"""
Used to poll response stream.
"""
type AIInferenceStream {
"""
The alias of the stream
"""
alias: String
"""
Whether the current user can edit or delete this stream (based on ownership or ManageAIResponses permission)
"""
canEdit: Boolean!
"""
Whether the stream was cancelled by the user. When true, the inference loop stopped on its next chunk write and the stream is finished.
"""
cancelled: Boolean
"""
When the stream was cancelled (null if not cancelled)
"""
cancelledAt: DateTime
"""
Who cancelled the stream (null if not cancelled)
"""
cancelledBy: Actor
"""
When the stream was created
"""
createdAt: DateTime!
"""
Who created the stream
"""
createdBy: Actor
"""
Whether the stream is deleted (soft delete, can be undone and by default is not in listings)
"""
deleted: Boolean
"""
When the stream was deleted
"""
deletedAt: DateTime
"""
Who deleted the stream
"""
deletedBy: Actor
"""
This is set on errors with a useful message
"""
error: String
"""
If true, there is no more data
"""
finished: Boolean!
"""
The parent stream id from which this response was derived
"""
parentStreamId: ID
"""
Whether the stream is pinned (set by the user with editAIInferenceStream)
"""
pinned: Boolean
"""
Whether the stream is private and not visible to other users (set by the user with editAIInferenceStream)
"""
private: Boolean
"""
AI analysis response
Only set when querying a specific inference stream
Will be null when listing inference streams
"""
responseText: String
"""
Risk scoring evidence for this stream (if available)
Only set when risk scoring has been performed
"""
riskScoreEvidence: RiskScoreEvidence
"""
Whether the stream is saved (never expires)
"""
saved: Boolean
"""
The id of the stream where inference responses are written
"""
streamId: ID!
"""
The name of the stream (set by the user with editAIInferenceStream)
"""
streamName: String
"""
When the stream was updated
"""
updatedAt: DateTime
"""
Who updated the stream
"""
updatedBy: Actor
"""
The usage of the stream
"""
usage: AIInferenceStreamUsage
"""
The user prompt that was used to create the stream
"""
userPrompt: String
}
"""
Input to search an inference stream
"""
input AIInferenceStreamTextSearchInput {
"""
Optional alias to filter by
"""
alias: String
"""
Optional cursor to continue listing from for more results (not set if first page)
"""
cursor: String
"""
Filter to conversation streams only. When omitted or false, returns non-conversation streams.
When true, returns only conversation streams.
"""
isConversation: Boolean
"""
Optional kind of AI request to filter by
"""
kind: AISummarizeKind
"""
Optional page size (defaults to 20, max 100)
"""
pageSize: Int
"""
The search query
"""
query: String!
"""
Optional flag to filter by current user's responses only
"""
searchMine: Boolean
}
"""
The result of a text search on an inference stream
"""
type AIInferenceStreamTextSearchResult {
"""
The alias of the stream
"""
alias: String
"""
The alias type of the stream
"""
aliasType: String
"""
The conversation ID, if this result is from a conversation stream
"""
conversationId: String
"""
The created at timestamp of the stream
"""
createdAt: DateTime
"""
Who created the stream
"""
createdBy: Actor
"""
Whether this result is from a conversation stream
"""
isConversation: Boolean
"""
Whether the stream is private and not visible to other users
"""
private: Boolean
"""
The snippet of the matching text with highlights
"""
snippetWithHighlights: SnippetWithHighlights!
"""
The id of the stream where inference responses are written
"""
streamId: ID!
"""
The title of the stream
"""
title: String
"""
The user prompt that was used to create the stream
"""
userPrompt: String
}
"""
Edge for AIInferenceStreamTextSearchResultList
"""
type AIInferenceStreamTextSearchResultEdge {
"""
The text search result
"""
node: AIInferenceStreamTextSearchResult!
}
"""
The paginated list of text search results
"""
type AIInferenceStreamTextSearchResultList {
"""
The page of text search results
"""
edges: [AIInferenceStreamTextSearchResultEdge!]!
"""
Pagination information
"""
pageInfo: CursorBasedPaginationPageInfo!
"""
Total number of results found
"""
totalCount: Int
}
"""
The usage stats of an inference stream
"""
type AIInferenceStreamUsage {
"""
The input tokens written to the prompt cache on this request (cache miss / cache write).
"""
cacheCreationInputTokens: Int!
"""
The input tokens served from the prompt cache on this request (cache hit).
"""
cacheReadInputTokens: Int!
"""
The duration of the inference in seconds
"""
durationSeconds: Float!
"""
The input tokens used by the stream that were neither served from nor written to the prompt cache.
Total prompt size is inputTokens + cacheCreationInputTokens + cacheReadInputTokens.
"""
inputTokens: Int!
"""
The model used to generate the stream
"""
modelID: String!
"""
The output tokens generated by the stream
"""
outputTokens: Int!
}
"""
Input to retrieve inference streams metadata
"""
input AIInferenceStreamsMetadataInput {
"""
Optional alias to filter streams by
"""
alias: String
"""
Optional cursor to continue listing from for more results (not set if first page)
"""
cursor: String
"""
Optional page size (defaults to 100)
"""
pageSize: Int
"""
Optional parentID to filter streams by, if empty (""), filter for root streams (no parentID)
"""
parentID: String
}
"""
The metadata for a list of inference streams
"""
type AIInferenceStreamsMetadataList {
"""
The page of inference stream metadata
"""
edges: [AIInferenceStreamsMetadataListEdge!]!
"""
Pagination information
"""
pageInfo: CursorBasedPaginationPageInfo!
}
"""
Edge for AIInferenceStreamsMetadataList
"""
type AIInferenceStreamsMetadataListEdge {
"""
The inference stream metadata
"""
node: AIInferenceStream!
}
"""
Request an AI replay for a detection rule.
"""
input AIReplayDetectionInput {
"""
The detection rule to replay
"""
detectionId: ID!
"""
End time of the replay
"""
endTime: DateTime!
"""
Optional list of log types to replay (subset of detection rule log types)
"""
logTypes: [String!]
"""
Caller context
"""
metadata: AISummarizeMetadata
"""
The requested output length
"""
outputLength: OutputLength = medium
"""
Additional optional prompt to append for added context
"""
prompt: String
"""
Start time of the replay
"""
startTime: DateTime!
}
"""
Request an AI schema inference for a log source.
"""
input AISchemaInferenceInput {
"""
Caller context
"""
metadata: AISummarizeMetadata
"""
The requested output length
"""
outputLength: OutputLength = medium
"""
Whether the stream should be private and not visible to other users
"""
private: Boolean
"""
Additional optional prompt to append for added context
"""
prompt: String
"""
The session id for the schema inference
"""
sessionId: ID!
"""
The stream type for the schema inference
"""
streamType: LogStreamType
}
"""
Request an AI summary for an alert.
"""
input AISummarizeAlertInput {
"""
The alert to summarize
"""
alertId: ID!
