
# Panther Developer Workflows Overview

Panther Developer Workflows are workflows outside the Panther Console that you can use to interact with your Panther account, including [continuous integration and continuous deployment (CI/CD)](/panther-developer-workflows/detections-repo/ci-cd.md), [API](/panther-developer-workflows/api.md), the [Panther Analysis Tool (PAT)](/panther-developer-workflows/detections-repo/pat.md), the [pantherlog tool](/panther-developer-workflows/pantherlog.md), and other operational tools.

This page describes the developer workflows and tools you can use with Panther. Panther Developer Workflows are intended for a technical audience who feels comfortable using non-Console workflows.

{% hint style="info" %}
Looking for information on using web application-based workflows?

* To learn more about getting started in the Panther Console, check out the [Quick Start Guide](/quick-start.md).
* For information on managing detections in the Panther Console, see the [Detections documentation](/detections.md).
{% endhint %}

## Using Panther-managed detections

CI/CD users can make use of Panther-managed detections written in Python in the [panther-analysis repository in GitHub](https://github.com/panther-labs/panther-analysis). This can be done by maintaining a public fork of the repo or maintaining a cloned private repository.

The detections in panther-analysis are broadly applicable, but can be customized to ensure that you are receiving only the alerts that are most important to your organization. You will need to pull updates from panther-analysis to take advantage of new detections.

For instructions, see [Using panther-analysis](/panther-developer-workflows/detections-repo.md).

## CI/CD workflows

Automate your detection pipeline and improve security with a CI/CD workflow: Leverage the Panther-managed Python detections from the panther-analysis repository in GitHub, adapt the detections to fit into your CI/CD pipeline, and upload the detections to your Panther Console.

Panther offers CI/CD documentation specific to using the following platforms:

* [CircleCI](/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/circle-ci.md)
* [GitHub Actions](/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/github-actions.md)

Note that you can adapt these instructions to fit other workflows.

### Using the Panther Analysis Tool

[PAT](https://github.com/panther-labs/panther_analysis_tool) is an open-source utility for testing, packaging, and deploying Panther detections from source code. It's designed for developer-centric workflows such as managing your Panther detections programmatically or within CI/CD pipelines. Learn more on [Panther Analysis Tool](/panther-developer-workflows/detections-repo/pat.md).

### How your CLI workflows interact with the Panther Console

Your uploaded detections will appear alongside detections that were created manually in the Panther Console.

### Creating a GitHub pull request from the Panther Console

{% hint style="warning" %}
Creating a GitHub pull request from the Panther Console is in open beta starting with Panther version 1.125. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

If your team has a Panther detection content repository in GitHub, you can [install the Panther GitHub App](/panther-developer-workflows/detections-repo/github-app.md) on that repository so that creating or updating a detection in the Panther Console opens a pull request in GitHub instead of saving the detection immediately in Panther.

This enables your team to work simultaneously in both the CLI and the Panther Console without worrying that changes made in the Console will be overwritten on the next CLI upload.

Once you save your repository configuration in **Settings** > **General** > **Developer Workflow**, the Panther Console replaces the usual **Deploy** or **Save** button with **Create PR** when you create or edit supported detections. Clicking **Create PR** opens a pull request in your GitHub repository with the changes you've made in the Console—Panther creates a new feature branch from your configured branch and submits the pull request back to it. (Until the Panther GitHub App is installed and connected to that repository, **Create PR** will fail—see [Setting Up the Panther GitHub App](/panther-developer-workflows/detections-repo/github-app.md) for the full setup flow.)

<figure><img src="/files/WX5ZUCWRMeeIU5t2W7CJ" alt="The detection editor in the Panther Console with a Name field, Configure tab, and Log Types selector; the top-right toolbar shows an Enabled toggle, a Cancel button, and a Create PR button."><figcaption></figcaption></figure>

#### What the pull request looks like

Each Console save creates its own pull request—Panther does not batch multiple edits into a single PR. Branches are named `panther-pr-{detection-id}-{timestamp}-{random}` and are branched from your configured branch.

