pypanther Library Reference

The pypanther library is in closed beta starting with Panther version 1.108. Please share any bug reports and feature requests with your Panther support team.

`pypanther` convenience function reference

Convenience function How it works

Convenience function	How it works
`get_panther_rules()`	See Importing Panther-managed rules
`get_rules()`	See Importing instances of `Rule`
`apply_overrides()`	See Call `apply_overrides()`
`register()`	See Registering
`override()`	See Applying overrides on existing rules
`extend()`	See Extending list attributes on existing rules

get_panther_rules()

See Importing Panther-managed rules

get_rules()

See Importing instances of Rule

apply_overrides()

See Call apply_overrides()

register()

See Registering

override()

See Applying overrides on existing rules

extend()

See Extending list attributes on existing rules

`Rule` property reference

Required properties are bolded.

Property Data type Overwritten by Default value Description/notes

Property	Data type	Overwritten by	Default value	Description/notes
`log_types`	List[`LogType` \| String]
`id`	String			Required only for registered rules
`default_severity`	`Severity` \| String	`severity()`
`create_alert`	Boolean		`True`
`dedup_period_minutes`	Non-negative integer		`60`
`default_description`	String	`description()`	`“”`
`default_destinations`	List[String]	`destinations()`	`[]`
`default_reference`	String	`reference()`	`“”`
`default_runbook`	String	`runbook()`	`“”`
`display_name`	String		`“”`
`enabled`	Boolean		`True`
`exclude_filters`	List[Callable[[PantherEvent], bool]]		`[]`
`include_filters`	List[Callable[[PantherEvent], bool]]		`[]`
`reports`	Dictionary[String,List[String]]		`{}`
`summary_attributes`	List[String]		`[]`
`tags`	List[String]		`[]`
`tests`	List[`RuleTest`]		`[]`
`threshold`	Positive integer		`1`

log_types

List[LogType | String]

id

String

Required only for registered rules

default_severity

Severity | String

severity()

create_alert

Boolean

True

dedup_period_minutes

Non-negative integer

60

default_description

String

description()

“”

default_destinations

List[String]

destinations()

[]

default_reference

String

reference()

“”

default_runbook

String

runbook()

“”

display_name

String

“”

enabled

Boolean

True

exclude_filters

List[Callable[[PantherEvent], bool]]

[]

include_filters

List[Callable[[PantherEvent], bool]]

[]

reports

Dictionary[String,List[String]]

{}

summary_attributes

List[String]

[]

tags

List[String]

[]

tests

List[RuleTest]

[]

threshold

Positive integer

1

`RuleTest` property reference

Property Data type Default Description

Property	Data type	Default	Description
`name`	String		The name of the test case
`expected_result`	Boolean		Whether `rule()` should return `true` or `false`
`log`	Dictionary \| String		The log event that should be tested against the detection
`mocks`	list[`RuleMock`]	`[]`
`expected_severity`	`Severity` \| String	`None`	The expected severity of the resulting alert
`expected_title`	String	`None`	The expected title of the resulting alert
`expected_dedup`	String	`None`	The expected deduplication string of the resulting alert
`expected_runbook`	String	`None`	The expected runbook of the resulting alert
`expected_reference`	String	`None`	The expected reference of the resulting alert
`expected_description`	String	`None`	The expected description of the resulting alert
`expected_alert_context`	Dictionary	`None`	The expected alert context of the resulting alert

name

String

The name of the test case

expected_result

Boolean

Whether rule() should return true or false

log

Dictionary | String

The log event that should be tested against the detection

mocks

list[RuleMock]