"""
Optional s3:// URIs of uploaded attachments to include in the prompt
"""
attachments: [String!]
"""
Caller context
"""
metadata: AISummarizeMetadata
"""
The requested output length
"""
outputLength: OutputLength = medium
"""
Whether the stream should be private and not visible to other users
"""
private: Boolean
"""
Additional optional prompt to append for added context
"""
prompt: String
}
"""
Request an AI summary for a detection.
"""
input AISummarizeDetectionInput {
"""
The detection to summarize
"""
detectionId: ID!
"""
Caller context
"""
metadata: AISummarizeMetadata
"""
The requested output length
"""
outputLength: OutputLength = medium
"""
Whether the stream should be private and not visible to other users
"""
private: Boolean
"""
Additional optional prompt to append for added context
"""
prompt: String
}
"""
Kinds of AI summaries
"""
enum AISummarizeKind {
"""
Analyzing a single alert
"""
alert
"""
Analyzing an alert listing
"""
alertList
"""
Authoring a new detection with iterative testing
"""
detectionAuthor
"""
Analyzing a detection overview
"""
detectionOverview
"""
Generating a detection tests
"""
detectionTests
"""
Drill down analysis for the provided stream ids
"""
drillDown
"""
Analyzing a set of events
"""
events
"""
Authoring or reviewing an organization profile
"""
organizationProfile
"""
System overview analysis
"""
overview
"""
Generating a PantherFlow query from natural language
"""
pantherFlowQuery
"""
Analyzing a set of query results
"""
queryResults
"""
Replaying a detection rule
"""
replay
"""
Analyzing a set of schema inference results
"""
schemaInference
"""
Authoring a new AI skill with iterative refinement
"""
skillAuthor
"""
Authoring a SQL query from natural language
"""
sqlQueryAuthor
}
"""
Request an AI summary for logs.
"""
input AISummarizeLogEventsInput {
"""
Optional alias of the inference stream, used to retrieve the stream
"""
alias: String
"""
Optional s3:// URIs of uploaded attachments to include in the prompt
"""
attachments: [String!]
"""
Events to analyze as an array of JSON strings
"""
events: [String!]!
"""
Caller context
"""
metadata: AISummarizeMetadata
"""
The requested output length
"""
outputLength: OutputLength = large
"""
Whether the stream should be private and not visible to other users
"""
private: Boolean
"""
Additional optional prompt to append for added context
"""
prompt: String
}
"""
Describe the context of the caller
"""
input AISummarizeMetadata {
"""
The kind of AI request
"""
kind: AISummarizeKind
"""
The page of the caller
"""
page: String
"""
The parent stream id from which this response was derived
"""
parentStreamId: ID
}
"""
Request an AI summary for query results.
"""
input AISummarizeQueryResultsInput {
"""
Optional s3:// URIs of uploaded attachments to include in the prompt
"""
attachments: [String!]
"""
Caller context
"""
metadata: AISummarizeMetadata
"""
The requested output length
"""
outputLength: OutputLength = medium
"""
Whether the stream should be private and not visible to other users
"""
private: Boolean
"""
Additional optional prompt to append for added context
"""
prompt: String
"""
The queryId
"""
queryId: ID!
}
"""
The metadata of an API token that can act upon Panther resources.
"""
type APIToken {
"""
The set of CIDR blocks that are allowed to use this API token. If empty, all CIDR blocks are allowed.
"""
allowedCIDRBlocks: [String!]!
"""
Date and time when the API token got created
"""
createdAt: DateTime!
"""
The physical User that created this API token
"""
createdBy: User!
"""
Date and time when the API token will expire. Will be `null` if the token is non-expiring.
"""
expiresAt: DateTime
"""
The unique identifier of this token
"""
id: ID!
"""
The last time this token was used to authenticate
"""
lastUsedAt: DateTime
"""
The name given to this token during its creation
"""
name: String!
"""
The set of permissions associated with this token
"""
permissions: [Permission!]!
"""
Date and time when the API token last got rotated, if applicable
"""
rotatedAt: DateTime
"""
Date and time when the API token last got rotated, if applicable
"""
rotatedBy: Actor
"""
Date and time when the API token last got updated
"""
updatedAt: DateTime
"""
The physical User that last updated this API token
"""
updatedBy: User
"""
The API token value, only populated during create and rotate actions
"""
value: String
}
"""
Scan configuration options
"""
type AWSScanConfig {
"""
The role used to scan the AWS Account
"""
auditRole: String!
}
"""
Input for updating the AWS Scan Config
"""
input AWSScanConfigInput {
auditRole: String!
}
"""
An Actor is an entity that performs a CRUD operation in Panther
"""
union Actor = APIToken | User
"""
The metadata around an Alert
"""
type Alert {
"""
The User assigned to the Alert. If null, the alert is "unassigned"
"""
assignee: User
"""
Date and time when the Alert got created
"""
createdAt: DateTime!
"""
The metadata around the alert's delivery attempts
"""
deliveries: [AlertDelivery]!
"""
The type of this Alert, as extracted from its origin
"""
description: String!
"""
Alert events
"""
events(input: AlertEventsInput): AlertEventsOutput
"""
Date and time of this alert's first event
"""
firstEventOccurredAt: DateTime
"""
The unique identifier of this Alert
"""
id: ID!
"""
Date and time that the last event related to this Alert was received
"""
lastReceivedEventAt: DateTime!
"""
The Panther entity that generated (triggered) this alert
"""
origin: AlertOrigin!
"""
The reference for this Alert, as extracted from its origin
"""
reference: String!
"""
Risk scoring evidence for this alert
"""
riskScore: RiskScoreEvidence
"""
The runbook for this Alert, as extracted from its origin
"""
runbook: String!
"""
The severity of this Alert
"""
severity: Severity!
"""
The status of this Alert
"""
status: AlertStatus!
"""
The title of this Alert
"""
title: String!
"""
The type of this Alert
"""
type: AlertType!
"""
Date and time when the Alert got last updated
"""
updatedAt: DateTime
"""
The Actor that last updated the state of this alert
"""
updatedBy: Actor
}
"""
The metadata around a single Alert delivery attempt
"""
type AlertDelivery {
dispatchedAt: DateTime!
"""
The label of the alert at where it was delivered (channel name/ID, jira ticket, asana issue, etc)
"""
label: String!
message: String!
outputId: ID!
statusCode: Int!
success: Boolean!
"""
The url to where the alert was delivered
"""
url: String!
}
"""
The payload to the `events` query
"""
input AlertEventsInput {
"""
An opaque string used when paginating across multiple pages of results
"""
cursor: String
"""
The size of each page of results. Defaults to 25
"""
pageSize: Int = 25
}
"""
The response of the alert events query.
NOTE: It is valid for `edges` to be empty while `pageInfo.hasNextPage` is true.
This occurs when the S3 event scan hits its deadline before finding matching events
but the pagination cursor has advanced past scanned objects. The client should
continue paginating with the returned cursor to make forward progress.
