REST API (Beta)
Use the Panther REST API to interact with your Panther entities
The REST API is in open beta starting with Panther version 1.98, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther offers a REST API to interact with certain parts of your Panther instance. Currently, you can interact with the following entities through the REST API:
Additional operations are available in the GraphQL API.
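The create and put operations for policies, rules, scheduled rules and simple rules in the specification below accept `run-tests-first` and `run-tests-only`, and answer 400 with a `BadRequestWithTestResultsErr` body. The following is an added example, not Panther's code: it builds such a PUT request and turns the response into a pass/fail verdict for a CI job. The function names, the sample response, the reading of 204 as success, and the assumption that every `TestDetectionRecord` has the `name`, `passed` and `errored` fields shown for `DataModelAPI.TestDetectionRecord` are assumptions of the example; sending the request and authenticating are left out.

```python
import json
from urllib.parse import quote, urlencode

# Resources whose create/put operations take run-tests-first / run-tests-only
# in the specification on this page.
TESTABLE = {"policies", "rules", "scheduled-rules", "simple-rules"}


def build_put(kind, item_id, body, run_tests_only=False, run_tests_first=True):
    """Return (method, path_with_query, json_body) for PUT /{kind}/{id}."""
    if kind not in TESTABLE:
        raise ValueError(f"{kind!r} does not take the run-tests-* parameters")
    if not item_id:
        raise ValueError("id is required")
    if run_tests_only and not run_tests_first:
        # Choice made in this example: refuse a dry run that also skips tests.
        raise ValueError("run-tests-only=true with run-tests-first=false")
    # Encode the id as ONE path segment so '/', '?' or '#' inside an id
    # cannot change which resource the request addresses.
    path = f"/{kind}/{quote(item_id, safe='')}"
    query = {}
    # Spec defaults: run-tests-first=true, run-tests-only=false. Send only overrides.
    if not run_tests_first:
        query["run-tests-first"] = "false"
    if run_tests_only:
        query["run-tests-only"] = "true"
    if query:
        path += "?" + urlencode(query)
    return "PUT", path, json.dumps(body, sort_keys=True)


def interpret(status, body_text=""):
    """Map a PUT response to a verdict a pipeline can gate on."""
    if status == 200:  # "200 returned if the item already existed"
        return {"ok": True, "outcome": "updated", "failed_tests": []}
    if status == 201:  # "201 returned if the item was created"
        return {"ok": True, "outcome": "created", "failed_tests": []}
    if status == 204:
        # The spec only says "No Content response."; treated as success here
        # (assumption of this example).
        return {"ok": True, "outcome": "no-content", "failed_tests": []}
    if status == 400:
        try:
            err = json.loads(body_text) if body_text else {}
        except json.JSONDecodeError:
            err = {"message": "unparseable error body"}
        # A test counts as failed when it errored or did not pass.
        failed = [
            rec.get("name", "<unnamed>")
            for rec in err.get("testResults") or []
            if rec.get("errored") or not rec.get("passed")
        ]
        return {"ok": False, "outcome": "bad-request",
                "message": err.get("message", ""), "failed_tests": failed}
    return {"ok": False, "outcome": f"unexpected-{status}", "failed_tests": []}


# Constructed sample of a 400 body shaped like BadRequestWithTestResultsErr.
SAMPLE_400 = json.dumps({
    "message": "tests failed",
    "testResults": [
        {"name": "admin login from new ASN", "passed": True, "errored": False},
        {"name": "service account excluded", "passed": False, "errored": False},
        {"name": "malformed event", "passed": False, "errored": True},
    ],
})

if __name__ == "__main__":
    # The body is a placeholder, not a valid RuleAPI.ModifyRule document.
    method, path, _ = build_put("rules", "Okta/Admin Login",
                                {"placeholder": True}, run_tests_only=True)
    print(method, path)
    print(interpret(400, SAMPLE_400))
```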
Discover the REST API schema by viewing the OpenAPI specification file. You can either:
View the raw file directly, in the expandable block below:
openapi: 3.0.3
info:
  title: Panther REST API
  version: '1.0'
servers:
  - url: https://{api_host}
    variables:
      api_host:
        default: your-api-host
paths:
  /data-models:
    get:
      tags:
        - data model
      summary: list data models
      operationId: data model#list
      parameters:
        - name: cursor
          in: query
          description: the pagination token
          allowEmptyValue: true
          schema:
            type: string
            description: the pagination token
        - name: limit
          in: query
          description: the maximum results to return
          allowEmptyValue: true
          schema:
            type: integer
            description: the maximum results to return
            default: 100
            format: int64
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DataModelAPI.ListResp'
    post:
      tags:
        - data model
      summary: create data model
      operationId: data model#create
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DataModelAPI.ModifyDataModel'
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DataModelAPI.DataModel'
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DataModelAPI.BadRequestError'
        '409':
          description: 'exists: Conflict response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DataModelAPI.ExistsError'
  /data-models/{id}:
    delete:
      tags:
        - data model
      summary: delete data model
      operationId: data model#delete
      parameters:
        - name: id
          in: path
          description: ID of the data model to delete
          required: true
          schema:
            type: string
            description: ID of the data model to delete
      responses:
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DataModelAPI.BadRequestError'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DataModelAPI.NotFoundError'
    get:
      tags:
        - data model
      summary: get data model
      operationId: data model#get
      parameters:
        - name: id
          in: path
          description: ID of the data model to fetch
          required: true
          schema:
            type: string
            description: ID of the data model to fetch
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DataModelAPI.DataModel'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DataModelAPI.NotFoundError'
    put:
      tags:
        - data model
      summary: put data model
      description: put creates or updates a data model
      operationId: data model#put
      parameters:
        - name: id
          in: path
          description: the id of the data model
          required: true
          schema:
            type: string
            description: the id of the data model
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DataModelAPI.ModifyDataModel'
      responses:
        '200':
          description: 200 returned if the item already existed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DataModelAPI.DataModel'
        '201':
          description: 201 returned if the item was created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DataModelAPI.DataModel'
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DataModelAPI.BadRequestError'
  /globals:
    get:
      tags:
        - global
      summary: list globals
      operationId: global#list
      parameters:
        - name: cursor
          in: query
          description: the pagination token
          allowEmptyValue: true
          schema:
            type: string
            description: the pagination token
        - name: limit
          in: query
          description: the maximum results to return
          allowEmptyValue: true
          schema:
            type: integer
            description: the maximum results to return
            default: 100
            format: int64
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GlobalAPI.ListResp'
    post:
      tags:
        - global
      summary: create global
      operationId: global#create
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/GlobalAPI.ModifyGlobal'
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GlobalAPI.Global'
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GlobalAPI.BadRequestError'
        '409':
          description: 'exists: Conflict response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GlobalAPI.ExistsError'
  /globals/{id}:
    delete:
      tags:
        - global
      summary: delete global
      operationId: global#delete
      parameters:
        - name: id
          in: path
          description: ID of the global to delete
          required: true
          schema:
            type: string
            description: ID of the global to delete
      responses:
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GlobalAPI.BadRequestError'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GlobalAPI.NotFoundError'
    get:
      tags:
        - global
      summary: get global
      operationId: global#get
      parameters:
        - name: id
          in: path
          description: ID of the global to fetch
          required: true
          schema:
            type: string
            description: ID of the global to fetch
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GlobalAPI.Global'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GlobalAPI.NotFoundError'
    put:
      tags:
        - global
      summary: put global
      description: put creates or updates a global
      operationId: global#put
      parameters:
        - name: id
          in: path
          description: The id of the global
          required: true
          schema:
            type: string
            description: The id of the global
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/GlobalAPI.ModifyGlobal2'
      responses:
        '200':
          description: 200 returned if the item already existed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GlobalAPI.PutGlobalResp'
        '201':
          description: 201 returned if the item was created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GlobalAPI.PutGlobalResp'
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GlobalAPI.BadRequestError'
  /log-sources/http:
    post:
      tags:
        - http source
      summary: create http source
      operationId: http source#create
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/HttpSourceAPI.ModifyHTTPSource'
      responses:
        '201':
          description: Created response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.HTTPSource'
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.BadRequestError'
        '409':
          description: 'exists: Conflict response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.ExistsError'
        '500':
          description: 'service: Internal Server Error response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.ServiceError'
  /log-sources/http/{id}:
    delete:
      tags:
        - http source
      summary: delete http source
      operationId: http source#delete
      parameters:
        - name: id
          in: path
          description: ID of the http source to delete
          required: true
          schema:
            type: string
            description: ID of the http source to delete
      responses:
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.BadRequestError'
        '500':
          description: 'service: Internal Server Error response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.ServiceError'
    get:
      tags:
        - http source
      summary: get http source
      operationId: http source#get
      parameters:
        - name: id
          in: path
          description: ID of the http source to fetch
          required: true
          schema:
            type: string
            description: ID of the http source to fetch
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.HTTPSource'
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.BadRequestError'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.NotFoundError'
        '500':
          description: 'service: Internal Server Error response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.ServiceError'
    put:
      tags:
        - http source
      summary: put http source
      description: put updates an http source
      operationId: http source#put
      parameters:
        - name: id
          in: path
          description: ID of the http source to update
          required: true
          schema:
            type: string
            description: ID of the http source to update
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/HttpSourceAPI.ModifyHTTPSource'
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.HTTPSource'
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.BadRequestError'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.NotFoundError'
        '409':
          description: 'exists: Conflict response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.ExistsError'
        '500':
          description: 'service: Internal Server Error response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpSourceAPI.ServiceError'
  /policies:
    get:
      tags:
        - policy
      summary: list policies
      operationId: policy#list
      parameters:
        - name: cursor
          in: query
          description: the pagination token
          allowEmptyValue: true
          schema:
            type: string
            description: the pagination token
        - name: limit
          in: query
          description: the maximum results to return
          allowEmptyValue: true
          schema:
            type: integer
            description: the maximum results to return
            default: 100
            format: int64
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PolicyAPI.ListResp'
    post:
      tags:
        - policy
      summary: create policy
      operationId: policy#create
      parameters:
        - name: run-tests-first
          in: query
          description: set this field to false to exclude running tests prior to saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to false to exclude running tests prior to saving
            default: true
        - name: run-tests-only
          in: query
          description: set this field to true if you want to run tests without saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to true if you want to run tests without saving
            default: false
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PolicyAPI.ModifyPolicy'
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PolicyAPI.Policy'
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PolicyAPI.BadRequestWithTestResultsErr'
        '409':
          description: 'exists: Conflict response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PolicyAPI.ExistsError'
  /policies/{id}:
    delete:
      tags:
        - policy
      summary: delete policy
      operationId: policy#delete
      parameters:
        - name: id
          in: path
          description: ID of the policy to delete
          required: true
          schema:
            type: string
            description: ID of the policy to delete
      responses:
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PolicyAPI.BadRequestWithTestResultsErr'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PolicyAPI.NotFoundError'
    get:
      tags:
        - policy
      summary: get policy
      operationId: policy#get
      parameters:
        - name: id
          in: path
          description: the id of the policy to fetch
          required: true
          schema:
            type: string
            description: the id of the policy to fetch
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PolicyAPI.Policy'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PolicyAPI.NotFoundError'
    put:
      tags:
        - policy
      summary: put policy
      description: put creates or updates a policy
      operationId: policy#put
      parameters:
        - name: run-tests-first
          in: query
          description: set this field to false to exclude running tests prior to saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to false to exclude running tests prior to saving
            default: true
        - name: run-tests-only
          in: query
          description: set this field to true if you want to run tests without saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to true if you want to run tests without saving
            default: false
        - name: id
          in: path
          description: the id of the policy
          required: true
          schema:
            type: string
            description: the id of the policy
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PolicyAPI.ModifyPolicy'
      responses:
        '200':
          description: 200 returned if the item already existed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PolicyAPI.Policy'
        '201':
          description: 201 returned if the item was created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PolicyAPI.Policy'
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PolicyAPI.BadRequestWithTestResultsErr'
  /queries:
    get:
      tags:
        - query
      summary: list queries
      operationId: query#list
      parameters:
        - name: cursor
          in: query
          description: the pagination token
          allowEmptyValue: true
          schema:
            type: string
            description: the pagination token
        - name: limit
          in: query
          description: the maximum results to return
          allowEmptyValue: true
          schema:
            type: integer
            description: the maximum results to return
            default: 100
            format: int64
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/QueryAPI.ListResp'
    post:
      tags:
        - query
      summary: create query
      operationId: query#create
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/QueryAPI.ModifyQuery'
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/QueryAPI.Query'
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/QueryAPI.BadRequestError'
        '409':
          description: 'exists: Conflict response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/QueryAPI.ExistsError'
  /queries/{id}:
    delete:
      tags:
        - query
      summary: delete query
      operationId: query#delete
      parameters:
        - name: id
          in: path
          description: ID of the query to delete
          required: true
          schema:
            type: string
            description: ID of the query to delete
      responses:
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/QueryAPI.BadRequestError'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/QueryAPI.NotFoundError'
    get:
      tags:
        - query
      summary: get query
      operationId: query#get
      parameters:
        - name: id
          in: path
          description: ID of the query to fetch
          required: true
          schema:
            type: string
            description: ID of the query to fetch
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/QueryAPI.Query'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/QueryAPI.NotFoundError'
    post:
      tags:
        - query
      summary: update query
      description: put creates or updates a query
      operationId: query#update
      parameters:
        - name: id
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/QueryAPI.ModifyQuery'
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/QueryAPI.Query'
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/QueryAPI.BadRequestError'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/QueryAPI.NotFoundError'
  /rules:
    get:
      tags:
        - rule
      summary: list rules
      operationId: rule#list
      parameters:
        - name: cursor
          in: query
          description: the pagination token
          allowEmptyValue: true
          schema:
            type: string
            description: the pagination token
        - name: limit
          in: query
          description: the maximum results to return
          allowEmptyValue: true
          schema:
            type: integer
            description: the maximum results to return
            default: 100
            format: int64
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RuleAPI.ListResp'
    post:
      tags:
        - rule
      summary: create rule
      operationId: rule#create
      parameters:
        - name: run-tests-first
          in: query
          description: set this field to false to exclude running tests prior to saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to false to exclude running tests prior to saving
            default: true
        - name: run-tests-only
          in: query
          description: set this field to true if you want to run tests without saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to true if you want to run tests without saving
            default: false
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RuleAPI.ModifyRule'
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RuleAPI.Rule'
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RuleAPI.BadRequestWithTestResultsErr'
        '409':
          description: 'exists: Conflict response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RuleAPI.ExistsError'
  /rules/{id}:
    delete:
      tags:
        - rule
      summary: delete rule
      operationId: rule#delete
      parameters:
        - name: id
          in: path
          description: ID of the rule to delete
          required: true
          schema:
            type: string
            description: ID of the rule to delete
      responses:
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RuleAPI.BadRequestWithTestResultsErr'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RuleAPI.NotFoundError'
    get:
      tags:
        - rule
      summary: get rule
      operationId: rule#get
      parameters:
        - name: id
          in: path
          description: ID of the rule to fetch
          required: true
          schema:
            type: string
            description: ID of the rule to fetch
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RuleAPI.Rule'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RuleAPI.NotFoundError'
    put:
      tags:
        - rule
      summary: put rule
      description: put creates or updates a rule
      operationId: rule#put
      parameters:
        - name: run-tests-first
          in: query
          description: set this field to false to exclude running tests prior to saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to false to exclude running tests prior to saving
            default: true
        - name: run-tests-only
          in: query
          description: set this field to true if you want to run tests without saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to true if you want to run tests without saving
            default: false
        - name: id
          in: path
          description: the id of the rule
          required: true
          schema:
            type: string
            description: the id of the rule
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RuleAPI.ModifyRule'
      responses:
        '200':
          description: 200 returned if the item already existed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RuleAPI.Rule'
        '201':
          description: 201 returned if the item was created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RuleAPI.Rule'
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RuleAPI.BadRequestWithTestResultsErr'
  /scheduled-rules:
    get:
      tags:
        - scheduled rule
      summary: list scheduled rules
      operationId: scheduled rule#list
      parameters:
        - name: cursor
          in: query
          description: the pagination token
          allowEmptyValue: true
          schema:
            type: string
            description: the pagination token
        - name: limit
          in: query
          description: the maximum results to return
          allowEmptyValue: true
          schema:
            type: integer
            description: the maximum results to return
            default: 100
            format: int64
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ScheduledRuleAPI.ListResp'
    post:
      tags:
        - scheduled rule
      summary: create scheduled rule
      operationId: scheduled rule#create
      parameters:
        - name: run-tests-first
          in: query
          description: set this field to false to exclude running tests prior to saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to false to exclude running tests prior to saving
            default: true
        - name: run-tests-only
          in: query
          description: set this field to true if you want to run tests without saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to true if you want to run tests without saving
            default: false
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ScheduledRuleAPI.ModifyRule'
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ScheduledRuleAPI.ScheduledRule'
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ScheduledRuleAPI.BadRequestWithTestResultsErr'
        '409':
          description: 'exists: Conflict response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ScheduledRuleAPI.ExistsError'
  /scheduled-rules/{id}:
    delete:
      tags:
        - scheduled rule
      summary: delete scheduled rule
      operationId: scheduled rule#delete
      parameters:
        - name: id
          in: path
          description: ID of the rule to delete
          required: true
          schema:
            type: string
            description: ID of the rule to delete
      responses:
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ScheduledRuleAPI.BadRequestWithTestResultsErr'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ScheduledRuleAPI.NotFoundError'
    get:
      tags:
        - scheduled rule
      summary: get scheduled rule
      operationId: scheduled rule#get
      parameters:
        - name: id
          in: path
          description: ID of the rule to fetch
          required: true
          schema:
            type: string
            description: ID of the rule to fetch
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ScheduledRuleAPI.ScheduledRule'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ScheduledRuleAPI.NotFoundError'
    put:
      tags:
        - scheduled rule
      summary: put scheduled rule
      description: put creates or updates a scheduled rule
      operationId: scheduled rule#put
      parameters:
        - name: run-tests-first
          in: query
          description: set this field to false to exclude running tests prior to saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to false to exclude running tests prior to saving
            default: true
        - name: run-tests-only
          in: query
          description: set this field to true if you want to run tests without saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to true if you want to run tests without saving
            default: false
        - name: id
          in: path
          description: the id of the scheduled rule
          required: true
          schema:
            type: string
            description: the id of the scheduled rule
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ScheduledRuleAPI.ModifyRule'
      responses:
        '200':
          description: 200 returned if the item already existed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ScheduledRuleAPI.ScheduledRule'
        '201':
          description: 201 returned if the item was created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ScheduledRuleAPI.ScheduledRule'
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ScheduledRuleAPI.BadRequestWithTestResultsErr'
  /simple-rules:
    get:
      tags:
        - simple rule
      summary: list simple rules
      operationId: simple rule#list
      parameters:
        - name: cursor
          in: query
          description: the pagination token
          allowEmptyValue: true
          schema:
            type: string
            description: the pagination token
        - name: limit
          in: query
          description: the maximum results to return
          allowEmptyValue: true
          schema:
            type: integer
            description: the maximum results to return
            default: 100
            format: int64
        - name: include-python
          in: query
          description: determines if associated python for the generated rule is returned
          allowEmptyValue: true
          schema:
            type: boolean
            description: determines if associated python for the generated rule is returned
            default: false
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleRuleAPI.ListResp'
    post:
      tags:
        - simple rule
      summary: create simple rule
      operationId: simple rule#create
      parameters:
        - name: run-tests-first
          in: query
          description: set this field to false to exclude running tests prior to saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to false to exclude running tests prior to saving
            default: true
        - name: run-tests-only
          in: query
          description: set this field to true if you want to run tests without saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to true if you want to run tests without saving
            default: false
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SimpleRuleAPI.ModifyRule'
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleRuleAPI.SimpleRule'
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleRuleAPI.BadRequestWithTestResultsErr'
        '409':
          description: 'exists: Conflict response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleRuleAPI.ExistsError'
  /simple-rules/{id}:
    delete:
      tags:
        - simple rule
      summary: delete simple rule
      operationId: simple rule#delete
      parameters:
        - name: id
          in: path
          description: ID of the simple rule to delete
          required: true
          schema:
            type: string
            description: ID of the simple rule to delete
      responses:
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleRuleAPI.BadRequestWithTestResultsErr'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleRuleAPI.NotFoundError'
    get:
      tags:
        - simple rule
      summary: get a simple rule
      operationId: simple rule#get
      parameters:
        - name: include-python
          in: query
          description: determines if associated python for the generated rule is returned
          allowEmptyValue: true
          schema:
            type: boolean
            description: determines if associated python for the generated rule is returned
            default: false
        - name: id
          in: path
          description: ID of the rule to fetch
          required: true
          schema:
            type: string
            description: ID of the rule to fetch
      responses:
        '200':
          description: OK response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleRuleAPI.SimpleRule'
        '404':
          description: 'not_found: Not Found response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleRuleAPI.NotFoundError'
    put:
      tags:
        - simple rule
      summary: put simple rule
      description: put creates or updates a rule
      operationId: simple rule#put
      parameters:
        - name: run-tests-first
          in: query
          description: set this field to false to exclude running tests prior to saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to false to exclude running tests prior to saving
            default: true
        - name: run-tests-only
          in: query
          description: set this field to true if you want to run tests without saving
          allowEmptyValue: true
          schema:
            type: boolean
            description: set this field to true if you want to run tests without saving
            default: false
        - name: id
          in: path
          description: the id of the rule
          required: true
          schema:
            type: string
            description: the id of the rule
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SimpleRuleAPI.ModifyRule'
      responses:
        '200':
          description: 200 returned if the item already existed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleRuleAPI.SimpleRule'
        '201':
          description: 201 returned if the item was created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleRuleAPI.SimpleRule'
        '204':
          description: No Content response.
        '400':
          description: 'bad_request: Bad Request response.'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SimpleRuleAPI.BadRequestWithTestResultsErr'
components:
  schemas:
    DataModelAPI.BadRequestError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    DataModelAPI.BadRequestWithTestResultsErr:
      type: object
      properties:
        message:
          type: string
        testResults:
          type: array
          items:
            $ref: '#/components/schemas/DataModelAPI.TestDetectionRecord'
      required:
        - message
    DataModelAPI.CreateDataModelResp:
      type: object
      properties:
        data:
          $ref: '#/components/schemas/DataModelAPI.DataModel'
    DataModelAPI.DataModel:
      type: object
      properties:
        body:
          type: string
          description: The python body of the data model
        createdAt:
          type: string
        description:
          type: string
          description: The description of the data model
        displayName:
          type: string
          description: The name used for the data model
        enabled:
          type: boolean
          description: enables/disables a data model
        id:
          type: string
          description: The id of the data model
        lastModified:
          type: string
        logTypes:
          type: array
          items:
            type: string
          description: 'The log type this data model should associate to. NOTE: only one data model can be assigned to a log type'
        mappings:
          type: array
          items:
            $ref: '#/components/schemas/DataModelAPI.DataModelMapping'
    DataModelAPI.DataModelMapping:
      type: object
      properties:
        method:
          type: string
          description: the python function name that should be called
        name:
          type: string
          description: the name of the mapping
        path:
          type: string
          description: the json path
      required:
        - name
    DataModelAPI.ExistsError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    DataModelAPI.ListResp:
      type: object
      properties:
        next:
          type: string
          description: pagination token for the next page of results
        results:
          type: array
          items:
            $ref: '#/components/schemas/DataModelAPI.DataModel'
    DataModelAPI.ModifyDataModel:
      type: object
      properties:
        body:
          type: string
          description: The python body of the data model
        description:
          type: string
          description: The description of the data model
        displayName:
          type: string
          description: The name used for the data model
        enabled:
          type: boolean
          description: enables/disables a data model
        id:
          type: string
          description: The id of the data model
        logTypes:
          type: array
          items:
            type: string
          description: 'The log type this data model should associate to. NOTE: only one data model can be assigned to a log type'
        mappings:
          type: array
          items:
            $ref: '#/components/schemas/DataModelAPI.DataModelMapping'
      required:
        - id
    DataModelAPI.NotFoundError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    DataModelAPI.PutDataModelResp:
      type: object
      properties:
        data:
          $ref: '#/components/schemas/DataModelAPI.DataModel'
    DataModelAPI.ServiceError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    DataModelAPI.TestDetectionRecord:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/DataModelAPI.TestErr'
        errored:
          type: boolean
        functions:
          $ref: '#/components/schemas/DataModelAPI.TestDetectionRecordFunctions'
        name:
          type: string
        passed:
          type: boolean
        triggerAlert:
          type: boolean
    DataModelAPI.TestDetectionRecordFunctions:
      type: object
      properties:
        alertContext:
          $ref: '#/components/schemas/DataModelAPI.TestDetectionSubRecord'
        dedup:
          $ref: '#/components/schemas/DataModelAPI.TestDetectionSubRecord'
        description:
          $ref: '#/components/schemas/DataModelAPI.TestDetectionSubRecord'
        destinations:
          $ref: '#/components/schemas/DataModelAPI.TestDetectionSubRecord'
        detection:
          $ref: '#/components/schemas/DataModelAPI.TestDetectionSubRecord'
        reference:
          $ref: '#/components/schemas/DataModelAPI.TestDetectionSubRecord'
        runbook:
          $ref: '#/components/schemas/DataModelAPI.TestDetectionSubRecord'
        severity:
          $ref: '#/components/schemas/DataModelAPI.TestDetectionSubRecord'
        title:
          $ref: '#/components/schemas/DataModelAPI.TestDetectionSubRecord'
    DataModelAPI.TestDetectionSubRecord:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/DataModelAPI.TestErr'
        output:
          type: string
    DataModelAPI.TestErr:
      type: object
      properties:
        code:
          type: string
        message:
          type: string
    DataModelAPI.UnitTest:
      type: object
      properties:
        expectedResult:
          type: boolean
          description: The expected result
        mocks:
          type: array
          items:
            $ref: '#/components/schemas/DataModelAPI.UnitTestMock'
          description: mocks
        name:
          type: string
          description: name
        resource:
          type: string
          description: resource
      required:
        - name
        - resource
        - expectedResult
    DataModelAPI.UnitTestMock:
      type: object
      additionalProperties:
        type: string
    GlobalAPI.BadRequestError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    GlobalAPI.BadRequestWithTestResultsErr:
      type: object
      properties:
        message:
          type: string
        testResults:
          type: array
          items:
            $ref: '#/components/schemas/GlobalAPI.TestDetectionRecord'
      required:
        - message
    GlobalAPI.ExistsError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    GlobalAPI.Global:
      type: object
      properties:
        body:
          type: string
          description: The python body of the global
        createdAt:
          type: string
        description:
          type: string
          description: The description of the global
        id:
          type: string
          description: The id of the global
        lastModified:
          type: string
        tags:
          type: array
          items:
            type: string
          description: The tags for the global
    GlobalAPI.ListResp:
      type: object
      properties:
        next:
          type: string
          description: pagination token for the next page of results
        results:
          type: array
          items:
            $ref: '#/components/schemas/GlobalAPI.Global'
    GlobalAPI.ModifyGlobal:
      type: object
      properties:
        body:
          type: string
          description: The python body of the global
        description:
          type: string
          description: The description of the global
        id:
          type: string
          description: The id of the global
        tags:
          type: array
          items:
            type: string
          description: The tags for the global
      required:
        - id
        - body
    GlobalAPI.ModifyGlobal2:
      type: object
      properties:
        body:
          type: string
          description: The python body of the global
        description:
          type: string
          description: The description of the global
        tags:
          type: array
          items:
            type: string
          description: The tags for the global
      required:
        - body
    GlobalAPI.NotFoundError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    GlobalAPI.PutGlobalResp:
      type: object
      properties:
        data:
          $ref: '#/components/schemas/GlobalAPI.Global'
    GlobalAPI.ServiceError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    GlobalAPI.TestDetectionRecord:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/GlobalAPI.TestErr'
        errored:
          type: boolean
        functions:
          $ref: '#/components/schemas/GlobalAPI.TestDetectionRecordFunctions'
        name:
          type: string
        passed:
          type: boolean
        triggerAlert:
          type: boolean
    GlobalAPI.TestDetectionRecordFunctions:
      type: object
      properties:
        alertContext:
          $ref: '#/components/schemas/GlobalAPI.TestDetectionSubRecord'
        dedup:
          $ref: '#/components/schemas/GlobalAPI.TestDetectionSubRecord'
        description:
          $ref: '#/components/schemas/GlobalAPI.TestDetectionSubRecord'
        destinations:
          $ref: '#/components/schemas/GlobalAPI.TestDetectionSubRecord'
        detection:
          $ref: '#/components/schemas/GlobalAPI.TestDetectionSubRecord'
        reference:
          $ref: '#/components/schemas/GlobalAPI.TestDetectionSubRecord'
        runbook:
          $ref: '#/components/schemas/GlobalAPI.TestDetectionSubRecord'
        severity:
          $ref: '#/components/schemas/GlobalAPI.TestDetectionSubRecord'
        title:
          $ref: '#/components/schemas/GlobalAPI.TestDetectionSubRecord'
    GlobalAPI.TestDetectionSubRecord:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/GlobalAPI.TestErr'
        output:
          type: string
    GlobalAPI.TestErr:
      type: object
      properties:
        code:
          type: string
        message:
          type: string
    GlobalAPI.UnitTest:
      type: object
      properties:
        expectedResult:
          type: boolean
          description: The expected result
        mocks:
          type: array
          items:
            $ref: '#/components/schemas/GlobalAPI.UnitTestMock'
          description: mocks
        name:
          type: string
          description: name
        resource:
          type: string
          description: resource
      required:
        - name
        - resource
        - expectedResult
    GlobalAPI.UnitTestMock:
      type: object
      additionalProperties:
        type: string
    HttpSourceAPI.BadRequestError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    HttpSourceAPI.BadRequestWithTestResultsErr:
      type: object
      properties:
        message:
          type: string
        testResults:
          type: array
          items:
            $ref: '#/components/schemas/HttpSourceAPI.TestDetectionRecord'
      required:
        - message
    HttpSourceAPI.CreateHTTPSourceResp:
      type: object
      properties:
        data:
          $ref: '#/components/schemas/HttpSourceAPI.HTTPSource'
    HttpSourceAPI.ExistsError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    HttpSourceAPI.HTTPConfig:
      type: object
      properties:
        authBearerToken:
          type: string
          description: The authentication bearer token value of the http source. Used for Bearer auth method
        authHeaderKey:
          type: string
          description: The authentication header key of the http source. Used for HMAC and SharedSecret auth methods
        authHmacAlg:
          type: string
          description: The authentication algorithm of the http source. Used for HMAC auth method
        authMethod:
          type: string
          description: The authentication method of the http source
          enum:
            - SharedSecret
            - HMAC
            - Bearer
            - Basic
            - None
        authPassword:
          type: string
          description: The authentication header password of the http source. Used for Basic auth method
        authSecretValue:
          type: string
          description: The authentication header secret value of the http source. Used for HMAC and SharedSecret auth methods
        authUsername:
          type: string
          description: The authentication header username of the http source. Used for Basic auth method
        logTypes:
          type: array
          items:
            type: string
          description: The log types of the integration
    HttpSourceAPI.HTTPSource:
      type: object
      properties:
        authBearerToken:
          type: string
          description: The authentication bearer token value of the http source. Used for Bearer auth method
        authHeaderKey:
          type: string
          description: The authentication header key of the http source. Used for HMAC and SharedSecret auth methods
        authHmacAlg:
          type: string
          description: The authentication algorithm of the http source. Used for HMAC auth method
        authMethod:
          type: string
          description: The authentication method of the http source
          enum:
            - SharedSecret
            - HMAC
            - Bearer
            - Basic
            - None
        authPassword:
          type: string
          description: The authentication header password of the http source. Used for Basic auth method
        authSecretValue:
          type: string
          description: The authentication header secret value of the http source. Used for HMAC and SharedSecret auth methods
        authUsername:
          type: string
          description: The authentication header username of the http source. Used for Basic auth method
        integrationId:
          type: string
          description: The id of the http source
        integrationLabel:
          type: string
          description: The integration label (name)
        logStreamType:
          type: string
          description: The log stream type
          enum:
            - Auto
            - CloudWatchLogs
            - JSON
            - JsonArray
            - Lines
        logTypes:
          type: array
          items:
            type: string
          description: The log types of the integration
    HttpSourceAPI.ModifyHTTPSource:
      type: object
      properties:
        authBearerToken:
          type: string
          description: The authentication bearer token value of the http source. Used for Bearer auth method
        authHeaderKey:
          type: string
          description: The authentication header key of the http source. Used for HMAC and SharedSecret auth methods
        authHmacAlg:
          type: string
          description: The authentication algorithm of the http source. Used for HMAC auth method
        authMethod:
          type: string
          description: The authentication method of the http source
          enum:
            - SharedSecret
            - HMAC
            - Bearer
            - Basic
            - None
        authPassword:
          type: string
          description: The authentication header password of the http source. Used for Basic auth method
        authSecretValue:
          type: string
          description: The authentication header secret value of the http source. Used for HMAC and SharedSecret auth methods
        authUsername:
          type: string
          description: The authentication header username of the http source. Used for Basic auth method
        integrationLabel:
          type: string
          description: The integration label (name)
        logStreamType:
          type: string
          description: The log stream type
          enum:
            - Auto
            - CloudWatchLogs
            - JSON
            - JsonArray
            - Lines
        logTypes:
          type: array
          items:
            type: string
          description: The log types of the integration
      required:
        - integrationLabel
        - logTypes
        - logStreamType
        - authMethod
    HttpSourceAPI.NotFoundError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    HttpSourceAPI.PutHTTPSourceResp:
      type: object
      properties:
        data:
          $ref: '#/components/schemas/HttpSourceAPI.HTTPSource'
    HttpSourceAPI.ServiceError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    HttpSourceAPI.TestDetectionRecord:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/HttpSourceAPI.TestErr'
        errored:
          type: boolean
        functions:
          $ref: '#/components/schemas/HttpSourceAPI.TestDetectionRecordFunctions'
        name:
          type: string
        passed:
          type: boolean
        triggerAlert:
          type: boolean
    HttpSourceAPI.TestDetectionRecordFunctions:
      type: object
      properties:
        alertContext:
          $ref: '#/components/schemas/HttpSourceAPI.TestDetectionSubRecord'
        dedup:
          $ref: '#/components/schemas/HttpSourceAPI.TestDetectionSubRecord'
        description:
          $ref: '#/components/schemas/HttpSourceAPI.TestDetectionSubRecord'
        destinations:
          $ref: '#/components/schemas/HttpSourceAPI.TestDetectionSubRecord'
        detection:
          $ref: '#/components/schemas/HttpSourceAPI.TestDetectionSubRecord'
        reference:
          $ref: '#/components/schemas/HttpSourceAPI.TestDetectionSubRecord'
        runbook:
          $ref: '#/components/schemas/HttpSourceAPI.TestDetectionSubRecord'
        severity:
          $ref: '#/components/schemas/HttpSourceAPI.TestDetectionSubRecord'
        title:
          $ref: '#/components/schemas/HttpSourceAPI.TestDetectionSubRecord'
    HttpSourceAPI.TestDetectionSubRecord:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/HttpSourceAPI.TestErr'
        output:
          type: string
    HttpSourceAPI.TestErr:
      type: object
      properties:
        code:
          type: string
        message:
          type: string
    HttpSourceAPI.UnitTest:
      type: object
      properties:
        expectedResult:
          type: boolean
          description: The expected result
        mocks:
          type: array
          items:
            $ref: '#/components/schemas/HttpSourceAPI.UnitTestMock'
          description: mocks
        name:
          type: string
          description: name
        resource:
          type: string
          description: resource
      required:
        - name
        - resource
        - expectedResult
    HttpSourceAPI.UnitTestMock:
      type: object
      additionalProperties:
        type: string
    PolicyAPI.BadRequestError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    PolicyAPI.BadRequestWithTestResultsErr:
      type: object
      properties:
        message:
          type: string
        testResults:
          type: array
          items:
            $ref: '#/components/schemas/PolicyAPI.TestDetectionRecord'
      required:
        - message
    PolicyAPI.CreatePolicyResp:
      type: object
      properties:
        data:
          $ref: '#/components/schemas/PolicyAPI.Policy'
    PolicyAPI.ExistsError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    PolicyAPI.ListResp:
      type: object
      properties:
        next:
          type: string
          description: pagination token for the next page of results
        results:
          type: array
          items:
            $ref: '#/components/schemas/PolicyAPI.Policy'
    PolicyAPI.ModifyPolicy:
      type: object
      properties:
        body:
          type: string
          description: The python body of the policy
        description:
          type: string
          description: The description of the policy
        displayName:
          type: string
          description: The display name of the policy
        enabled:
          type: boolean
          description: Determines whether or not the policy is active
        id:
          type: string
          description: The id of the policy
        managed:
          type: boolean
          description: Determines if the policy is managed by panther
        reports:
          type: object
          description: Reports
          additionalProperties:
            items:
              type: string
            type: array
        resourceTypes:
          type: array
          items:
            type: string
          description: Resource types
        severity:
          type: string
          enum:
            - INFO
            - LOW
            - MEDIUM
            - HIGH
            - CRITICAL
        suppressions:
          type: array
          items:
            type: string
          description: Resources to ignore via a pattern that matches the resource id
          example:
            - aws::s3::*
        tags:
          type: array
          items:
            type: string
          description: The tags for the policy
        tests:
          type: array
          items:
            $ref: '#/components/schemas/PolicyAPI.UnitTest'
          description: Unit tests for the Policy. Best practice is to include a positive and negative case
      required:
        - id
        - body
        - severity
    PolicyAPI.NotFoundError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    PolicyAPI.Policy:
      type: object
      properties:
        body:
          type: string
          description: The python body of the policy
        createdAt:
          type: string
        description:
          type: string
          description: The description of the policy
        displayName:
          type: string
          description: The display name of the policy
        enabled:
          type: boolean
          description: Determines whether or not the policy is active
        id:
          type: string
          description: The id of the policy
        lastModified:
          type: string
        managed:
          type: boolean
          description: Determines if the policy is managed by panther
        reports:
          type: object
          description: Reports
          additionalProperties:
            items:
              type: string
            type: array
        resourceTypes:
          type: array
          items:
            type: string
          description: Resource types
        severity:
          type: string
          enum:
            - INFO
            - LOW
            - MEDIUM
            - HIGH
            - CRITICAL
        suppressions:
          type: array
          items:
            type: string
          description: Resources to ignore via a pattern that matches the resource id
          example:
            - aws::s3::*
        tags:
          type: array
          items:
            type: string
          description: The tags for the policy
        tests:
          type: array
          items:
            $ref: '#/components/schemas/PolicyAPI.UnitTest'
          description: Unit tests for the Policy. Best practice is to include a positive and negative case
    PolicyAPI.PutPolicyResp:
      type: object
      properties:
        data:
          $ref: '#/components/schemas/PolicyAPI.Policy'
    PolicyAPI.ServiceError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    PolicyAPI.TestDetectionRecord:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/PolicyAPI.TestErr'
        errored:
          type: boolean
        functions:
          $ref: '#/components/schemas/PolicyAPI.TestDetectionRecordFunctions'
        name:
          type: string
        passed:
          type: boolean
        triggerAlert:
          type: boolean
    PolicyAPI.TestDetectionRecordFunctions:
      type: object
      properties:
        alertContext:
          $ref: '#/components/schemas/PolicyAPI.TestDetectionSubRecord'
        dedup:
          $ref: '#/components/schemas/PolicyAPI.TestDetectionSubRecord'
        description:
          $ref: '#/components/schemas/PolicyAPI.TestDetectionSubRecord'
        destinations:
          $ref: '#/components/schemas/PolicyAPI.TestDetectionSubRecord'
        detection:
          $ref: '#/components/schemas/PolicyAPI.TestDetectionSubRecord'
        reference:
          $ref: '#/components/schemas/PolicyAPI.TestDetectionSubRecord'
        runbook:
          $ref: '#/components/schemas/PolicyAPI.TestDetectionSubRecord'
        severity:
          $ref: '#/components/schemas/PolicyAPI.TestDetectionSubRecord'
        title:
          $ref: '#/components/schemas/PolicyAPI.TestDetectionSubRecord'
    PolicyAPI.TestDetectionSubRecord:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/PolicyAPI.TestErr'
        output:
          type: string
    PolicyAPI.TestErr:
      type: object
      properties:
        code:
          type: string
        message:
          type: string
    PolicyAPI.UnitTest:
      type: object
      properties:
        expectedResult:
          type: boolean
          description: The expected result
        mocks:
          type: array
          items:
            $ref: '#/components/schemas/PolicyAPI.UnitTestMock'
          description: mocks
        name:
          type: string
          description: name
        resource:
          type: string
          description: resource
      required:
        - name
        - resource
        - expectedResult
    PolicyAPI.UnitTestMock:
      type: object
      additionalProperties:
        type: string
    QueryAPI.BadRequestError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    QueryAPI.BadRequestWithTestResultsErr:
      type: object
      properties:
        message:
          type: string
        testResults:
          type: array
          items:
            $ref: '#/components/schemas/QueryAPI.TestDetectionRecord'
      required:
        - message
    QueryAPI.ExistsError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    QueryAPI.ListResp:
      type: object
      properties:
        next:
          type: string
          description: Pagination token for the next page of results
        results:
          type: array
          items:
            $ref: '#/components/schemas/QueryAPI.Query'
    QueryAPI.ModifyQuery:
      type: object
      properties:
        description:
          type: string
          description: The description of the query
        name:
          type: string
          description: The name of the query
        schedule:
          $ref: '#/components/schemas/QueryAPI.Schedule'
        sql:
          type: string
          description: The raw sql of the query
      required:
        - sql
        - name
    QueryAPI.NotFoundError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    QueryAPI.Query:
      type: object
      properties:
        createdAt:
          type: string
        description:
          type: string
          description: The description of the query
        id:
          type: string
          description: The generated ID of the query
        managed:
          type: boolean
          description: Determines if the query is managed by panther
        name:
          type: string
          description: The name of the query
        schedule:
          $ref: '#/components/schemas/QueryAPI.Schedule'
        sql:
          type: string
          description: The raw sql of the query
        updatedAt:
          type: string
    QueryAPI.Schedule:
      type: object
      properties:
        cron:
          type: string
          description: The cron expression
        disabled:
          type: boolean
          description: Disable the schedule
        rateMinutes:
          type: integer
          format: int64
        timeoutMinutes:
          type: integer
          format: int64
    QueryAPI.ServiceError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    QueryAPI.TestDetectionRecord:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/QueryAPI.TestErr'
        errored:
          type: boolean
        functions:
          $ref: '#/components/schemas/QueryAPI.TestDetectionRecordFunctions'
        name:
          type: string
        passed:
          type: boolean
        triggerAlert:
          type: boolean
    QueryAPI.TestDetectionRecordFunctions:
      type: object
      properties:
        alertContext:
          $ref: '#/components/schemas/QueryAPI.TestDetectionSubRecord'
        dedup:
          $ref: '#/components/schemas/QueryAPI.TestDetectionSubRecord'
        description:
          $ref: '#/components/schemas/QueryAPI.TestDetectionSubRecord'
        destinations:
          $ref: '#/components/schemas/QueryAPI.TestDetectionSubRecord'
        detection:
          $ref: '#/components/schemas/QueryAPI.TestDetectionSubRecord'
        reference:
          $ref: '#/components/schemas/QueryAPI.TestDetectionSubRecord'
        runbook:
          $ref: '#/components/schemas/QueryAPI.TestDetectionSubRecord'
        severity:
          $ref: '#/components/schemas/QueryAPI.TestDetectionSubRecord'
        title:
          $ref: '#/components/schemas/QueryAPI.TestDetectionSubRecord'
    QueryAPI.TestDetectionSubRecord:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/QueryAPI.TestErr'
        output:
          type: string
    QueryAPI.TestErr:
      type: object
      properties:
        code:
          type: string
        message:
          type: string
    QueryAPI.UnitTest:
      type: object
      properties:
        expectedResult:
          type: boolean
          description: The expected result
        mocks:
          type: array
          items:
            $ref: '#/components/schemas/QueryAPI.UnitTestMock'
          description: mocks
        name:
          type: string
          description: name
        resource:
          type: string
          description: resource
      required:
        - name
        - resource
        - expectedResult
    QueryAPI.UnitTestMock:
      type: object
      additionalProperties:
        type: string
    RuleAPI.BadRequestError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    RuleAPI.BadRequestWithTestResultsErr:
      type: object
      properties:
        message:
          type: string
        testResults:
          type: array
          items:
            $ref: '#/components/schemas/RuleAPI.TestDetectionRecord'
      required:
        - message
    RuleAPI.CreateRuleResp:
      type: object
      properties:
        data:
          $ref: '#/components/schemas/RuleAPI.Rule'
    RuleAPI.ExistsError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    RuleAPI.ListResp:
      type: object
      properties:
        next:
          type: string
          description: pagination token for the next page of results
        results:
          type: array
          items:
            $ref: '#/components/schemas/RuleAPI.Rule'
    RuleAPI.ModifyRule:
      type: object
      properties:
        body:
          type: string
          description: The python body of the rule
        dedupPeriodMinutes:
          type: integer
          description: The amount of time in minutes for grouping alerts
          default: 60
          format: int64
          minimum: 1
        description:
          type: string
          description: The description of the rule
        displayName:
          type: string
          description: The display name of the rule
        enabled:
          type: boolean
          description: Determines whether or not the rule is active
        id:
          type: string
          description: The id of the rule
        inlineFilters:
          type: string
          description: The filter for the rule represented in YAML
        logTypes:
          type: array
          items:
            type: string
          description: log types
        managed:
          type: boolean
          description: Determines if the rule is managed by panther
        reports:
          type: object
          description: reports
          additionalProperties:
            items:
              type: string
            type: array
        runbook:
          type: string
          description: How to handle the generated alert
        severity:
          type: string
          enum:
            - INFO
            - LOW
            - MEDIUM
            - HIGH
            - CRITICAL
        summaryAttributes:
          type: array
          items:
            type: string
          description: A list of fields in the event to create top 5 summaries for
        tags:
          type: array
          items:
            type: string
          description: The tags for the rule
        tests:
          type: array
          items:
            $ref: '#/components/schemas/RuleAPI.UnitTest'
          description: Unit tests for the Rule. Best practice is to include a positive and negative case
        threshold:
          type: integer
          description: the number of events that must match before an alert is triggered
          default: 1
          format: int64
          minimum: 1
      required:
        - id
        - body
        - severity
    RuleAPI.NotFoundError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    RuleAPI.PutRuleResp:
      type: object
      properties:
        data:
          $ref: '#/components/schemas/RuleAPI.Rule'
    RuleAPI.Rule:
      type: object
      properties:
        body:
          type: string
          description: The python body of the rule
        createdAt:
          type: string
        dedupPeriodMinutes:
          type: integer
          description: The amount of time in minutes for grouping alerts
          default: 60
          format: int64
          minimum: 1
        description:
          type: string
          description: The description of the rule
        displayName:
          type: string
          description: The display name of the rule
        enabled:
          type: boolean
          description: Determines whether or not the rule is active
        id:
          type: string
          description: The id of the rule
        inlineFilters:
          type: string
          description: The filter for the rule represented in YAML
        lastModified:
          type: string
        logTypes:
          type: array
          items:
            type: string
          description: log types
        managed:
          type: boolean
          description: Determines if the rule is managed by panther
        reports:
          type: object
          description: reports
          additionalProperties:
            items:
              type: string
            type: array
        runbook:
          type: string
          description: How to handle the generated alert
        severity:
          type: string
          enum:
            - INFO
            - LOW
            - MEDIUM
            - HIGH
            - CRITICAL
        summaryAttributes:
          type: array
          items:
            type: string
          description: A list of fields in the event to create top 5 summaries for
        tags:
          type: array
          items:
            type: string
          description: The tags for the rule
        tests:
          type: array
          items:
            $ref: '#/components/schemas/RuleAPI.UnitTest'
          description: Unit tests for the Rule. Best practice is to include a positive and negative case
        threshold:
          type: integer
          description: the number of events that must match before an alert is triggered
          default: 1
          format: int64
          minimum: 1
    RuleAPI.ServiceError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    RuleAPI.TestDetectionRecord:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/RuleAPI.TestErr'
        errored:
          type: boolean
        functions:
          $ref: '#/components/schemas/RuleAPI.TestDetectionRecordFunctions'
        name:
          type: string
        passed:
          type: boolean
        triggerAlert:
          type: boolean
    RuleAPI.TestDetectionRecordFunctions:
      type: object
      properties:
        alertContext:
          $ref: '#/components/schemas/RuleAPI.TestDetectionSubRecord'
        dedup:
          $ref: '#/components/schemas/RuleAPI.TestDetectionSubRecord'
        description:
          $ref: '#/components/schemas/RuleAPI.TestDetectionSubRecord'
        destinations:
          $ref: '#/components/schemas/RuleAPI.TestDetectionSubRecord'
        detection:
          $ref: '#/components/schemas/RuleAPI.TestDetectionSubRecord'
        reference:
          $ref: '#/components/schemas/RuleAPI.TestDetectionSubRecord'
        runbook:
          $ref: '#/components/schemas/RuleAPI.TestDetectionSubRecord'
        severity:
          $ref: '#/components/schemas/RuleAPI.TestDetectionSubRecord'
        title:
          $ref: '#/components/schemas/RuleAPI.TestDetectionSubRecord'
    RuleAPI.TestDetectionSubRecord:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/RuleAPI.TestErr'
        output:
          type: string
    RuleAPI.TestErr:
      type: object
      properties:
        code:
          type: string
        message:
          type: string
    RuleAPI.UnitTest:
      type: object
      properties:
        expectedResult:
          type: boolean
          description: The expected result
        mocks:
          type: array
          items:
            $ref: '#/components/schemas/RuleAPI.UnitTestMock'
          description: mocks
        name:
          type: string
          description: name
        resource:
          type: string
          description: resource
      required:
        - name
        - resource
        - expectedResult
    RuleAPI.UnitTestMock:
      type: object
      additionalProperties:
        type: string
    ScheduledRuleAPI.BadRequestError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    ScheduledRuleAPI.BadRequestWithTestResultsErr:
      type: object
      properties:
        message:
          type: string
        testResults:
          type: array
          items:
            $ref: '#/components/schemas/ScheduledRuleAPI.TestDetectionRecord'
      required:
        - message
    ScheduledRuleAPI.CreateRuleResp:
      type: object
      properties:
        data:
          $ref: '#/components/schemas/ScheduledRuleAPI.ScheduledRule'
    ScheduledRuleAPI.ExistsError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    ScheduledRuleAPI.ListResp:
      type: object
      properties:
        next:
          type: string
          description: pagination token for the next page of results
        results:
          type: array
          items:
            $ref: '#/components/schemas/ScheduledRuleAPI.ScheduledRule'
    ScheduledRuleAPI.ModifyRule:
      type: object
      properties:
        body:
          type: string
          description: The python body of the scheduled rule
        dedupPeriodMinutes:
          type: integer
          description: The amount of time in minutes for grouping alerts
          default: 60
          format: int64
          minimum: 1
        description:
          type: string
          description: The description of the scheduled rule
        displayName:
          type: string
          description: The display name of the scheduled rule
        enabled:
          type: boolean
          description: Determines whether or not the scheduled rule is active
        id:
          type: string
          description: The id of the scheduled rule
        managed:
          type: boolean
          description: Determines if the scheduled rule is managed by panther
        reports:
          type: object
          description: reports
          additionalProperties:
            items:
              type: string
            type: array
        runbook:
          type: string
          description: How to handle the generated alert
        scheduledQueries:
          type: array
          items:
            type: string
          description: the queries that this scheduled rule utilizes
        severity:
          type: string
          enum:
            - INFO
            - LOW
            - MEDIUM
            - HIGH
            - CRITICAL
        summaryAttributes:
          type: array
          items:
            type: string
          description: A list of fields in the event to create top 5 summaries for
        tags:
          type: array
          items:
            type: string
          description: The tags for the scheduled rule
        tests:
          type: array
          items:
            $ref: '#/components/schemas/ScheduledRuleAPI.UnitTest'
          description: Unit tests for the Rule. Best practice is to include a positive and negative case
        threshold:
          type: integer
          description: the number of events that must match before an alert is triggered
          default: 1
          format: int64
          minimum: 1
      required:
        - id
        - body
        - severity
    ScheduledRuleAPI.NotFoundError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    ScheduledRuleAPI.PutRuleResp:
      type: object
      properties:
        data:
          $ref: '#/components/schemas/ScheduledRuleAPI.ScheduledRule'
    ScheduledRuleAPI.ScheduledRule:
      type: object
      properties:
        body:
          type: string
          description: The python body of the scheduled rule
        createdAt:
          type: string
        dedupPeriodMinutes:
          type: integer
          description: The amount of time in minutes for grouping alerts
          default: 60
          format: int64
          minimum: 1
        description:
          type: string
          description: The description of the scheduled rule
        displayName:
          type: string
          description: The display name of the scheduled rule
        enabled:
          type: boolean
          description: Determines whether or not the scheduled rule is active
        id:
          type: string
          description: The id of the scheduled rule
        lastModified:
          type: string
        managed:
          type: boolean
          description: Determines if the scheduled rule is managed by panther
        reports:
          type: object
          description: reports
          additionalProperties:
            items:
              type: string
            type: array
        runbook:
          type: string
          description: How to handle the generated alert
        scheduledQueries:
          type: array
          items:
            type: string
          description: the queries that this scheduled rule utilizes
        severity:
          type: string
          enum:
            - INFO
            - LOW
            - MEDIUM
            - HIGH
            - CRITICAL
        summaryAttributes:
          type: array
          items:
            type: string
          description: A list of fields in the event to create top 5 summaries for
        tags:
          type: array
          items:
            type: string
          description: The tags for the scheduled rule
        tests:
          type: array
          items:
            $ref: '#/components/schemas/ScheduledRuleAPI.UnitTest'
          description: Unit tests for the Rule. Best practice is to include a positive and negative case
        threshold:
          type: integer
          description: the number of events that must match before an alert is triggered
          default: 1
          format: int64
          minimum: 1
    ScheduledRuleAPI.ServiceError:
      type: object
      properties:
        message:
          type: string
      required:
        - message
    ScheduledRuleAPI.TestDetectionRecord:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/ScheduledRuleAPI.TestErr'
        errored:
          type: boolean
        functions:
          $ref: '#/components/schemas/ScheduledRuleAPI.TestDetectionRecordFunctions'
        name:
          type: string
        passed:
          type: boolean
        triggerAlert:
          type: boolean
    ScheduledRuleAPI.TestDetectionRecordFunctions:
      type: object
      properties:
        alertContext:
          $ref: '#/components/schemas/ScheduledRuleAPI.TestDetectionSubRecord'
        dedup:
          $ref: '#/components/schemas/ScheduledRuleAPI.TestDetectionSubRecord'
        description:
          $ref: '#/components/schemas/ScheduledRuleAPI.TestDetectionSubRecord'
        destinations:
          $ref: '#/components/schemas/ScheduledRuleAPI.TestDetectionSubRecord'
        detection:
          $ref: '#/components/schemas/ScheduledRuleAPI.TestDetectionSubRecord'
        reference:
          $ref: '#/components/schemas/ScheduledRuleAPI.TestDetectionSubRecord'
        runbook:
          $ref: '#/components/schemas/ScheduledRuleAPI.TestDetectionSubRecord'
        severity:
          $ref: '#/components/schemas/ScheduledRuleAPI.TestDetectionSubRecord'
        title:
          $ref: '#/components/schemas/ScheduledRuleAPI.TestDetectionSubRecord'
    ScheduledRuleAPI.TestDetectionSubRecord:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/ScheduledRuleAPI.TestErr'
        output:
          type: string
    ScheduledRuleAPI.TestErr:
      type: object
      properties:
        code:
          type: string
        message:
          type: string
    ScheduledRuleAPI.UnitTest:
      type: object
      properties:
        expectedResult:
          type: boolean
          description: The expected result
        mocks:
          type: array
          items:
            $ref: '#/components/schemas/ScheduledRuleAPI.UnitTestMock'
          description: mocks
        name:
          type: string
          description: name
        resource:
          type: string
          description: resource
      required:
        - name
        - resource
        - expectedResult
    ScheduledRuleAPI.UnitTestMock:
      type: object
      additionalProperties:
        type: string
SimpleRuleAPI.BadRequestError:
type: object
properties:
message:
type: string
required:
- message
SimpleRuleAPI.BadRequestWithTestResultsErr:
type: object
properties:
message:
type: string
testResults:
type: array
items:
$ref: '#/components/schemas/SimpleRuleAPI.TestDetectionRecord'
required:
- message
SimpleRuleAPI.CreateRuleResp:
type: object
properties:
data:
$ref: '#/components/schemas/SimpleRuleAPI.SimpleRule'
SimpleRuleAPI.ExistsError:
type: object
properties:
message:
type: string
required:
- message
SimpleRuleAPI.ListResp:
type: object
properties:
next:
type: string
description: pagination token for the next page of results
results:
type: array
items:
$ref: '#/components/schemas/SimpleRuleAPI.SimpleRule'
SimpleRuleAPI.ModifyRule:
type: object
properties:
alertContext:
type: string
description: The alert context represented in YAML
alertTitle:
type: string
description: The alert title represented in YAML
dedupPeriodMinutes:
type: integer
description: The amount of time in minutes for grouping alerts
default: 60
format: int64
minimum: 1
description:
type: string
description: The description of the rule
detection:
type: string
description: The yaml representation of the rule
displayName:
type: string
description: The display name of the rule
dynamicSeverities:
type: string
description: The dynamic severity represented in YAML
enabled:
type: boolean
description: Determines whether or not the rule is active
groupBy:
type: string
description: The key on an event to group by represented in YAML
id:
type: string
description: The id of the rule
inlineFilters:
type: string
description: The filter for the rule represented in YAML
logTypes:
type: array
items:
type: string
description: log types
managed:
type: boolean
description: Determines if the simple rule is managed by panther
pythonBody:
type: string
description: The python body of the rule
reports:
type: object
description: reports
additionalProperties:
items:
type: string
type: array
runbook:
type: string
description: How to handle the generated alert
severity:
type: string
enum:
- INFO
- LOW
- MEDIUM
- HIGH
- CRITICAL
summaryAttributes:
type: array
items:
type: string
description: A list of fields in the event to create top 5 summaries for
tags:
type: array
items:
type: string
description: The tags for the simple rule
tests:
type: array
items:
$ref: '#/components/schemas/SimpleRuleAPI.UnitTest'
description: Unit tests for the Rule. Best practice is to include a positive and negative case
threshold:
type: integer
description: the number of events that must match before an alert is triggered
default: 1
format: int64
minimum: 1
required:
- id
- detection
- severity
SimpleRuleAPI.NotFoundError:
type: object
properties:
message:
type: string
required:
- message
SimpleRuleAPI.PutRuleResp:
type: object
properties:
data:
$ref: '#/components/schemas/SimpleRuleAPI.SimpleRule'
SimpleRuleAPI.ServiceError:
type: object
properties:
message:
type: string
required:
- message
SimpleRuleAPI.SimpleRule:
type: object
properties:
alertContext:
type: string
description: The alert context represented in YAML
alertTitle:
type: string
description: The alert title represented in YAML
createdAt:
type: string
dedupPeriodMinutes:
type: integer
description: The amount of time in minutes for grouping alerts
default: 60
format: int64
minimum: 1
description:
type: string
description: The description of the rule
detection:
type: string
description: The yaml representation of the rule
displayName:
type: string
description: The display name of the rule
dynamicSeverities:
type: string
description: The dynamic severity represented in YAML
enabled:
type: boolean
description: Determines whether or not the rule is active
groupBy:
type: string
description: The key on an event to group by represented in YAML
id:
type: string
description: The id of the rule
inlineFilters:
type: string
description: The filter for the rule represented in YAML
lastModified:
type: string
logTypes:
type: array
items:
type: string
description: log types
managed:
type: boolean
description: Determines if the simple rule is managed by panther
pythonBody:
type: string
description: The python body of the rule
reports:
type: object
description: reports
additionalProperties:
items:
type: string
type: array
runbook:
type: string
description: How to handle the generated alert
severity:
type: string
enum:
- INFO
- LOW
- MEDIUM
- HIGH
- CRITICAL
summaryAttributes:
type: array
items:
type: string
description: A list of fields in the event to create top 5 summaries for
tags:
type: array
items:
type: string
description: The tags for the simple rule
tests:
type: array
items:
$ref: '#/components/schemas/SimpleRuleAPI.UnitTest'
description: Unit tests for the Rule. Best practice is to include a positive and negative case
threshold:
type: integer
description: the number of events that must match before an alert is triggered
default: 1
format: int64
minimum: 1
SimpleRuleAPI.TestDetectionRecord:
type: object
properties:
error:
$ref: '#/components/schemas/SimpleRuleAPI.TestErr'
errored:
type: boolean
functions:
$ref: '#/components/schemas/SimpleRuleAPI.TestDetectionRecordFunctions'
name:
type: string
passed:
type: boolean
triggerAlert:
type: boolean
SimpleRuleAPI.TestDetectionRecordFunctions:
type: object
properties:
alertContext:
$ref: '#/components/schemas/SimpleRuleAPI.TestDetectionSubRecord'
dedup:
$ref: '#/components/schemas/SimpleRuleAPI.TestDetectionSubRecord'
description:
$ref: '#/components/schemas/SimpleRuleAPI.TestDetectionSubRecord'
destinations:
$ref: '#/components/schemas/SimpleRuleAPI.TestDetectionSubRecord'
detection:
$ref: '#/components/schemas/SimpleRuleAPI.TestDetectionSubRecord'
reference:
$ref: '#/components/schemas/SimpleRuleAPI.TestDetectionSubRecord'
runbook:
$ref: '#/components/schemas/SimpleRuleAPI.TestDetectionSubRecord'
severity:
$ref: '#/components/schemas/SimpleRuleAPI.TestDetectionSubRecord'
title:
$ref: '#/components/schemas/SimpleRuleAPI.TestDetectionSubRecord'
SimpleRuleAPI.TestDetectionSubRecord:
type: object
properties:
error:
$ref: '#/components/schemas/SimpleRuleAPI.TestErr'
output:
type: string
SimpleRuleAPI.TestErr:
type: object
properties:
code:
type: string
message:
type: string
SimpleRuleAPI.UnitTest:
type: object
properties:
expectedResult:
type: boolean
description: The expected result
mocks:
type: array
items:
$ref: '#/components/schemas/SimpleRuleAPI.UnitTestMock'
description: mocks
name:
type: string
description: name
resource:
type: string
description: resource
required:
- name
- resource
- expectedResult
SimpleRuleAPI.UnitTestMock:
type: object
additionalProperties:
type: string
securitySchemes:
ApiKeyAuth:
type: apiKey
name: X-API-Key
in: header
tags:
- name: data model
description: The data model api handles all operations for data models
- name: global
description: The global api handles all operations for globals
- name: policy
description: The policy api handles all operations for policies
- name: query
description: The query api handles operations for queries
- name: rule
description: The rule api handles all operations for rules
- name: scheduled rule
description: The scheduled rule api handles all operations for scheduled rules
- name: simple rule
description: The simple rule api handles all operations for simple rules
- name: http source
description: The http source api handles all operations for http sources
security:
- ApiKeyAuth: []
Download the file by clicking the link below:
You can discover the API schema by browsing the API Playground in your Panther Console. Learn more on API Playground.
To locate your REST API URL:
In the upper-right corner of your Panther Console, click the gear icon, then API Tokens. At the top of the page, see the API URL.
If you are running a SaaS deployment of Panther, your REST URL will be the portion shown below:
If you are running a Cloud Connected or self-hosted deployment of Panther, the URL will be the portion shown below (inclusive of /v1):
Note that all REST URLs exclude /public/graphql from the end of the value.
See these instructions on how to create an API token. You can find required permissions for each REST API operation on each entity's page (nested under this one).
In addition to testing with the API Playground in the Console, you can invoke the REST API using Swagger, Postman, or this documentation:
In a web browser, navigate to the Swagger Editor.
In the code editor on the left-hand side, paste in the Panther REST OpenAPI specification file found above, in Discover the Panther REST API schema.
On the right-hand side, under Server variables, in api_host, enter your Panther REST API URL without the protocol (i.e., excluding https://).
Click Authorize.
In the Available authorizations modal:
Under Value, enter your API token value.
Click Authorize.
Click Close.
You can now try invoking the API:
Choose an endpoint, and expand it by clicking the arrow pointing down.
Click Try it out.
Click Execute.
You will import the Panther Postman collection, create a new environment with URL and API variables, then try making a request.
Download the Panther_REST_API_postman_collection.json file at the bottom of this tab.
In your Postman application, click File > Import.
Choose the Panther_REST_API_postman_collection.json file.
Under Collections, there will now be a Panther Rest API collection.
Click Environments, then click the plus sign (+).
Enter a name for your environment (e.g., "Panther").
In the table on the right-hand side, enter the following two variables:
restHost: For the Current value, enter your full Panther REST API URL.
You can find this value by following the instructions in Step 1: Identify your Panther REST API URL.
restApiToken: For the Current value, enter your Panther API token. In the Type column, select secret.
In the upper-right corner, click Save.
In the upper-right hand corner, click the environment dropdown, and select the one you created in the previous step.
You can now try making a request:
Click Collections.
Expand the Panther Rest API collection, then select a request.
Click Send.
Navigate to one of the REST API entity pages (nested under this page), and locate the operation you'd like to perform.
In the bottom-right corner of the operation's Request tile, click ▶Test it.
In the modal that pops up, within the Variables section:
If the operation has required path variables, such as {id}, provide value(s) in the VALUE column.
Click + Variable, then create the following variable:
key: Enter api_host.
value: Enter the REST API URL you identified in Step 1, without the protocol (i.e., excluding https://).
If the Query Parameters section lists values that you would like to apply to this invocation, click their checkboxes in the right-hand column.
Within the Headers section, click + Headers.
In the table, create the following header:
key: Enter X-API-Key.
value: Enter the API token you generated in Step 2.
If a request body is required for your request, add content within Body.
Click Send Request.
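The same invocation from a script, as an added example that is not part of the Panther documentation: it derives the REST base URL by dropping the /public/graphql suffix, sends the token in the X-API-Key header, and pages through GET /data-models with limit and cursor. It assumes list responses carry results and next as in SimpleRuleAPI.ListResp; the host, token, model ids and the fake_get transport are constructed so the block runs offline.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

def rest_base_url(api_url):
    """Turn the API URL from the API Tokens page into the REST base URL."""
    url = api_url.strip().rstrip("/")
    if url.endswith("/public/graphql"):       # REST URLs exclude this suffix
        url = url[: -len("/public/graphql")]
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("refusing to send an API token to a non-https URL")
    return url

def http_get(url, api_token):
    """Real transport: GET with the X-API-Key header (ApiKeyAuth in the spec)."""
    req = Request(url, headers={"X-API-Key": api_token, "Accept": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)

def list_all(base_url, path, api_token, limit=100, get=http_get, max_pages=1000):
    """Collect every item of a list endpoint by feeding `next` back as `cursor`."""
    items, cursor = [], None
    for _ in range(max_pages):                # bound the loop if `next` never ends
        query = {"limit": limit, **({"cursor": cursor} if cursor else {})}
        page = get(f"{base_url}{path}?{urlencode(query)}", api_token)
        items.extend(page.get("results") or [])
        cursor = page.get("next")
        if not cursor:
            return items
    raise RuntimeError("max_pages reached before the last page")

# Constructed two-page reply keyed by cursor, for an offline run (not real output).
FAKE_PAGES = {
    "": {"results": [{"id": "Model.A"}, {"id": "Model.B"}], "next": "page-2"},
    "page-2": {"results": [{"id": "Model.C"}]},
}

def fake_get(url, api_token):
    """Stand-in transport (assumption for this example): serves FAKE_PAGES."""
    cursor = parse_qs(urlsplit(url).query).get("cursor", [""])[0]
    return FAKE_PAGES[cursor]

def demo():
    base = rest_base_url("https://api.example.invalid/v1/public/graphql")
    return [m["id"] for m in list_all(base, "/data-models", "placeholder-token", get=fake_get)]

if __name__ == "__main__":
    print(demo())
```

Drop the `get=fake_get` argument to call a real instance, and read the token from an environment variable or secret store rather than embedding it in the script.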