Panther Developer Workflows Overview

Panther Developer Workflows are non-Panther Console workflows you can use to interact with your Panther account, including continuous integration and continuous deployment (CI/CD), API, the Panther Analysis Tool (PAT), the pantherlog tool, and other operational tools.

This page describes the developer workflows and tools you can use with Panther. Panther Developer Workflows are intended for a technical audience who feels comfortable using non-Console workflows.

Using Panther-managed detections

CI/CD users can make use of Panther-managed detections written in Python in the panther-analysis repository in GitHub. This can be done by maintaining a public fork of the repo or maintaining a cloned private repository.

The detections in panther-analysis are broadly applicable, but can be customized to ensure that you are receiving only the alerts that are most important to your organization. You will need to pull updates from panther-analysis to take advantage of new detections.

For instructions, see Using panther-analysis.

CI/CD workflows

Automate your detection pipeline and improve security with a CI/CD workflow: Leverage the Panther-managed Python detections from the panther-analysis repository in GitHub, adapt the detections to fit into your CI/CD pipeline, and upload the detections to your Panther Console.

Panther offers CI/CD documentation specific to using the following platforms:

• CircleCI

• GitHub Actions

Note that you can adapt these instructions to fit other workflows.

Using the Panther Analysis Tool

PAT is an open-source utility for testing, packaging, and deploying Panther detections from source code. It's designed for developer-centric workflows such as managing your Panther detections programmatically or within CI/CD pipelines. Learn more on Panther Analysis Tool.

How your CLI workflows interact with the Panther Console

Your uploaded detections will appear alongside detections that were created manually in the Panther Console.

Creating a GitHub pull request from the Panther Console

If your team has a Panther detection content repository in GitHub, you can configure a connection in Panther that allows your team to, when creating or updating a detection in the Panther Console, create a pull request in GitHub (instead of saving the detection immediately in Panther).

This enables your team to work simultaneously in both the CLI and the Panther Console without worrying that changes made in the Console will be overwritten on the next CLI upload.

After setting up the GitHub connection, when you create or edit detections, instead of the traditional Deploy button, you'll instead see Create PR. Clicking this opens a pull request in your GitHub repository with the changes you've made in the Console.

After the pull request is merged in GitHub, you will still need to use the Panther Analysis Tool (PAT) to upload detection content, likely using a GitHub Action—see Managing Panther Content via GitHub Actions.

Limitations of GitHub pull request creation

• This workflow is currently limited to rules and scheduled rules created in Python or as Simple Detections.

Panther API

Panther offers a public GraphQL-over-HTTP API, meaning you can write GraphQL queries and invoke the API using a typical HTTP request. For more information on GraphQL, please see GraphQL's documentation. The Panther API can integrate with any existing tools that you have. Whether via scripts or CI/CD workflows, the API gives you the ability to automate workflows and complete tasks quickly by codifying processes that would normally require a manual login to the Panther Console.

The Panther API supports operations for token rotation, alerting, cloud account management, log source management, user and role management, data lake queries, and user metrics.

How your API workflows interact with the Panther Console

Panther itself uses an extended version of the API internally, so any changes you make using the Panther API will be immediately reflected in the Panther Console.

Common API use cases

Common use cases include:

• Managing your users through IaaC and automating Role creation

• Getting the latest Panther metrics to use in your own dashboards

• Resolving an alert in Panther as part of an external workflow

• Running a custom Data Explorer query whenever a certain event occurs

For full documentation, as well as end-to-end examples in Python and NodeJS, please see Panther API.

Terraform

You can manage parts of your Panther log source infrastructure using Terraform. Terraform allows you to define and provision your infrastructure through code, making it easy to manage and track changes across your project's lifecycle. Panther is a provider in the Terraform registry.

See a full example of using Terraform to manage an S3 log source on Managing AWS S3 Log Sources with Terraform.

Panther tools

Panther provides two developer tools that you can use within your workflows:

• Panther Analysis Tool (PAT): An open-source utility for testing, packaging, and deploying Panther detections from source code.

  • For instructions on using PAT, see the Panther Analysis Tool documentation.

• Pantherlog: A CLI tool that you can use to infer and parse logs, validate schema files, and run unit tests.

  • For instructions on using pantherlog, see the pantherlog Tool documentation.

Panther MCP server

The Panther Model Context Protocol (MCP) server enables natural language interactions with Panther in your MCP client of choice. Learn more on MCP Server.