"""
type AlertEventsOutput {
"""
A list of paginated alert events edges
"""
edges: [AlertEventsOutputEdge!]!
"""
Metadata around this page of results
"""
pageInfo: CursorBasedPaginationPageInfo!
}
"""
The edge shape of the AlertEventsOutput type
"""
type AlertEventsOutputEdge {
"""
An event node
"""
node: JSON!
}
"""
The type of items that a list of alerts can be filtered by
"""
enum AlertListingType {
"""
Alerts that got created as a result of a detection match from Rules, Policies & Scheduled Rules
"""
ALERT
"""
Alerts that got created as a result of a detection error. Includes errors from Rules, Policies & Scheduled Rules
"""
DETECTION_ERROR
"""
Alerts that got created as a result of a Panther system error
"""
SYSTEM_ERROR
}
"""
The entities that generated this alert
"""
union AlertOrigin = DeletedDetection | Detection | SystemError
"""
The different status that an Alert can have
"""
enum AlertStatus {
"""
The alert has been flagged as a false-positive. This is shown as Invalid in the Panther UI.
"""
CLOSED
"""
The alert is still open & pending triage
"""
OPEN
"""
The alert has been resolved along with the issue that caused it
"""
RESOLVED
"""
The alert has been successfully triaged, but it hasn't yet been closed or resolved
"""
TRIAGED
}
"""
The different type of alerts that Panther Supports
"""
enum AlertType {
"""
Alert that got created due to a Policy failure
"""
POLICY
"""
Alert that got created due to a Rule match
"""
RULE
"""
Alert that got created due to an error in the python code of the associated Rule
"""
RULE_ERROR
"""
Alert that got created due to a Scheduled Rule match
"""
SCHEDULED_RULE
"""
Alert that got created due to an error in the python code of the associated Scheduled Rule
"""
SCHEDULED_RULE_ERROR
"""
Alert that got created by Panther due to an issue with the data ingestion process
"""
SYSTEM_ERROR
}
"""
The available filters of the `alerts` query. You must either specify a particular `detectionId` or a combination of
`createdAtAfter` & `createdAtBefore` for the query to be issued successfully.
"""
input AlertsInput {
"""
A list of userIds to filter alert assignees by
"""
assigneeIds: [ID!]
"""
Returns alerts created after this date
"""
createdAtAfter: DateTime
"""
Returns alerts created before this date
"""
createdAtBefore: DateTime
"""
An opaque string used when paginating across multiple pages of results
"""
cursor: String
"""
A detection (rule, scheduled rule or policy) ID that all returned alerts should originate from
"""
detectionId: ID
"""
A maximum number of events that the returned alerts must have
"""
eventCountMax: Int
"""
A minimum number of events that the returned alerts must have
"""
eventCountMin: Int
"""
A list of log source IDs to filter alerts by
"""
logSources: [String!]
"""
A list of log type names (custom or not) to filter alerts by
"""
logTypes: [String!]
"""
A string/text to look for in the alert's title
"""
nameContains: String
"""
The size of each page of results. Defaults to `25`
"""
pageSize: Int = 25
"""
A list of AWS resource type names to filter alerts by
"""
resourceTypes: [String!]
"""
A list of severities to filter alerts by
"""
severities: [Severity!]
"""
The field to used for sorting purposes. Currently, `createdAt` is the only option
"""
sortBy: AlertsSortFieldsEnum
"""
The direction to sort alerts by, based on the value of the `sortBy` filter. Defaults to `descending`
"""
sortDir: SortDirEnum = descending
"""
A list of statuses to filter alerts by
"""
statuses: [AlertStatus!]
"""
Further filter the items returned when `type` is also set.
- Valid subtypes when `type: ALERT` is set are `POLICY`, `RULE`, and `SCHEDULED_RULE`.
- Valid subtypes when `type: DETECTION_ERROR` is set are `RULE_ERROR` and `SCHEDULED_RULE_ERROR`
- There are no subtypes for `type: SYSTEM_ERROR`
"""
subtypes: [AlertType!]
"""
The type of items that are going to be returned from your query. Defaults to detection alerts.
"""
type: AlertListingType = ALERT
}
"""
The response of the `alerts` query
"""
type AlertsOutput {
"""
A list of paginated alert edges
"""
edges: [AlertsOutputEdge!]!
"""
Metadata around this page of results
"""
pageInfo: AlertsOutputPageInfo!
}
"""
The edge shape of the `AlertsOutput` type
"""
type AlertsOutputEdge {
"""
An alert node
"""
node: Alert!
}
"""
The metadata around a page of results for the `alerts` query
"""
type AlertsOutputPageInfo {
"""
The cursor that the next page of results should start from or `null` if this is the last page
"""
endCursor: String
"""
A boolean indicating whether more results exist
"""
hasNextPage: Boolean!
"""
A boolean indicating whether this is the first page of results or not
"""
hasPreviousPage: Boolean!
"""
The cursor that this page of results started from or `null` if this is the first page
"""
startCursor: String
}
"""
The supported sorting field when listing alerts
"""
enum AlertsSortFieldsEnum {
createdAt
}
"""
Input to cancel an inference stream
"""
input CancelAIInferenceStreamInput {
"""
The id of the stream to cancel
"""
streamId: ID!
}
"""
The input to a data lake query cancellation operation
"""
input CancelDataLakeQueryInput {
"""
The ID of the query to cancel
"""
id: ID!
}
"""
The return value of a data lake or indicator search query cancellation request
"""
type CancelDataLakeQueryOutput {
"""
The ID of the query that just got cancelled
"""
id: ID!
}
"""
Represents a Cloud Account integration
"""
type CloudAccount {
"""
The AWS Account ID of the Cloud Account
"""
awsAccountId: String!
"""
Regions to be ignored by scans of this cloud account
"""
awsRegionIgnoreList: [String!]!
"""
Account scan configuration options
"""
awsScanConfig: AWSScanConfig
"""
The name of the cloudformation stack monitoring the account
"""
awsStackName: String!
"""
The time the Cloud Account integration was created
"""
createdAt: DateTime!
"""
The user who created the Cloud Account integration
"""
createdBy: Actor
"""
The ID of the Cloud Account integration
"""
id: ID!
"""
True if the Cloud Account integration can be modified
"""
isEditable: Boolean!
"""
True if realtime scanning is enabled for this Cloud Account
"""
isRealtimeScanningEnabled: Boolean!
"""
The name of the Cloud Account integration
"""
label: String!
"""
The time the Cloud Account integration was last modified
"""
lastModifiedAt: DateTime
"""
Resources that match this regex will be ignored by scans of this cloud account
"""
resourceRegexIgnoreList: [String!]!
"""
Resource types to be ignored by scans of this cloud account
"""
resourceTypeIgnoreList: [String!]!
