs [hashtag](https://docs.panther.com/enrichment/misp#overview) Overview -------------------------------------------------------------------------- You can use Malware Information Sharing Platform (MISP) warning lists as an enrichment source in Panther. MISP warning lists are collections of known, non-malicious indicators that can be associated to potential false positives or errors in threat intelligence. This context can help you evaluate the relevance and validity of Indicators of Compromise (IoCs). The [`misp-warninglists` repository on GitHubarrow-up-right](https://github.com/MISP/misp-warninglists) contains a comprehensive collection of these lists. Learn how to [view stored enrichment data here](https://docs.panther.com/enrichment#viewing-and-managing-enrichments) , and how to [view log events with enrichment data here](https://docs.panther.com/enrichment#viewing-log-events-with-enrichment-data) . [hashtag](https://docs.panther.com/enrichment/misp#how-misp-enrichment-works) How MISP enrichment works ------------------------------------------------------------------------------------------------------------ When MISP warning lists enrichment is enabled: 1. If an incoming log has the `p_any_ip_addresses` field, each value contained within will be checked against all MISP warning lists where `"type": "cidr"`. 2. If an IP address in `p_any_ip_addresses` appears in any `cidr` MISP warning lists, a `misp_warning_lists` object will be added in the log's `p_enrichment` object. * See an [example of an event enriched with MISP warning list data below](https://docs.panther.com/enrichment/misp#example-event-enriched-with-misp-warning-lists-data) . [hashtag](https://docs.panther.com/enrichment/misp#setting-up-misp-warning-lists-enrichment) Setting up MISP warning lists enrichment ------------------------------------------------------------------------------------------------------------------------------------------ Console CLI **How to set up MISP warning lists enrichment in the Panther Console** 1. In the left-hand navigation bar in your Panther Console, click **Detections**. 2. Click the **Packs** tab. 3. Search for "MISP," and on the **MISP Warning Lists Lookup Tables** tile, click the **Enabled** toggle `ON`. 4. In the pop-up confirmation modal, click **Continue**. 5. To verify the Enrichment is enabled, from the left sidebar menu, click **Configure** > **Enrichments.** * On this page, you can see all enrichment sources, whether each source is currently enabled or disabled, and when a source’s data was last refreshed. **How to set up MISP Warning Lists enrichment in the CLI workflow** * To set up MISP warning lists enrichment in the CLI workflow, follow the instructions for Panther-managed enrichment sources on [Managing Lookup Tables and Enrichment Providers with the Panther Analysis Tool](https://docs.panther.com/panther-developer-workflows/detections-repo/pat/managing-enrichment) . Take note that: * CLI users do not need to use Detection Packs to get MISP warning lists enrichment tables. You can pull in the latest release of [`panther-analysis`arrow-up-right](https://github.com/panther-labs/panther-analysis) and use the [`panther_analysis_tool` (PAT)](https://docs.panther.com/panther-developer-workflows/detections-repo/pat) to upload the MISP warning lists enrichment tables. * To enable the MISP warning lists tables using the [`panther-analysis`arrow-up-right](https://github.com/panther-labs/panther-analysis) repository, make sure to open each corresponding YAML configuration file and set `enabled: true`. * It is possible for CLI users to enable MISP warning lists enrichment via Detection Packs (as is shown in the **Console** tab), as long as you do not customize the MISP warning lists tables using PAT. * If you choose to manage MISP warning lists enrichment through PAT after enabling it in the Panther Console, you must first disable the Packs in the Panther Console. Simultaneous use of both the Panther Console and PAT to manage MISP warning lists is not supported. * For more information on how to manage MISP warning lists enrichment, please see the [MISP files in the `panther-analysis` GitHub repositoryarrow-up-right](https://github.com/panther-labs/panther-analysis/tree/main/lookup_tables/misp) . [hashtag](https://docs.panther.com/enrichment/misp#example-event-enriched-with-misp-warning-lists-data) Example event enriched with MISP warning lists data ---------------------------------------------------------------------------------------------------------------------------------------------------------------- Below is a [`Snowflake.LoginHistory`](https://docs.panther.com/data-onboarding/supported-logs/snowflake#snowflake.loginhistory) log enriched with MISP data. The `misp_warning_lists` object within `p_enrichment` contains additional information about an IP address found in the `p_any_ip_adresses` field. [PreviousIPinfochevron-left](https://docs.panther.com/enrichment/ipinfo) [NextOkta Profileschevron-right](https://docs.panther.com/enrichment/okta) Last updated 1 month ago Was this helpful? * [Overview](https://docs.panther.com/enrichment/misp#overview) * [How MISP enrichment works](https://docs.panther.com/enrichment/misp#how-misp-enrichment-works) * [Setting up MISP warning lists enrichment](https://docs.panther.com/enrichment/misp#setting-up-misp-warning-lists-enrichment) * [Example event enriched with MISP warning lists data](https://docs.panther.com/enrichment/misp#example-event-enriched-with-misp-warning-lists-data) Was this helpful? sun-brightdesktopmoon Copy { "p_enrichment": { "misp_warning_lists": { "p_any_ip_addresses": [\ {\ "cidr": "35.160.0.0/12",\ "p_match": "35.166.231.222",\ "warning_lists": [\ {\ "description": "Amazon AWS IP address ranges (https://ip-ranges.amazonaws.com/ip-ranges.json)",\ "id": "amazon-aws",\ "name": "List of known Amazon AWS IP address ranges",\ "version": 20250719\ }\ ]\ }\ ] } }, "CLIENT_IP": "35.166.231.222", "EVENT_ID": "1829252345804554", "EVENT_TIMESTAMP": "2025-09-08 10:42:59.934000000", "EVENT_TYPE": "LOGIN", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "IS_SUCCESS": "YES", "RELATED_EVENT_ID": "0", "REPORTED_CLIENT_TYPE": "GO_DRIVER", "REPORTED_CLIENT_VERSION": "1.13.2", "USER_NAME": "SOME_USER" } sun-brightdesktopmoon --- # Migrating to a CI/CD Workflow | Panther Docs Panther does not support simultaneous use of the Console and CI/CD workflows to manage detection content. If you'd like to transition from managing detections in the Panther Console to managing them via a CI/CD workflow, and you have not yet cloned or forked the `panther-analysis` repo, follow the process below: circle-info This page explains how to perform an initial migration to the CI/CD workflow. If you already use CI/CD, and want to migrate away from using [Detection Packs](https://docs.panther.com/detections/panther-managed/packs) in the Panther Console, follow [this Knowledge Base articlearrow-up-right](https://help.panther.com/articles/9211266919-how-can-i-transition-to-using-panther-with-just-a-ci-cd-workflow-for-our-cloned-repo) instead. ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/migrating-to-a-ci-cd-workflow#step-1-download-content-created-in-the-console) Step 1: Download content created in the Console CI/CD overwrites anything included on upload, which includes rules, policies, global helpers, and data models. If you have created your own copy of Panther-managed enrichment provider helpers, global helpers or data models, you will need to download these as well. There are two options available: Bulk-download all entities at once, or download entities individually: Option 1: Bulk-download all entities Option 2: Download entities separately When you use this option, you can download all detections, global helpers, saved searches, and data models from your Panther Console. Note that this download will include everything that is enabled (including Panther standard rules) and outputs every file under one folder. You will need to move files to the proper repository structure. 1. In the left-hand navigation bar of your Panther Console, click **Detections.** 2. In the upper-right corner, click **Upload**. 3. In the **Bulk Uploader** modal, click **Download all entities**. **Download detections** 1. In the left-hand navigation bar of your Panther Console, click **Detections**. 2. Click the **Filters** icon. In the **Created by** filter, select **Created by team**. 3. Click **Apply Filters**. 4. Download each page of detections. 1. Check the bulk **Select All** box in the upper-left corner of the list. 2. At the top of the list, click **Download**. The detections will be downloaded in a zip that you can incorporate into your version control system. **Download helpers** 1. In the left-hand navigation bar of your Panther Console, click **Detections.** 2. Click the **Helpers** tab. 3. On the right side of a helper tile, click **...** then click **Download**. 4. Repeat for each separate helper. **Download data models** 1. In the left-hand navigation bar of your Panther Console, click **Detections**. 2. Click the **Data Models** tab. 3. On the right side of a data model tile, click **...** then click **Download**. 4. Repeat for each separate data model. ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/migrating-to-a-ci-cd-workflow#step-2-enable-the-developer-workflow-option) Step 2: Enable the Developer Workflow option To prevent Panther detection Packs from being enabled from the Console, self-declare as a developer workflow account: 1. In the Panther Console, navigate to **Settings > General**. 2. Click **Developer Workflow**. 3. Toggle the option to **ON** to disallow Panther Detection Packs from being enabled in the Console. ![Under the "Developer Workflows" tab, there is an option called "We use the Panther Analysis Tool to manage our detections." There is a toggle switch next to it, which is enabled.](https://docs.panther.com/~gitbook/image?url=https%3A%2F%2F4011785613-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-LgdiSWdyJcXPahGi9Rs-2910905616%252Fuploads%252Fgit-blob-60e9b243341ee1b32f0d5b7fcea325dec2aed7a5%252Fread-only-users.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=b27b64eb&sv=2) ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/migrating-to-a-ci-cd-workflow#step-3-mark-users-as-read-only) Step 3: Mark users as read-only To prevent users from making edits in the Panther Console that may conflict with your source control, mark them as read-only: 1. In the Panther Console, navigate to **Settings > Users**. 2. In the user list, locate your developers who are using a CI/CD workflow. 3. Click **...** on the right side of a user tile. In the dropdown menu that appears, click **Edit**. 4. Change the user's role to Read Only. 5. Click **Update**. 6. Repeat these steps for each developer who is using a CI/CD workflow. ### [hashtag](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/migrating-to-a-ci-cd-workflow#step-4-set-up-your-ci-cd-workflow) Step 4: Set up your CI/CD workflow * See either [Managing Panther Content via GitHub Actions](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/github-actions) or [Managing Panther Content via CircleCI](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci) to set up your CI/CD workflow. [PreviousManaging Panther Content via GitHub Actionschevron-left](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/github-actions) [NextPanther APIchevron-right](https://docs.panther.com/panther-developer-workflows/api) Last updated 1 year ago Was this helpful? * [Step 1: Download content created in the Console](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/migrating-to-a-ci-cd-workflow#step-1-download-content-created-in-the-console) * [Step 2: Enable the Developer Workflow option](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/migrating-to-a-ci-cd-workflow#step-2-enable-the-developer-workflow-option) * [Step 3: Mark users as read-only](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/migrating-to-a-ci-cd-workflow#step-3-mark-users-as-read-only) * [Step 4: Set up your CI/CD workflow](https://docs.panther.com/panther-developer-workflows/detections-repo/ci-cd/migrating-to-a-ci-cd-workflow#step-4-set-up-your-ci-cd-workflow) Was this helpful? sun-brightdesktopmoon sun-brightdesktopmoon ---