Schemas

Panther GraphQL API schema operations

Overview

The Panther API supports the following schema operations:

Creating or updating a custom schema
Listing schemas

You can invoke Panther's API by using your Console's API Playground, or the GraphQL-over-HTTP API. Learn more about these methods on Panther API.

See Custom Logs to learn more about custom schemas in Panther.

Required API token permissions

Before starting to make API calls, ensure your API token has the necessary permissions attached:

View Log Sources: Required for all schema operations.
Manage Log Sources: Required for the schema management operations that are mutations (i.e., CreateOrUpdateSchema).
Read User Info: Required if you would like to retrieve integration fields related to an actor, such as createdBy.

Common schema operations

Creating a custom schema

mutation addSchema {
  createOrUpdateSchema(input:{
    description: "description"
    name:"Custom.NewSchema",
    spec:"""
    fields:
     - name: foo
       type: string
    """
  }) {
    schema {
      createdAt
      description
      isManaged
      name
      referenceURL
      revision
      spec
      updatedAt
      version
    }
  }
}

Listing schemas

This query lists all schemas, including custom and Panther-managed schemas.

Pagination is not currently supported by schemas—all schemas will be returned in the first page of results. The cursor field in the input object, below, is a placeholder for when pagination is eventually supported.

query ListSchemas {
  schemas(input:{cursor:""}) {
    edges {
      node {
        createdAt
        description
        isManaged
        name
        referenceURL
        revision
        spec
        updatedAt
        version
      }
    }
  }
}

PreviousMetrics NextToken Rotation

Last updated 2 days ago