}
"""
Input for the cloudAccounts query
"""
input CloudAccountsInput {
cursor: String
}
"""
Output for the cloudAccounts query
"""
type CloudAccountsOutput {
"""
A list of paginated cloud account edges
"""
edges: [CloudAccountsOutputEdge!]!
"""
Metadata around this page of results
"""
pageInfo: CursorBasedPaginationPageInfo!
}
"""
The edge shape of the `CloudAccount` type
"""
type CloudAccountsOutputEdge {
"""
A Cloud Account Node
"""
node: CloudAccount!
}
"""
A comment posted within a Panther alert
"""
type Comment {
"""
Body of comment
"""
body: String!
"""
Date and time when the Alert got last updated
"""
createdAt: DateTime!
"""
The Actor that last updated the state of this alert
"""
createdBy: Actor!
"""
The entity that this comment was added to
"""
entity: CommentEntity!
"""
The format of the comment's body, as it was originally submitted
"""
format: CommentFormat!
"""
Comment identifier
"""
id: ID!
}
"""
The available entities that can host a comment
"""
union CommentEntity = Alert
"""
The format that a Comment's body can be submitted as
"""
enum CommentFormat {
"""
A string that should be interpreted as HTML
"""
HTML
"""
A string that should be interpreted as plain text
"""
PLAIN_TEXT
}
"""
The payload to the createComment mutation.
"""
input CreateAlertCommentInput {
"""
The alert ID you want to post a comment to
"""
alertId: ID!
"""
The comment body
"""
body: String!
"""
The format that the comment's body is going to be in. Defaults to plain text.
"""
format: CommentFormat = PLAIN_TEXT
}
"""
The response to the mutation createComment.
"""
type CreateAlertCommentOutput {
comment: Comment!
}
"""
Input for the createCloudAccount mutation
"""
input CreateCloudAccountInput {
"""
The AWS Account ID of the Cloud Account
"""
awsAccountId: String!
"""
Regions to be ignored by scans of this cloud account
"""
awsRegionIgnoreList: [String!]
"""
Account scan configuration options
"""
awsScanConfig: AWSScanConfigInput!
"""
Label applied to the Cloud Account integration
"""
label: String!
"""
Resources that match this regex will be ignored by scans of this cloud account
"""
resourceRegexIgnoreList: [String!]
"""
Resource types to be ignored by scans of this cloud account
"""
resourceTypeIgnoreList: [String!]
}
"""
Output for the createCloudAccount mutation
"""
type CreateCloudAccountOutput {
"""
The cloud account that was created
"""
cloudAccount: CloudAccount!
}
"""
The payload to the `createOrUpdateSchema` mutation
"""
input CreateOrUpdateSchemaInput {
"""
The description of the schema
"""
description: String
"""
A boolean indicating whether the automatic schema field discovery feature is enabled
"""
isFieldDiscoveryEnabled: Boolean
"""
The name of the schema
"""
name: String!
"""
An optional field that can be used to reference documentation related to the schema
"""
referenceURL: String
"""
Revision number for the schema
"""
revision: Int
"""
The schema spec in YAML or JSON format
"""
spec: String!
}
"""
The response of the 'createOrUpdateSchema' mutation
"""
type CreateOrUpdateSchemaOutput {
schema: Schema
}
"""
The input to the createRole mutation
"""
input CreateRoleInput {
"""
The log types that the role can or cannot access, according to the `logTypeAccessKind` field. This field should be omitted if `logTypeAccessKind` has a value of `ALLOW_ALL` or `DENY_ALL`
"""
logTypeAccess: [String!]
"""
Defines the role's access to log types. This field is required and has effect only if the datalake RBAC feature is enabled.
"""
logTypeAccessKind: LogTypeAccessKind
"""
The name of the role
"""
name: String!
"""
An array of the role's permissions
"""
permissions: [Permission!]!
}
"""
The output to the createRole mutation
"""
type CreateRoleOutput {
"""
The created role
"""
role: Role!
}
"""
Input for the createS3LogSource mutation
"""
input CreateS3SourceInput {
awsAccountId: String!
kmsKey: String
label: String!
logProcessingRole: String!
logStreamType: LogStreamType!
logStreamTypeOptions: LogStreamTypeOptionsInput
managedBucketNotifications: Boolean!
s3Bucket: String!
s3PrefixLogTypes: [S3PrefixLogTypesInput!]!
}
"""
Output for the createS3LogSource mutation
"""
type CreateS3SourceOutput {
logSource: S3LogIntegration!
}
"""
The metadata around a page of results
"""
type CursorBasedPaginationPageInfo {
"""
The cursor that the next page of results should start from or `null` if this is the last page
"""
endCursor: String
"""
A boolean indicating whether more results exist
"""
hasNextPage: Boolean!
"""
A boolean indicating whether this is the first page of results or not
"""
hasPreviousPage: Boolean!
"""
The cursor that this page of results started from or `null` if this is the first page
"""
startCursor: String
}
"""
A Panther data lake database
"""
type DataLakeDatabase {
"""
A description for this database
"""
description: String
"""
The name of this database
"""
name: String!
"""
The tables that this database has
"""
tables: [DataLakeDatabaseTable!]!
}
"""
A table within a Panther data lake database
"""
type DataLakeDatabaseTable {
"""
The columns that this table has
"""
columns: [DataLakeDatabaseTableColumn!]!
"""
Optional description for this table
"""
description: String
"""
Optional display name for table
"""
displayName: String
"""
Optional logType
"""
logType: String
"""
The name of the table
"""
name: String!
"""
Optional count of hits in this table (used in query results)
"""
numMatches: Int
}
"""
The column of a Panther data lake table
"""
type DataLakeDatabaseTableColumn {
"""
A description for this column
"""
description: String
"""
The name of the column
"""
name: String!
"""
The column's type. Exact values depend on your choice of data lake.
"""
type: String
}
"""
The input used to describe a data lake table
"""
input DataLakeDatabaseTableInput {
"""
The name of the database that the table belongs in
"""
databaseName: String!
"""
The name of the table
"""
tableName: String!
}
"""
The shape of the edges in an edge collection
"""
type DataLakeDatabaseTablesEdges {
"""
a node containing the table information
"""
node: DataLakeDatabaseTable!
}
"""
The input used to describe a collection of data lake tables
"""
input DataLakeDatabaseTablesInput {
"""
The cursor to start from for paginated queries
"""
cursor: String
"""
The name of the database that the tables belong in
"""
databaseName: String!
"""
The number of results that each page will contain.
"""
pageSize: Int = 25
}
"""
The results of a DataLakeDatabaseTables query
"""
type DataLakeDatabaseTablesOutput {
"""
A list of paginated edges
"""
edges: [DataLakeDatabaseTablesEdges!]!
"""
Metadata around this page of results
"""
pageInfo: DataLakeDatabaseTablesOutputPageInfo!
}
"""
The metadata about the page in a Table collection
"""
type DataLakeDatabaseTablesOutputPageInfo {
"""
The cursor that the next page of results should start from or `null` if this is the last page
"""
endCursor: String
"""
A boolean indicating whether more results exist
"""
hasNextPage: Boolean!