[]

expected_severity

Severity | String

None

The expected severity of the resulting alert

expected_title

String

None

The expected title of the resulting alert

expected_dedup

String

None

The expected deduplication string of the resulting alert

expected_runbook

String

None

The expected runbook of the resulting alert

expected_reference

String

None

The expected reference of the resulting alert

expected_description

String

None

The expected description of the resulting alert

expected_alert_context

Dictionary

None

The expected alert context of the resulting alert

`RuleMock` property reference

Property Data type Default Description

Property	Data type	Default	Description
`object_name`	String		The variable, attribute, function or method you'd like to mock
`new`	Any	`None`	The new value of `object_name` when mocking a variable or attribute One of `new`, `return_value`, or `side_effect` is required
`return_value`	Any	`None`	The new value of `object_name` when mocking a function or method One of `new`, `return_value`, or `side_effect` is required
`side_effect`	Any	`None`	The name of a different function or method that should be called in place of `object_name` One of `new`, `return_value`, or `side_effect` is required

object_name

String

The variable, attribute, function or method you'd like to mock

new

Any

None

The new value of object_name when mocking a variable or attribute One of new, return_value, or side_effect is required

return_value

Any

None

The new value of object_name when mocking a function or method One of new, return_value, or side_effect is required

side_effect

Any

None

The name of a different function or method that should be called in place of object_name One of new, return_value, or side_effect is required

`Rule` auxiliary/alerting function reference

Required methods are bolded.

Function Returned data type Default value

Function	Returned data type	Default value
`rule()`	Boolean
`severity()`	`Severity` \| String	Value of `default_severity`
`title()`	String	Value of `display_name`
`dedup()`	String	Value of `title()` > `display_name` > `id`
`destinations()`	List[String]	Value of `default_destinations`
`runbook()`	String	Value of `default_runbook`
`reference()`	String	Value of `default_reference`
`description()`	String	Value of `default_description`
`alert_context()`	Dictionary

rule()

Boolean

severity()

Severity | String

Value of default_severity

title()

String

Value of display_name

dedup()

String

Value of title() > display_name > id

destinations()

List[String]

Value of default_destinations

runbook()

String

Value of default_runbook

reference()

String

Value of default_reference

description()

String

Value of default_description

alert_context()

Dictionary

Additional data types

`Severity`

pypanther provides a Severity class, which contains enums for alert severity. Using Severity is an alternative to using string literals to denote severity (e.g., "INFO" or "MEDIUM") in a detection. It is recommended to use a Severity object whenever possible.

`Severity` enum reference

INFO
LOW
MEDIUM
HIGH
CRITICAL

`Severity` function reference

Function Returned data type Description

Function	Returned data type	Description
`as_int()`	Integer	Converts a `Severity` to an integer, where: `INFO` = `0` `LOW` = `1` `MEDIUM` = `2` `HIGH` = `3` `CRITICAL` = `4`
`downgrade()`	`Severity`	Returns a `Severity` object that is one level lower than the one `downgrade()` is being called on. For example, `Severity("LOW").downgrade()` returns `Severity("INFO")` Learn more in Use `upgrade()` or `downgrade()` in `severity()`.
`upgrade()`	`Severity`	Returns a `Severity` object that is one level higher than the one `upgrade()` is being called on. For example, `Severity("LOW").upgrade()` returns `Severity("MEDIUM")`. Learn more in Use `upgrade()` or `downgrade()` in `severity()`.

as_int()

Integer

Converts a Severity to an integer, where:

INFO = 0
LOW = 1
MEDIUM = 2
HIGH = 3
CRITICAL = 4

downgrade()

Severity

Returns a Severity object that is one level lower than the one downgrade() is being called on. For example, Severity("LOW").downgrade() returns Severity("INFO") Learn more in Use upgrade() or downgrade() in severity().

upgrade()

Severity

Returns a Severity object that is one level higher than the one upgrade() is being called on. For example, Severity("LOW").upgrade() returns Severity("MEDIUM"). Learn more in Use upgrade() or downgrade() in severity().

PreviousPyPanther Detections Style Guide NextUsing the pypanther Command Line Tool

Last updated 23 days ago

pypanther convenience function reference

Rule property reference

RuleTest property reference

RuleMock property reference

Rule auxiliary/alerting function reference

Additional data types

Severity

Severity enum reference

Severity function reference

`pypanther` convenience function reference

`Rule` property reference

`RuleTest` property reference

`RuleMock` property reference

`Rule` auxiliary/alerting function reference

`Severity`

`Severity` enum reference

`Severity` function reference