pypanther Library Reference
The pypanther library is in closed beta starting with Panther version 1.108. Please share any bug reports and feature requests with your Panther support team.
pypanther convenience function reference
pypanther convenience function referenceRule property reference
Rule property referenceRequired properties are bolded.
log_types
List[LogType | String]
default_severity
Severity | String
severity()
create_alert
Boolean
True
dedup_period_minutes
Non-negative integer
60
default_description
String
description()
“”
default_destinations
List[String]
destinations()
[]
default_reference
String
reference()
“”
default_runbook
String
runbook()
“”
display_name
String
“”
enabled
Boolean
True
exclude_filters
List[Callable[[PantherEvent], bool]]
[]
include_filters
List[Callable[[PantherEvent], bool]]
[]
reports
Dictionary[String,List[String]]
{}
summary_attributes
List[String]
[]
tags
List[String]
[]
tests
List[RuleTest]
[]
threshold
Positive integer
1
RuleTest property reference
RuleTest property referencename
String
The name of the test case
expected_result
Boolean
Whether rule() should return true or false
log
Dictionary | String
The log event that should be tested against the detection
mocks
list[RuleMock]
[]
expected_severity
Severity | String
None
The expected severity of the resulting alert
expected_title
String
None
The expected title of the resulting alert
expected_dedup
String
None
The expected deduplication string of the resulting alert
expected_runbook
String
None
The expected runbook of the resulting alert
expected_reference
String
None
The expected reference of the resulting alert
expected_description
String
None
The expected description of the resulting alert
expected_alert_context
Dictionary
None
The expected alert context of the resulting alert
RuleMock property reference
RuleMock property referenceobject_name
String
The variable, attribute, function or method you'd like to mock
new
Any
None
The new value of object_name when mocking a variable or attribute
One of new, return_value, or side_effect is required
return_value
Any
None
The new value of object_name when mocking a function or method
One of new, return_value, or side_effect is required
side_effect
Any
None
The name of a different function or method that should be called in place of object_name
One of new, return_value, or side_effect is required
Rule auxiliary/alerting function reference
Rule auxiliary/alerting function referenceRequired methods are bolded.
rule()
Boolean
severity()
Severity | String
Value of default_severity
title()
String
Value of display_name
dedup()
String
Value of title() > display_name > id
destinations()
List[String]
Value of default_destinations
runbook()
String
Value of default_runbook
reference()
String
Value of default_reference
description()
String
Value of default_description
alert_context()
Dictionary
Additional data types
Severity
Severitypypanther provides a Severity class, which contains enums for alert severity. Using Severity is an alternative to using string literals to denote severity (e.g., "INFO" or "MEDIUM") in a detection. It is recommended to use a Severity object whenever possible.
Severity enum reference
Severity enum referenceINFOLOWMEDIUMHIGHCRITICAL
Severity function reference
Severity function referenceas_int()
Integer
Converts a Severity to an integer, where:
INFO=0LOW=1MEDIUM=2HIGH=3CRITICAL=4
downgrade()
Severity
Returns a Severity object that is one level lower than the one downgrade() is being called on. For example, Severity("LOW").downgrade() returns Severity("INFO")
Learn more in Use upgrade() or downgrade() in severity().
upgrade()
Severity
Returns a Severity object that is one level higher than the one upgrade() is being called on. For example, Severity("LOW").upgrade() returns Severity("MEDIUM").
Learn more in Use upgrade() or downgrade() in severity().
Last updated