"""
A boolean indicating whether this is the first page of results or not
"""
hasPreviousPage: Boolean!
"""
The cursor that this page of results started from or `null` if this is the first page
"""
startCursor: String
}
"""
The optional input filters to the `dataLakeQueries` query
"""
input DataLakeQueriesInput {
"""
Filter queries by their name and/or SQL statement
"""
contains: String
"""
An opaque string used when paginating across multiple pages of results
"""
cursor: String
"""
Only return queries that are either scheduled or not (i.e. issued by a user). Leave blank to return both.
"""
isScheduled: Boolean
"""
Only return queries issued by those user IDs
"""
issuedBy: [ID!]
"""
The number of results that each page will contain. Defaults to 25 with a maximum value of 999.
"""
pageSize: Int = 25
"""
Field used for sorting purposes. Currently, `startedAt` is the only option
"""
sortBy: DataLakeQueriesSortFields = startedAt
"""
The direction to sort results by
"""
sortDir: SortDirEnum = descending
"""
Only return queries that started after this fdate
"""
startedAtAfter: DateTime
"""
Only return queries that started after this fdate
"""
startedAtBefore: DateTime
"""
A list of query statuses to filter queries by
"""
status: [DataLakeQueryStatus!]
}
"""
The return value of a `dataLakeQueries` query
"""
type DataLakeQueriesOutput {
"""
A list of paginated query edges
"""
edges: [DataLakeQueryEdge!]!
"""
Metadata around this page of results
"""
pageInfo: DataLakeQueriesOutputPageInfo!
}
"""
The metadata around a page of results for the `dataLakeQueries` query
"""
type DataLakeQueriesOutputPageInfo {
"""
The cursor that the next page of results should start from or `null` if this is the last page
"""
endCursor: String
"""
A boolean indicating whether more results exist
"""
hasNextPage: Boolean!
"""
A boolean indicating whether this is the first page of results or not
"""
hasPreviousPage: Boolean!
"""
The cursor that this page of results started from or `null` if this is the first page
"""
startCursor: String
}
"""
The available sort values for sorting a paginated list of data lake queries
"""
enum DataLakeQueriesSortFields {
startedAt
}
"""
The metadata around a data lake or indicator search query
"""
type DataLakeQuery {
"""
The children queries (subqueries) for queries (e.g., used by the Query Builder). This field is empty for simple queries
"""
children: [DataLakeQuery!]!
"""
The datetime at which the query completed or errored. This value is empty if the query is still running
"""
completedAt: DateTime
"""
The ID of this query
"""
id: ID!
"""
A boolean denoting whether this was a scheduled query or not
"""
isScheduled: Boolean!
"""
The entity that issued this query
"""
issuedBy: Actor
"""
A message that describes the current status of this query
"""
message: String!
"""
The name of this query or empty if it's an ad-hoc query
"""
name: String
"""
The results this query yielded. This field is `null` if the query hasn't successfully completed
"""
results(input: DataLakeQueryResultsInput): DataLakeQueryResults
"""
The SQL statement that was ran
"""
sql: String!
"""
The datetime at which the query started executing
"""
startedAt: DateTime!
"""
The current status of this query
"""
status: DataLakeQueryStatus!
}
"""
The edge shape of the `DataLakeQueryEdge` type
"""
type DataLakeQueryEdge {
"""
A data lake query node
"""
node: DataLakeQuery!
}
"""
The edge shape of the `DataLakeQueryResultRecords` type
"""
type DataLakeQueryResultEdge {
"""
A data lake record object
"""
id: String
node: JSON!
}
"""
Pagination metadata for the records returned by a data lake or indicator search query
"""
type DataLakeQueryResultRecordsPageInfo {
"""
The cursor that the next page of results should start from or `null` if this is the last page
"""
endCursor: String
"""
A boolean indicating whether more results exist
"""
hasNextPage: Boolean!
"""
A boolean indicating whether this is the first page of results or not
"""
hasPreviousPage: Boolean!
"""
The cursor that this page of results started from or `null` if this is the first page
"""
startCursor: String
}
"""
The shape of a data lake query results
"""
type DataLakeQueryResults {
"""
Metadata around the data lake columns returned in this page of results
"""
columnInfo: DataLakeQueryResultsColumnInfo!
"""
A list of paginated data lake result edges
"""
edges: [DataLakeQueryResultEdge!]!
"""
Metadata around this page of results
"""
pageInfo: DataLakeQueryResultRecordsPageInfo!
"""
Stats around the data lake or indicator search query results
"""
stats: DataLakeQueryStats!
"""
If true, caller should try again
"""
tryAgain: Boolean!
"""
Warning message about the results (e.g. truncation due to size limits)
"""
warningMessage: String
}
"""
Metadata related to the underlying database columns returned as part of a data lake or indicator search query
"""
type DataLakeQueryResultsColumnInfo {
"""
The ordered name of the columns as returned by the underlying database
"""
order: [String!]!
"""
A mapping of column name to column type. The type of each column is directly related to the underlying database
and varies from one backend to another (e.g. Snowflake, etc.)
"""
types: JSON!
}
"""
The input to the `results` field of the `DataLakeQuery` type
"""
input DataLakeQueryResultsInput {
"""
The pagination cursor used to fetch more pages. `null` if you're fetching the first page of results
"""
cursor: String
"""
The number of results that each page will contain. Defaults to the maximum value of 999.
"""
pageSize: Int = 999
}
"""
Data lake query execution stats
"""
type DataLakeQueryStats {
"""
The amount of data scanned (expressed in bytes) during this data lake or indicator query execution
"""
bytesScanned: Float!
"""
The amount of time (expressed in milliseconds) that the data lake or indicator search query ran for
"""
executionTime: Float!
"""
The the total number of rows returned by the query
"""
rowCount: Float!
}
"""
The available statuses for a data lake or indicator search query
"""
enum DataLakeQueryStatus {
"""
The status when the query was cancelled by the user
"""
cancelled
"""
The status when the query has errored out
"""
failed
"""
The status when the query is running
"""
running
"""
The status when the query has successfully completed
"""
succeeded
}
"""
A date in UTC with a format of YYYY-MM-DDThh:mm:ss.000Z.
"""
scalar DateTime
"""
Input for the deleteCloudAccount mutation
"""
input DeleteCloudAccountInput {
id: ID!
}
"""
Output for the deleteCloudAccounts mutation
"""
type DeleteCloudAccountOutput {
id: ID!
}
"""
The payload to the `deleteDetections` mutation
"""
input DeleteDetectionsInput {
"""
Preview what would be deleted, without deleting any detections
"""
dryRun: Boolean
"""
IDs of detections to be deleted
"""
ids: [ID!]!
