Schemas

Overview

The Panther API supports the following schema operations:

• Creating or updating a custom schema

• Listing schemas

You can invoke Panther's API by using your Console's API Playground, or the GraphQL-over-HTTP API. Learn more about these methods on Panther API.

See Custom Logs to learn more about custom schemas in Panther.

Required API token permissions

Before starting to make API calls, ensure your API token has the necessary permissions attached:

• View Log Sources: Required for all schema operations.

• Manage Log Sources: Required for the schema management operations that are mutations (i.e., CreateOrUpdateSchema).

• Read User Info: Required if you would like to retrieve integration fields related to an actor, such as createdBy.

Common schema operations

Creating a custom schema

mutation addSchema {
  createOrUpdateSchema(input:{
    description: "description"
    name:"Custom.NewSchema",
    isFieldDiscoveryEnabled: true,
    spec:"""
    fields:
     - name: foo
       type: string
    """
  }) {
    schema {
      createdAt
      description
      isArchived
      isManaged
      name
      referenceURL
      revision
      isFieldDiscoveryEnabled
      spec
      discoveredSpec
      updatedAt
      version
    }
  }
}

Listing schemas

This query lists all schemas, including custom and Panther-managed schemas.

query ListSchemas {
  schemas(input:{cursor:""}) {
    edges {
      node {
        createdAt
        description
        isArchived
        isManaged
        name
        referenceURL
        revision
        isFieldDiscoveryEnabled
        spec
        discoveredSpec
        updatedAt
        version
      }
    }
  }
}