pypanther Library Reference
The pypanther library is in closed beta starting with Panther version 1.108. Please share any bug reports and feature requests with your Panther support team.
pypanther convenience function reference

- get_panther_rules()
- get_rules()
- apply_overrides()
- register()
- override()
- extend()
Rule property reference

Required properties are bolded.

| Property | Type | Overriding function | Default |
| --- | --- | --- | --- |
| **log_types** | List[LogType \| String] | | |
| **id** | String | | |
| **default_severity** | Severity \| String | severity() | |
| create_alert | Boolean | | True |
| dedup_period_minutes | Non-negative integer | | 60 |
| default_description | String | description() | "" |
| default_destinations | List[String] | destinations() | [] |
| default_reference | String | reference() | "" |
| default_runbook | String | runbook() | "" |
| display_name | String | | "" |
| enabled | Boolean | | True |
| exclude_filters | List[Callable[[PantherEvent], bool]] | | [] |
| include_filters | List[Callable[[PantherEvent], bool]] | | [] |
| reports | Dictionary[String, List[String]] | | {} |
| summary_attributes | List[String] | | [] |
| tags | List[String] | | [] |
| tests | List[RuleTest] | | [] |
| threshold | Positive integer | | 1 |
RuleTest property reference

| Property | Type | Default | Description |
| --- | --- | --- | --- |
| name | String | | The name of the test case |
| expected_result | Boolean | | Whether rule() should return true or false |
| log | Dictionary \| String | | The log event that should be tested against the detection |
| mocks | List[RuleMock] | [] | |
| expected_severity | Severity \| String | None | The expected severity of the resulting alert |
| expected_title | String | None | The expected title of the resulting alert |
| expected_dedup | String | None | The expected deduplication string of the resulting alert |
| expected_runbook | String | None | The expected runbook of the resulting alert |
| expected_reference | String | None | The expected reference of the resulting alert |
| expected_description | String | None | The expected description of the resulting alert |
| expected_alert_context | Dictionary | None | The expected alert context of the resulting alert |
RuleMock property reference

| Property | Type | Default | Description |
| --- | --- | --- | --- |
| object_name | String | | The variable, attribute, function or method you'd like to mock |
| new | Any | None | The new value of object_name when mocking a variable or attribute. One of new, return_value, or side_effect is required. |
| return_value | Any | None | The new value of object_name when mocking a function or method. One of new, return_value, or side_effect is required. |
| side_effect | Any | None | The name of a different function or method that should be called in place of object_name. One of new, return_value, or side_effect is required. |
Rule auxiliary/alerting function reference

Required methods are bolded.

| Function | Return type | Default |
| --- | --- | --- |
| **rule()** | Boolean | |
| severity() | Severity \| String | Value of default_severity |
| title() | String | Value of display_name |
| dedup() | String | Value of title() > display_name > id |
| destinations() | List[String] | Value of default_destinations |
| runbook() | String | Value of default_runbook |
| reference() | String | Value of default_reference |
| description() | String | Value of default_description |
| alert_context() | Dictionary | |
Additional data types

Severity

pypanther provides a Severity class, which contains enums for alert severity. Using Severity is an alternative to using string literals to denote severity (e.g., "INFO" or "MEDIUM") in a detection. It is recommended to use a Severity object whenever possible.

Severity enum reference

- INFO
- LOW
- MEDIUM
- HIGH
- CRITICAL

Severity function reference

| Function | Return type | Description |
| --- | --- | --- |
| as_int() | Integer | Converts a Severity to an integer, where INFO = 0, LOW = 1, MEDIUM = 2, HIGH = 3, CRITICAL = 4 |
| downgrade() | Severity | |
| upgrade() | Severity | |