"""
When true, deletes any saved queries associated with the detection
"""
includeSavedQueries: Boolean
}
"""
The response of the `deleteDetections` mutation
"""
type DeleteDetectionsOutput {
"""
IDs of detections that were deleted
If dryRun was set to True in the response, this will include IDs that would have been deleted.
"""
ids: [ID!]!
"""
Names of saved queries that were deleted
If dryRun was set to True in the request, this will include the names of Saved Queries that would have been deleted.
"""
savedQueryNames: [String!]
}
"""
The input to the deleteRole mutation
"""
input DeleteRoleInput {
"""
The ID of the role
"""
id: ID!
}
"""
The output to the deleteRole mutation
"""
type DeleteRoleOutput {
"""
The ID of the deleted role
"""
id: ID!
}
"""
The input to the 'deleteSavedQueriesByName' mutation
"""
input DeleteSavedQueriesByNameInput {
"""
Preview what would be deleted, without deleting any saved queries
"""
dryRun: Boolean
"""
When true, deletes any detections associated with the saved queries
"""
includeDetections: Boolean
"""
Saved Query names to be deleted
"""
names: [String!]!
}
"""
The output of the 'deleteSavedQueriesByName' mutation
"""
type DeleteSavedQueriesByNameOutput {
"""
The IDs of any Detections that were deleted
If dryRun was set to True in the response, this will include the IDs of Detections that would have been deleted.
"""
detectionIDs: [ID!]
"""
The names of the Saved Queries that were deleted
If dryRun was set to True in the response, this will include names of queries that would have been deleted.
"""
names: [String!]!
}
"""
Input for the deleteSource mutation
"""
input DeleteSourceInput {
id: ID!
}
"""
Output for the deleteSource mutation
"""
type DeleteSourceOutput {
id: ID!
}
"""
The input for the deleteUser mutation
"""
input DeleteUserInput {
"""
The ID of the user to delete
"""
id: ID!
}
"""
The return value of the Delete User mutation
"""
type DeleteUserOutput {
"""
The deleted Panther User object
"""
id: ID!
}
"""
Represents a Detection that has been deleted but still has alerts associated with it
"""
type DeletedDetection {
"""
The unique identifier of the Detection that generated this alert
"""
id: ID!
}
"""
A Panther detection that generates alerts
"""
type Detection {
"""
The date and time that this detection was created
"""
createdAt: DateTime!
"""
The actor that created this detection
"""
createdBy: Actor
"""
An extended description for this detection
"""
description: String
"""
The ID of this detection, which is typically human-readable
"""
id: ID!
"""
The publicly visible display name for this detection
"""
name: String!
"""
The type of this detection. Can be a Rule, a Scheduled Rule or a Policy
"""
type: DetectionType!
"""
The date and time that this detection was last updated
"""
updatedAt: DateTime
"""
The actor that was last to modify this detection
"""
updatedBy: Actor
}
"""
The response of the `uploadDetectionEntitiesStatus` query
"""
type DetectionEntitiesUploadStatusOutput {
"""
The time the detection entities upload was created
"""
createdAt: DateTime!
"""
If the detection entities upload failed, the error that occurred
"""
error: String
"""
The mode of the detection entities upload
"""
mode: UploadDetectionEntitiesMode!
"""
If the detection entities upload succeeded, the result of the upload
"""
result: UploadDetectionEntitiesOutput
"""
The current status of the detection entities upload
"""
status: UploadStatus!
"""
The time the detection entities upload was last updated
"""
updatedAt: DateTime!
}
"""
The types of detections that Panther supports
"""
enum DetectionType {
CORRELATION_RULE
DERIVED_RULE
POLICY
RULE
SCHEDULED_RULE
}
"""
Input to edit an inference stream
"""
input EditAIInferenceStreamInput {
"""
If set, the stream will be deleted (soft delete, can be undone and by default is not is not in listings)
"""
deleted: Boolean
"""
If set, the stream will be pinned
"""
pinned: Boolean
"""
If set, the stream will be private and not visible to other users
"""
private: Boolean
"""
If set, the stream will be saved (never expires)
"""
saved: Boolean
"""
The id of the stream to edit
"""
streamId: ID!
"""
If set, the name of the stream will be updated
"""
streamName: String
}
"""
The internationalized email address.Note: Up to 64
characters are allowed before and 255 characters are allowed after the
@ sign.
However, the generally accepted maximum length for an email address is 254 characters.
The pattern verifies that an unquoted @ sign exists.
minLength: 3
maxLength: 254
pattern: ^.+@[^\"\\-].+$.
"""
scalar Email
"""
Error type that can be returned by the API
"""
type Error {
"""
The error code that can be used to identify the error
"""
code: ErrorCode
"""
A human-readable message that describes the error
"""
message: String!
}
"""
The available error codes that can be returned by the API
"""
enum ErrorCode {
AlreadyExists
InvalidInput
NotFound
ServerError
}
"""
The input to a data lake query execution
"""
input ExecuteDataLakeQueryInput {
"""
The name of the database that the query should be executed against. This is optional you prefix all tables with
their corresponding database names in your SQL queries. Defaults to `panther_logs`
"""
databaseName: String = "panther_logs"
"""
The SQL code of the data lake query
"""
sql: String!
}
"""
The return value of a data lake query execution request
"""
type ExecuteDataLakeQueryOutput {
"""
The ID of the data lake sql query that started executing
"""
id: ID!
}
"""
The input to the indicator search query
"""
input ExecuteIndicatorSearchQueryInput {
"""
The databases to search (if empty all databases will be searched)
"""
databases: [String!]
"""
The end of the indicator search period
"""
endTime: DateTime!
"""
The type of the indicator to search for
"""
indicatorName: IndicatorType = AutoDetectType
"""
An array of indicators to search for
"""
indicators: [String!]!
"""
The start of the indicator search period
"""
startTime: DateTime!
"""
The tables to search (if empty all tables will be searched)
"""
tables: [String!]
}
"""
The return value of a data lake indicator search query execution request
"""
type ExecuteIndicatorSearchQueryOutput {
"""
The ID of the indicator search query that started executing
"""
id: ID!
}
"""
General Panther configuration settings
"""
type GeneralSettingsConfig {
"""
The currently deployed version of Panther
"""
pantherVersion: String
}
"""
The response of the 'getSchema' query
"""
type GetSchemaOutput {
"""
Error related to the schema
"""
error: Error
"""
Schema metadata
"""
schema: Schema
}
"""
The available indicator types used in an Indicator Search Query
"""
enum IndicatorType {
AutoDetectType
SimpleSearch
TextSearch
p_any_actor_ids
p_any_aws_account_ids
p_any_aws_arns
p_any_aws_instance_ids
p_any_aws_tags
p_any_cves
p_any_domain_names
p_any_emails
p_any_ip_addresses
p_any_mac_addresses
p_any_md5_hashes
p_any_mitre_attack_techniques
p_any_serial_numbers
p_any_sha1_hashes
p_any_sha256_hashes
p_any_trace_ids
p_any_usernames
}
"""
The input to invite a new User
"""
input InviteUserInput {
"""
The email address of the User
"""
email: Email!