When **creating a new detection**, the **Create Pull Request** modal lets you set the YAML file path, the PR title, and the PR description. Defaults are used for any field you leave blank:

<figure><img src="/files/wZqEnmTG8mlP1L9sQ0Wx" alt="The 'Create Pull Request' modal in the Panther Console, with fields for YAML file path, PR title (optional), and PR description (optional), and Cancel and Create Pull Request buttons. A note above the title field reads 'PR will contain an additional file: detection-repo/rules/custom/test_rule.py'."><figcaption></figcaption></figure>

* **YAML file path**: `rules/custom/{detection-id}.yml`. For Python detections, a Python file is added at the same path with a `.py` extension.
* **PR title**: `Panther Auto Detection Create PR for {detection-id}`
* **PR description**: `This is an auto-generated pull request for a new detection: {detection-id}`

When **editing an existing detection**, the PR is created inline on save, without a modal. The existing file paths are reused, and the title and description always use these defaults (they cannot currently be customized for edits):

* **PR title**: `Panther Auto Detection Edit PR for {detection-id}`
* **PR description**: `This is an auto-generated pull request for a detection edit: {detection-id}`

Commits are authored by the Panther user (name and email from their Panther account) when available, and fall back to `panther-detection-bot <do-not-reply@panther.com>` otherwise.

After the pull request is merged in GitHub, you will still need to use the [Panther Analysis Tool (PAT)](/panther-developer-workflows/detections-repo/pat.md) to upload detection content, likely using a GitHub Action—see [Managing Panther Content via GitHub Actions](/panther-developer-workflows/detections-repo/ci-cd/deployment-workflows/github-actions.md).

#### Limitations of GitHub pull request creation

* This workflow is currently limited to rules and scheduled rules created in Python or as Simple Detections.

## Panther API

Panther offers a public GraphQL-over-HTTP API, meaning you can write GraphQL queries and invoke the API using a typical HTTP request. For more information on GraphQL, please see [GraphQL's documentation](https://graphql.org/learn/).

The Panther API can integrate with any existing tools that you have. Whether via scripts or CI/CD workflows, the API gives you the ability to automate workflows and complete tasks quickly by codifying processes that would normally require a manual login to the Panther Console.

The Panther API supports operations for token rotation, alerting, cloud account management, log source management, user and role management, data lake queries, and user metrics.

### How your API workflows interact with the Panther Console

Panther itself uses an extended version of the API internally, so any changes you make using the Panther API will be immediately reflected in the Panther Console.

### Common API use cases

Common use cases include:

* Managing your users through infrastructure as code (IaC) and automating Role creation
* Getting the latest Panther metrics to use in your own dashboards
* Resolving an alert in Panther as part of an external workflow
* Running a custom Data Explorer query whenever a certain event occurs

For full documentation, as well as end-to-end examples in Python and NodeJS, please see [Panther API](/panther-developer-workflows/api.md).

## Terraform

You can manage parts of your Panther log source infrastructure using [Terraform](https://www.terraform.io/). Terraform allows you to define and provision your infrastructure through code, making it easy to manage and track changes across your project's lifecycle. [Panther is a provider](https://registry.terraform.io/providers/panther-labs/panther/latest) in the Terraform registry.

See a full example of using Terraform to manage an S3 log source on [Managing AWS S3 Log Sources with Terraform](/panther-developer-workflows/terraform/s3.md).

## Panther tools

Panther provides two developer tools that you can use within your workflows:

* **Panther Analysis Tool (PAT)**: An open-source utility for testing, packaging, and deploying Panther detections from source code.
  * For instructions on using PAT, see the [Panther Analysis Tool documentation](/panther-developer-workflows/detections-repo/pat.md).
* **Pantherlog**: A CLI tool that you can use to infer and parse logs, validate schema files, and run unit tests.
  * For instructions on using pantherlog, see the [pantherlog Tool documentation](/panther-developer-workflows/pantherlog.md).

## Panther MCP server

The Panther [Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction) server enables natural language interactions with Panther in your MCP [client](https://modelcontextprotocol.io/clients) of choice. Learn more on [MCP Server](/ai/mcp/mcp-server.md).


