Log Source Management

Panther API log source management operations

Overview

The Panther API supports the following log source operations:

Listing your log source integrations
Fetching the details of a particular log source integration
Deleting a log source integration
(For S3 sources only) Creating a new log source integration
(For S3 sources only) Updating an existing log source integration

The ListSources, GetSource, and DeleteSource operations are supported for any log source in Panther. The create and update operations (CreateS3LogSource and UpdateS3LogSource) are currently limited to only S3 log sources.

You can invoke Panther's API by using your Console's API Playground, or the GraphQL-over-HTTP API. Learn more about these methods on Panther API.

Required API token permissions

Before starting to make API calls, ensure your API token has the necessary permissions attached:

View Log Sources: Required for all log source management operations.
Manage Log Sources: Required for the log source management operations that are mutations (i.e., CreateS3LogSource, UpdateS3LogSource, and DeleteSource).
Read User Info: Required if you would like to retrieve integration fields related to an actor, such as createdBy.

Common log source operations

Below are some of the most common GraphQL log source operations in Panther. These examples demonstrate the documents you have to send using a GraphQL client (or curl) to make a call to Panther's GraphQL API.

Listing log sources

Pagination is not currently supported by sources—all log sources will be returned in the first page of results. The cursor field in the input object, below, is a placeholder for when pagination is eventually supported.

query ListSources {
  sources(input: { cursor: "" }) {
    edges {
      node {
        createdAtTime
        createdBy {
          ... on User {
            id
          }
          ... on APIToken {
            id
          }
        }
        integrationId
        integrationLabel
        integrationType
        isEditable
        isHealthy
        lastEventProcessedAtTime
        lastEventReceivedAtTime
        lastModified
        logTypes
      }
    }
    pageInfo {
      endCursor
      hasNextPage
      hasPreviousPage
      startCursor
    }
  }
}

Retrieving a log source

The input to source is the ID of the log source you'd like to fetch.

query GetSource {
  source(id: "bcd45662-bab7-4f99-b69f-083a0212568d") {
    createdAtTime
    createdBy {
      ... on User {
        id
      }
      ... on APIToken {
        id
      }
    }
    integrationId
    integrationLabel
    integrationType
    isEditable
    isHealthy
    lastEventProcessedAtTime
    lastEventReceivedAtTime
    lastModified
    logTypes
  }
}

Deleting a log source

The input to deleteSource is the ID of the log source you'd like to delete.

mutation DeleteSource {
  deleteSource(input: { id: "bcd45662-bab7-4f99-b69f-083a0212568d" }) {
    id
  }
}

Creating an S3 log source

It's also possible to create a S3 log source using Terraform, or manually in the Panther Console.

In the example request below, input is an object that fully represents your S3 log source. All fields shown are required.

The value of logProcessingRole is the ARN of an IAM role. When creating this role, take note of these guidelines, which describe which policies must be attached.

mutation CreateS3LogSource {
  createS3Source(
    input: {
      awsAccountId: "0123456789012"
      label: "My Log Source"
      logProcessingRole: "arn:aws:iam::0123456789012:role/PantherLogProcessingRole-somerole"
      logStreamType: JSON
      managedBucketNotifications: false
      s3Bucket: "name-of-my-bucket"
      s3PrefixLogTypes: [
        { excludedPrefixes: [], logTypes: ["AWS.ALB"], prefix: "" }
      ]
    }
  ) {
    logSource {
      createdAtTime
      integrationId
      integrationLabel
      integrationType
      isEditable
      isHealthy
      lastEventProcessedAtTime
      lastEventReceivedAtTime
      lastModified
      logTypes
    }
  }
}

Updating an S3 log source

In the example request below, input is an object that fully represents your updated S3 log source. All fields shown are required, as updateS3Source replaces all fields of the existing log source (rather than only updating specific fields).

mutation UpdateS3LogSource {
  updateS3Source(
    input: {
      id: "bcd45662-bab7-4f99-b69f-083a0212568d"
      label: "My Log Source2"
      kmsKey: ""
      logProcessingRole: "arn:aws:iam::0123456789012:role/PantherLogProcessingRole-somerole"
      logStreamType: JSON
      managedBucketNotifications: false
      s3PrefixLogTypes: [
        { excludedPrefixes: [], logTypes: ["AWS.ALB"], prefix: "" }
      ]
    }
  ) {
    logSource {
      createdAtTime
      integrationId
      integrationLabel
      integrationType
      isEditable
      isHealthy
      lastEventProcessedAtTime
      lastEventReceivedAtTime
      lastModified
      logTypes
    }
  }
}

PreviousData Lake Queries NextMetrics

Last updated 11 months ago