Using the pypanther Command Line Tool
View, test, and upload V2 detections
Use the pypanther command line interface (CLI) tool to:

- View, test, and upload PyPanther Detections.
- Convert v1 detections to PyPanther Detections.
- View and upload custom schemas.

To get started using pypanther, follow the setup instructions in the PyPanther Detections documentation. See the pypanther CLI command reference below, and note that some commands require authentication with your Panther instance (and therefore an API token carrying specific permissions).

pypanther CLI command reference

list
  Lists locally defined detections and schemas.
  Required API permission(s): None

get
  Gets the attributes of locally defined detections and schemas.
  Required API permission(s): None

test
  Runs detection tests locally.
  Required API permission(s): None

upload
  Uploads local detections and schemas to Panther. The default schemas path is content/schemas.
  Warning: In order to use the pypanther upload functionality, it must first be enabled for you. If you would like to upload detections, please reach out to your Panther Support team.
  Required API permission(s): Bulk Upload; Manage Log Sources (if uploading schemas)

convert
  Converts rules and helpers into PyPanther format. Learn more in convert, below.
  Required API permission(s): None

Authentication

Certain pypanther CLI commands, like upload, require authentication with your Panther instance. This means they require a valid Panther API host URL and API token. After you locate or generate these values, you will make them visible to pypanther.

- Panther API host URL: follow the Panther documentation on locating your API host URL.
- Panther API token: follow the Panther documentation on generating an API token, being sure to attach any permissions required by the pypanther commands you'd like to use. See the Required API permission(s) entries in the command reference above.

Once you have API host and token values, you can choose how to expose them to pypanther when you are executing a CLI command. The following methods are in order of precedence, meaning option one overrides option two:

1. Pass the host and token on the command line using --api-token and --api-host.
2. Set the host and token as environment variables using PANTHER_API_TOKEN and PANTHER_API_HOST.

Note that values passed on the command line can be recorded in your shell history and are visible to other local users in the process list, so outside of interactive use prefer the environment variables (for example, injected from your CI system's secret store).

upload

In addition to using pypanther upload to upload PyPanther Detections to Panther, you can also upload custom data schemas. When you run the upload command, pypanther looks in content/schemas for schemas to upload. pypanther supports uploading YAML schemas defined according to Panther's custom schema instructions.

convert

The pypanther convert command converts rules and helpers into PyPanther format.

The convert command does not output a main.py file. You must create this yourself. See the PyPanther Detections documentation for what main.py must include.

When converting a v1 rule, convert first checks whether it is custom or Panther-managed (by looking at its RuleId). If it's a custom rule, convert creates a straightforward translation of the rule.

If it's a Panther-managed rule, convert attempts to make as minimal an override as possible. This means:

- If there have only been modifications to the Panther-managed rule's attributes (i.e., the fields stored in the YAML file in v1), and not to its alert functions, the Panther-managed rule is customized using override to make the same customization(s) in PyPanther. The overrides are made in an apply_overrides function inside a log type-specific file that is stored in an overrides directory.
- If there have been modifications made to any of the Panther-managed rule's alert functions, a rule is created that subclasses the Panther-managed rule. The subclassed rule defines all alert functions that were modified in v1 (in addition to any modified attributes). The subclassed rule is created in a new file inside the rules directory.
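The decision tree above, as an added example that is not pypanther's own code: a stand-alone model that classifies a v1 rule by RuleId and then diffs it against the unmodified Panther-managed copy to choose between a straight translation, an override in overrides/<log type>.py, or a subclass in rules/. Everything not stated on this page is an assumption of the example: the v1 rule is represented as its YAML attributes plus the source text of the functions in its .py file, "Panther-managed" is a membership test against a constructed set of rule IDs, the list of alert function names and the output file names are illustrative, and the sample rules are constructed.

```python
"""Decision model for what `pypanther convert` does with one v1 rule.

Added example, not pypanther's own code. Assumptions: a v1 rule is its YAML
attributes plus the source of the functions in its .py file; "Panther-managed"
is decided by membership in MANAGED_RULE_IDS (constructed here); file names
and the ALERT_FUNCTIONS list are illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed stand-in for "is this RuleId Panther-managed?"
MANAGED_RULE_IDS = {"AWS.CloudTrail.RootActivity", "Okta.APIKey.Created"}

# Alert/auxiliary functions a v1 rule file may define. A change to any of them
# cannot be expressed as an attribute override, so it forces a subclass.
ALERT_FUNCTIONS = {
    "rule", "title", "dedup", "severity", "destinations",
    "runbook", "reference", "description", "alert_context",
}


@dataclass
class V1Rule:
    attributes: dict[str, object]  # fields from the v1 YAML (RuleId, Severity, LogTypes, ...)
    functions: dict[str, str]      # function name -> source text from the v1 .py


@dataclass
class ConvertPlan:
    kind: str                      # "translate" | "override" | "subclass"
    output_file: str
    changed_attributes: dict[str, object] = field(default_factory=dict)
    changed_functions: list[str] = field(default_factory=list)


def _snake(dotted: str) -> str:
    """AWS.CloudTrail -> aws_cloudtrail (illustrative file naming)."""
    return dotted.lower().replace(".", "_")


def plan_conversion(rule: V1Rule, baseline: V1Rule | None = None) -> ConvertPlan:
    """Decide how convert would handle `rule`.

    `baseline` is the unmodified Panther-managed copy of the same rule; it is
    required for managed rules because the diff against it decides override
    vs. subclass.
    """
    rule_id = str(rule.attributes["RuleId"])

    # Custom rule: straightforward translation, nothing to diff against.
    if rule_id not in MANAGED_RULE_IDS:
        return ConvertPlan("translate", f"rules/{_snake(rule_id)}.py")

    if baseline is None:
        raise ValueError(f"{rule_id} is Panther-managed; its baseline is required")

    # YAML attributes that differ from the baseline (RuleId is identity, not config).
    changed_attrs = {
        key: value
        for key, value in rule.attributes.items()
        if key != "RuleId" and baseline.attributes.get(key) != value
    }

    # Alert functions that were added, removed or edited relative to the baseline.
    changed_funcs = sorted(
        name for name in ALERT_FUNCTIONS
        if rule.functions.get(name) != baseline.functions.get(name)
    )

    if not changed_funcs:
        # Only attribute-level changes: express them with override() inside
        # apply_overrides() in the log-type-specific overrides module.
        log_types = rule.attributes.get("LogTypes") or baseline.attributes["LogTypes"]
        return ConvertPlan(
            "override",
            f"overrides/{_snake(str(log_types[0]))}.py",
            changed_attributes=changed_attrs,
        )

    # Function bodies changed: subclass the managed rule in rules/, redefining
    # every modified function and carrying the attribute changes along.
    return ConvertPlan(
        "subclass",
        f"rules/{_snake(rule_id)}.py",
        changed_attributes=changed_attrs,
        changed_functions=changed_funcs,
    )


# Constructed samples: the managed baseline and three local variants of it.
BASELINE_ROOT_ACTIVITY = V1Rule(
    attributes={"RuleId": "AWS.CloudTrail.RootActivity", "Severity": "Medium",
                "Enabled": True, "LogTypes": ["AWS.CloudTrail"]},
    functions={"rule": "def rule(event):\n    return event.deep_get('userIdentity', 'type') == 'Root'\n",
               "title": "def title(event):\n    return 'Root activity'\n"},
)
CUSTOM_RULE = V1Rule(
    attributes={"RuleId": "Custom.S3.PublicBucket", "Severity": "High", "LogTypes": ["AWS.CloudTrail"]},
    functions={"rule": "def rule(event):\n    return event.get('eventName') == 'PutBucketAcl'\n"},
)
SEVERITY_ONLY = V1Rule(attributes={**BASELINE_ROOT_ACTIVITY.attributes, "Severity": "High"},
                       functions=dict(BASELINE_ROOT_ACTIVITY.functions))
TITLE_CHANGED = V1Rule(attributes={**BASELINE_ROOT_ACTIVITY.attributes, "Enabled": False},
                       functions={**BASELINE_ROOT_ACTIVITY.functions,
                                  "title": "def title(event):\n    return f\"Root login from {event.get('sourceIPAddress')}\"\n"})

if __name__ == "__main__":
    for sample in (CUSTOM_RULE, SEVERITY_ONLY, TITLE_CHANGED):
        print(plan_conversion(sample, BASELINE_ROOT_ACTIVITY))
```

Running the module prints one plan per sample: the custom rule is translated, the severity-only change becomes an override in overrides/aws_cloudtrail.py, and the edited title() forces a subclass in rules/ that also carries the Enabled change.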