Panther API
Use Panther's GraphQL API for alert, role, and user management, and data lake querying
Last updated
Was this helpful?
Use Panther's GraphQL API for alert, role, and user management, and data lake querying
Last updated
Was this helpful?
Panther offers a public GraphQL-over-HTTP API, meaning you can write GraphQL queries and invoke the API using a typical HTTP request. For more information on GraphQL, see .
For a list of supported operations, see or .
You can create and modify Panther API queries using one of the following methods:
API Playground in the Panther Console
The allows you to try out your GraphQL queries, view the results and explore the API documentation all in one page. It comes with features to format your query and copy a curl operation of your query.
GraphQL-over-HTTP API
You can (recommended), or .
Log in to your Panther Console.
In the upper right corner, click the gear icon. In the dropdown menu, click API Tokens.
Provide a Name, and choose the permissions you'd like to grant the token.
In the IP Restrictions section, in the CIDR Blocks field, enter one or more IP addresses to which you'd like to restrict usage of the token, if any.
Enter the IP address(es) in CIDR notation, e.g., 10.0.0.0/8 or 8.8.8.8/32.
If no IP addresses are specified, the token will be usable by any IP address.
Click Create API Token.
You will see a success screen that displays the value of the API token. Please note that the API token is sensitive information and it will not be displayed again; make sure you copy the API token and store it in a secure location.
After generating an API token, you can test to verify that it works as expected:
On the API token creation success screen, click the link that says Give it a go on our Playground.
Locate the REQUEST HEADERS tab at the bottom-left corner of the Playground screen. Under this tab, change the default value of the X-API-Key header from <ENTER_YOUR_KEY_HERE> to the value of your API token.
In the upper left corner, press the "play" icon to run the test.
You can discover the available queries, mutations, and fields by clicking Documentation Explorer on the right side panel of the Playground.
To invoke the API using an HTTP curl operation, you will need the following information:
The GraphQL endpoint to hit
The GraphQL API endpoint is tied to your Panther domain and the API URL format is
https://api.{YOUR_PANTHER_DOMAIN}/public/graphql.
The auth-related header
The auth-related header is called X-API-Key and its value should always be a valid API token that you generated in the Panther Console.
A GraphQL query
There are two ways to invoke a GraphQL-over-HTTP API:
Option 1: Install and use a GraphQL Client to abstract the transport-related complexities (recommended)
Option 2: Manually construct an HTTP call
While all GraphQL operations are essentially simple HTTP calls, the advantage of using a GraphQL client is that it is more user-friendly.
We recommend using:
Below you'll find some examples of how you would construct a GraphQL query to fetch the first page of alerts in your system:
There are three options to discover the GraphQL schema:
Option 1: Download the publicly available GraphQL schema file (quickest)
API tokens are used to authenticate against and authorize access to Panther’s public API. As with username and password credentials, you should store API tokens securely to protect them from bad actors. Rotating your token periodically may lessen the likelihood of it being compromised. The Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) recommend rotating API tokens every 90 days.
You can rotate your API token either in your Panther Console, or by calling Panther's API itself. Once you've rotated your token, the previous one is no longer valid.
Rotate an API token in the Panther Console
To rotate your API token in the Panther Console:
Log in to your Panther Console.
In the upper right, click the gear icon, then API Tokens.
Locate the token you'd like to rotate. In the upper right corner of its tile, click the three dots icon, then Rotate.
Use the following query to confirm your Panther version.
Click Create an API Token.
See the .
For additional ways to discover the schema, see
Once you have successfully created an API token, remember to periodically rotate it. See instructions for token rotation in , below.
To find this URL In your Panther Console, click the gear icon in the upper right corner, then API Tokens:
The GraphQL query differs from use case to use case. Please refer to our or our for more on this topic.
for your NodeJS projects
for your Python projects
for your Go projects
You can find all available operations of the API, as well as detailed end-to-end examples in the subpages of the current page. For a high level list, check out our .
Option 2: Use (most user-friendly)
Option 3: Perform an against the GraphQL endpoint (best for tools and services)
You can download the latest version of the GraphQL schema file .
Panther's API Playground is a user-friendly way of browsing and discovering what's supported in our API. Please refer to our for information on how to use this as a discoverability mechanism.
For security purposes, the introspection query is an authorized operation. This means that you'll need to add an X-API-Key header to your HTTP call with the value of an in order for the introspection to work.
On the confirmation modal that pops up, click Continue.
The modal will display your new API token. You will only see this once, so be sure to copy and store it in a secure location.
Learn more about how to use this endpoint on .
The Panther API supports an ever-growing set of capabilities that allow you to build your security workflows, as well as an to test operations.
See for a list of supported API operations and examples.
Visit the Panther Knowledge Base to that answer frequently asked questions and help you resolve common errors and issues.