"""
The family/last name of the User
"""
familyName: String!
"""
The given/first name of the User
"""
givenName: String!
"""
The ID or Name of the User's role
"""
role: UserRoleInput!
}
"""
The return value of the Invite User mutation
"""
type InviteUserOutput {
"""
The created Panther User object
"""
user: User!
}
"""
A JSON map of key/value pairs
"""
scalar JSON
"""
Represents a Log Source Integration
"""
interface LogIntegration {
"""
The time the S3 Log Source was created
"""
createdAtTime: DateTime!
"""
The actor who created the S3 Log Source
"""
createdBy: Actor
"""
The ID of the Log Source integration
"""
integrationId: ID!
"""
The name of the Log Source integration
"""
integrationLabel: String!
"""
The type of Log Source integration
"""
integrationType: String!
"""
True if the Log Source can be modified
"""
isEditable: Boolean!
"""
True if the Log Source is healthy
"""
isHealthy: Boolean!
"""
The timestamp of the last event processed
"""
lastEventProcessedAtTime: DateTime
"""
The timestamp of the last event received
"""
lastEventReceivedAtTime: DateTime
"""
The time the log source was last modified
"""
lastModified: DateTime
"""
The log types being ingested
"""
logTypes: [String!]!
}
"""
SeriesWithBreakdown, broken down by log source
"""
type LogSourceBreakdown {
"""
The name of the Log Source for which the series breakdown is given
"""
logSourceName: String!
"""
The metric time series data
"""
metricData: SeriesWithBreakdown!
}
"""
Enum representation of Log Stream types
"""
enum LogStreamType {
Auto
CloudWatchLogs
JSON
JsonArray
Lines
XML
}
"""
Options for the log stream type
"""
type LogStreamTypeOptions {
"""
Path to the array value to extract elements from, only applicable if logStreamType is JsonArray.
Leave empty if the input JSON is an array itself
"""
jsonArrayEnvelopeField: String
"""
When enabled, envelope metadata from CloudWatch Logs is preserved
in a p_header column on each unpacked event.
"""
retainEnvelopeFields: Boolean
"""
The root element name for XML streams, only applicable if logStreamType is XML.
Leave empty if the XML events are not enclosed in a root element
"""
xmlRootElement: String
}
"""
Input for the LogStreamTypeOptions
"""
input LogStreamTypeOptionsInput {
"""
Path to the array value to extract elements from, only applicable if logStreamType is JsonArray.
Leave empty if the input JSON is an array itself
"""
jsonArrayEnvelopeField: String
"""
When enabled, envelope metadata from CloudWatch Logs is preserved
in a p_header column on each unpacked event.
"""
retainEnvelopeFields: Boolean
"""
The root element name for XML streams, only applicable if logStreamType is XML.
Leave empty if the XML events are not enclosed in a root element
"""
xmlRootElement: String
}
"""
The supported types for log types access management
"""
enum LogTypeAccessKind {
"""
Allow access to selected log types
"""
ALLOW
"""
Allow access to all log types
"""
ALLOW_ALL
"""
Deny access to the selected log types
"""
DENY
"""
Deny access to all log types
"""
DENY_ALL
}
"""
An integer that can accept values that are bigger than 2^32
"""
scalar Long
"""
The input to the `metrics` query
"""
input MetricsInput {
"""
The start date for the metrics evaluation
"""
fromDate: DateTime!
"""
The interval between metric checks. Used for plotting charts.
Leave empty for automatic interval
"""
intervalInMinutes: Int
"""
The end date for the metrics evaluation
"""
toDate: DateTime!
}
"""
The output to the `metrics` query
"""
type MetricsOutput {
"""
The number of alerts corresponding to each rule
"""
alertsPerRule: [SeriesWithEntityID!]
"""
The number of alerts corresponding to each severity
"""
alertsPerSeverity: [SeriesWithBreakdown!]!
"""
The number of bytes that Panther ingested over the past year, for each individual log type
"""
bytesIngestedPerSource: [Series!]
"""
The number of bytes that Panther ingested over the queried time period, for each individual log type
"""
bytesProcessedPerSource: [SeriesWithBreakdown!]!
"""
The number of bytes that got queried via Panther for each individual source
"""
bytesQueriedPerSource: [SeriesWithBreakdown!]!
"""
The number of events that got processed for each log type
"""
eventsProcessedPerLogType: [SeriesWithBreakdown!]!
"""
The latency related to each log type
"""
latencyPerLogType: [Series!]
"""
The total number of alerts
"""
totalAlerts: Float!
"""
The total number of bytes that Panther ingested over the past year
"""
totalBytesIngested: Float!
"""
The total number of bytes that Panther ingested over the queried time period
"""
totalBytesProcessed: Float!
"""
The total number of bytes that got queried via Panther
"""
totalBytesQueried: Float!
"""
The total number of events (logs) that got processed
"""
totalEventsProcessed: Float!
}
"""
The top-level Mutation type. Mutations are used to make requests that create or modify data.
"""
type Mutation {
"""
Starts a detection rule replay inference in the background writing to inference stream, returns immediately
"""
aiReplayDetection(input: AIReplayDetectionInput!): AIInferenceStream!
"""
Starts inference in the background writing to inference stream, returns immediately
"""
aiSchemaInference(input: AISchemaInferenceInput!): AIInferenceStream!
"""
Starts an alert analysis inference in the background writing to inference stream, returns immediately
"""
aiSummarizeAlert(input: AISummarizeAlertInput!): AIInferenceStream!
"""
Starts a detection analysis inference in the background writing to inference stream, returns immediately
"""
aiSummarizeDetection(input: AISummarizeDetectionInput!): AIInferenceStream!
"""
Starts a log events analysis inference in the background writing to inference stream, returns immediately
"""
aiSummarizeLogEvents(input: AISummarizeLogEventsInput!): AIInferenceStream!
"""
Starts a query results analysis inference in the background writing to inference stream, returns immediately
"""
aiSummarizeQueryResults(input: AISummarizeQueryResultsInput!): AIInferenceStream!
"""
Cancels a running AI inference stream. The next per-fragment write from the
inference Lambda will fail its conditional check and unwind cleanly,
stopping the upstream model call. Idempotent: repeated calls are safe.
"""
cancelAIInferenceStream(input: CancelAIInferenceStreamInput!): AIInferenceStream!
"""
Cancels a data lake or indicator search query that's currently running
"""
cancelDataLakeQuery(input: CancelDataLakeQueryInput!): CancelDataLakeQueryOutput!
"""
Creates a comment on an Alert
"""
createAlertComment(input: CreateAlertCommentInput!): CreateAlertCommentOutput!
"""
Creates a Cloud Account
"""
createCloudAccount(input: CreateCloudAccountInput!): CreateCloudAccountOutput!
createOrUpdateSchema(input: CreateOrUpdateSchemaInput!): CreateOrUpdateSchemaOutput!
