pypanther Library Reference
It's recommended to use Python (v1) detections instead of PyPanther. Future support of PyPanther is being evaluated, and feature development is paused.
pypanther convenience function reference

- get_panther_rules()
- get_rules()
- apply_overrides()
- register()
- override()
- extend()
Rule property reference

Required properties are bolded. View the full Rule class definition here.

| Property | Type | Overridable by | Default |
|---|---|---|---|
| **log_types** | List[LogType \| String] | | |
| **default_severity** | Severity \| String | severity() | |
| create_alert | Boolean | | True |
| dedup_period_minutes | Non-negative integer | | 60 |
| default_description | String | description() | "" |
| default_destinations | List[String] | destinations() | [] |
| default_reference | String | reference() | "" |
| default_runbook | String | runbook() | "" |
| display_name | String | | "" |
| enabled | Boolean | | True |
| exclude_filters | List[Callable[[PantherEvent], bool]] | | [] |
| include_filters | List[Callable[[PantherEvent], bool]] | | [] |
| reports | Dictionary[String, List[String]] | | {} |
| summary_attributes | List[String] | | [] |
| tags | List[String] | | [] |
| tests | List[RuleTest] | | [] |
| threshold | Positive integer | | 1 |
RuleTest property reference

View the full RuleTest class definition here.

| Property | Type | Default | Description |
|---|---|---|---|
| name | String | | The name of the test case |
| expected_result | Boolean | | Whether rule() should return True or False |
| log | Dictionary \| String | | The log event that should be tested against the detection |
| mocks | list[RuleMock] | [] | |
| expected_severity | Severity \| String | None | The expected severity of the resulting alert. Only include on tests where expected_result=True |
| expected_title | String | None | The expected title of the resulting alert. Only include on tests where expected_result=True |
| expected_dedup | String | None | The expected deduplication string of the resulting alert. Only include on tests where expected_result=True |
| expected_runbook | String | None | The expected runbook of the resulting alert. Only include on tests where expected_result=True |
| expected_reference | String | None | The expected reference of the resulting alert. Only include on tests where expected_result=True |
| expected_description | String | None | The expected description of the resulting alert. Only include on tests where expected_result=True |
| expected_alert_context | Dictionary | None | The expected alert context of the resulting alert. Only include on tests where expected_result=True |
RuleMock property reference

View the full RuleMock class definition here.

| Property | Type | Default | Description |
|---|---|---|---|
| object_name | String | | The variable, attribute, function or method you'd like to mock |
| new | Any | None | The new value of object_name when mocking a variable or attribute |
| return_value | Any | None | The new value of object_name when mocking a function or method |
| side_effect | Any | None | The name of a different function or method that should be called in place of object_name. Can also be a lambda function. |

One of new, return_value, or side_effect is required.
Rule auxiliary/alerting function reference

Required methods are bolded.

| Method | Returns | Default value |
|---|---|---|
| **rule()** | Boolean | |
| severity() | Severity \| String | Value of default_severity |
| title() | String | Value of display_name |
| dedup() | String | Value of title() > display_name > id |
| destinations() | List[String] | Value of default_destinations |
| runbook() | String | Value of default_runbook |
| reference() | String | Value of default_reference |
| description() | String | Value of default_description |
| alert_context() | Dictionary | |
Additional data types

Severity

pypanther provides a Severity class, which contains enums for alert severity. Using Severity is an alternative to using string literals to denote severity (e.g., "INFO" or "MEDIUM") in a detection. It is recommended to use a Severity object whenever possible.

Severity enum reference

INFO, LOW, MEDIUM, HIGH, CRITICAL

Severity function reference

| Function | Returns | Description |
|---|---|---|
| as_int() | Integer | Converts a Severity to an integer, where INFO=0, LOW=1, MEDIUM=2, HIGH=3, CRITICAL=4 |
| downgrade() | Severity | Returns a Severity object that is one level lower than the one downgrade() is being called on. For example, Severity("LOW").downgrade() returns Severity("INFO"). Learn more in Use upgrade() or downgrade() in severity(). |
| upgrade() | Severity | Returns a Severity object that is one level higher than the one upgrade() is being called on. For example, Severity("LOW").upgrade() returns Severity("MEDIUM"). Learn more in Use upgrade() or downgrade() in severity(). |