pypanther Library Reference

get_panther_rules()

See Importing Panther-managed rules

get_rules()

See Importing instances of Rule

apply_overrides()

See Call apply_overrides()

register()

See Registering

override()

See Applying overrides on existing rules

extend()

See Extending list attributes on existing rules

log_types

List[LogType | String]

id

String

Required only for registered rules

default_severity

Severity | String

severity()

create_alert

Boolean

True

dedup_period_minutes

Non-negative integer

60

default_description

String

description()

“”

default_destinations

List[String]

destinations()

[]

default_reference

String

reference()

“”

default_runbook

String

runbook()

“”

display_name

String

“”

enabled

Boolean

True

exclude_filters

List[Callable[[PantherEvent], bool]]

[]

include_filters

List[Callable[[PantherEvent], bool]]

[]

reports

Dictionary[String,List[String]]

{}

summary_attributes

List[String]

[]

tags

List[String]

[]

tests

List[RuleTest]

[]

threshold

Positive integer

1

name

String

The name of the test case

expected_result

Boolean

Whether rule() should return True or False

log

Dictionary | String

The log event that should be tested against the detection

mocks

list[RuleMock]

[]

expected_severity

Severity | String

None

The expected severity of the resulting alert. Only include on tests where expected_result=True

expected_title

String

None

The expected title of the resulting alert. Only include on tests where expected_result=True

expected_dedup

String

None

The expected deduplication string of the resulting alert. Only include on tests where expected_result=True

expected_runbook

String

None

The expected runbook of the resulting alert. Only include on tests where expected_result=True

expected_reference

String

None

The expected reference of the resulting alert. Only include on tests where expected_result=True

expected_description

String

None

The expected description of the resulting alert. Only include on tests where expected_result=True

expected_alert_context

Dictionary

None

The expected alert context of the resulting alert. Only include on tests where expected_result=True

object_name

String

The variable, attribute, function or method you'd like to mock

new

Any

None

The new value of object_name when mocking a variable or attribute One of new, return_value, or side_effect is required

return_value

Any

None

The new value of object_name when mocking a function or method One of new, return_value, or side_effect is required

side_effect

Any

None

The name of a different function or method that should be called in place of object_name. Can also be a lambda function. One of new, return_value, or side_effect is required

as_int()

Integer

Converts a Severity to an integer, where:

• INFO = 0

• LOW = 1

• MEDIUM = 2

• HIGH = 3

• CRITICAL = 4

downgrade()

Severity

Returns a Severity object that is one level lower than the one downgrade() is being called on. For example, Severity("LOW").downgrade() returns Severity("INFO") Learn more in Use upgrade() or downgrade() in severity().

upgrade()

Severity

Returns a Severity object that is one level higher than the one upgrade() is being called on. For example, Severity("LOW").upgrade() returns Severity("MEDIUM"). Learn more in Use upgrade() or downgrade() in severity().