"""
Adds a new User role to Panther
"""
createRole(input: CreateRoleInput!): CreateRoleOutput!
"""
Creates an S3 Log Source
"""
createS3Source(input: CreateS3SourceInput!): CreateS3SourceOutput!
"""
Deletes a Cloud Account by ID
"""
deleteCloudAccount(input: DeleteCloudAccountInput!): DeleteCloudAccountOutput!
"""
Delete detections by ID
"""
deleteDetections(input: DeleteDetectionsInput!): DeleteDetectionsOutput!
"""
Deletes a user role
"""
deleteRole(input: DeleteRoleInput!): DeleteRoleOutput!
"""
Batch deletes a set of saved queries. Returns the names of the deleted queries.
"""
deleteSavedQueriesByName(input: DeleteSavedQueriesByNameInput!): DeleteSavedQueriesByNameOutput!
"""
Deletes a Log Source by ID
"""
deleteSource(input: DeleteSourceInput!): DeleteSourceOutput!
"""
Deletes a user
"""
deleteUser(input: DeleteUserInput!): DeleteUserOutput!
"""
Edits an inference stream
"""
editAIInferenceStream(input: EditAIInferenceStreamInput!): AIInferenceStream!
"""
Executes an SQL query against a selected data lake database
"""
executeDataLakeQuery(input: ExecuteDataLakeQueryInput!): ExecuteDataLakeQueryOutput!
"""
Executes an Indicator Search query against Panther's data lake
"""
executeIndicatorSearchQuery(
input: ExecuteIndicatorSearchQueryInput!
): ExecuteIndicatorSearchQueryOutput!
"""
Invites a new user
"""
inviteUser(input: InviteUserInput!): InviteUserOutput!
"""
Allows an API token to rotate itself without any additional permissions
"""
rotateAPIToken: RotateAPITokenOutput!
"""
Updates the status of one or more alerts via a list of IDs
"""
updateAlertStatusById(input: UpdateAlertStatusByIdInput!): UpdateAlertStatusByIdOutput!
"""
Updates the assignee of one or more alerts through the assignee's email
"""
updateAlertsAssigneeByEmail(
input: UpdateAlertsAssigneeByEmailInput!
): UpdateAlertsAssigneeByEmailOutput!
"""
Updates the assignee of one or more alerts through the the assignee's ID
"""
updateAlertsAssigneeById(input: UpdateAlertsAssigneeByIdInput!): UpdateAlertsAssigneeByIdOutput!
"""
Updates a Cloud Account
"""
updateCloudAccount(input: UpdateCloudAccountInput!): UpdateCloudAccountOutput!
"""
Updates a role's name or permissions
"""
updateRole(input: UpdateRoleInput!): UpdateRoleOutput!
"""
Updates an S3 Log Source
"""
updateS3Source(input: UpdateS3SourceInput!): UpdateS3SourceOutput!
updateSchemaStatus(input: UpdateSchemaStatusInput!): GetSchemaOutput!
"""
Updates the information for a user
"""
updateUser(input: UpdateUserInput!): UpdateUserOutput!
"""
Bulk updates detection entities via a base-64 encoded zip file
"""
uploadDetectionEntities(input: UploadDetectionEntitiesInput!): UploadDetectionEntitiesOutput
"""
Asynchronously bulk updates detection entities via a base-64 encoded zip file
"""
uploadDetectionEntitiesAsync(
input: UploadDetectionEntitiesAsyncInput!
): UploadDetectionEntitiesAsyncOutput
}
"""
T-shirt sizes for output
"""
enum OutputLength {
"""
Large output
"""
large
"""
Largest possible output
"""
largest
"""
Medium output
"""
medium
"""
Small output
"""
small
"""
Extra large output
"""
xlarge
"""
Extra small output
"""
xsmall
}
"""
The available permissions that an API Token or a Role (and thus a User) can hold
"""
enum Permission {
AIRunAsModify
AlertModify
AlertRead
BulkUpload
CloudsecSourceModify
CloudsecSourceRead
DataAnalyticsModify
DataAnalyticsRead
DestinationModify
DestinationRead
GeneralSettingsModify
GeneralSettingsRead
LogSourceModify
LogSourceRawDataRead
LogSourceRead
LookupModify
LookupRead
ManageAIResponses
NotificationsSend
OrganizationAPITokenModify
OrganizationAPITokenRead
PolicyModify
PolicyRead
ResourceModify
ResourceRead
RuleModify
RuleRead
RunPantherAI
SummaryRead
UserModify
UserRead
ViewAIPrivateResponses
}
"""
The top-level Query type. Queries are used to fetch data.
"""
type Query {
"""
Returns the output of an inference call (e.g., aiSummarizeLogEvents).
The streamId is the id of the stream where inference responses are written.
You may pass in the associated alias as the streamId.
Caller should poll until `finished` is true then check `error`.
"""
aiInferenceStream(streamId: String!): AIInferenceStream!
"""
Returns the results of a text search over all inference streams
"""
aiInferenceStreamTextSearch(
input: AIInferenceStreamTextSearchInput!
): AIInferenceStreamTextSearchResultList!
"""
Returns the metadata for up to 100 most recent inference streams by alias.
"""
aiInferenceStreamsMetadata(
input: AIInferenceStreamsMetadataInput!
): AIInferenceStreamsMetadataList!
"""
Returns the details of a Panther alert
"""
alert(id: ID!): Alert!
"""
Returns a filtered & paginated set of all Panther alerts.
"""
alerts(input: AlertsInput!): AlertsOutput!
"""
Returns a Cloud Account by ID
"""
cloudAccount(id: ID!): CloudAccount
"""
Returns all Cloud Accounts
"""
cloudAccounts(input: CloudAccountsInput): CloudAccountsOutput!
"""
Retrieves the details of a single data lake database
"""
dataLakeDatabase(name: String!): DataLakeDatabase!
"""
Retrieves the details of a table from a single data lake database
"""
dataLakeDatabaseTable(input: DataLakeDatabaseTableInput!): DataLakeDatabaseTable!
"""
Retrieves all tables from a single database
"""
dataLakeDatabaseTables(input: DataLakeDatabaseTablesInput!): DataLakeDatabaseTablesOutput!
"""
Lists the details of all available data lake databases
"""
dataLakeDatabases: [DataLakeDatabase!]!
"""
Returns a paginated list of all your previously executed data lake or indicator search queries
"""
dataLakeQueries(input: DataLakeQueriesInput): DataLakeQueriesOutput!
"""
Returns information about previously executed data lake or indicator search query. In the case of a query constructed through the query builder, specifying `root=true` will return the parent execution
"""
dataLakeQuery(id: ID!, root: Boolean = false): DataLakeQuery!
"""
Get the status of an asynchronous bulk upload of detection entities
"""
detectionEntitiesUploadStatus(receiptId: ID!): DetectionEntitiesUploadStatusOutput
"""
Returns Panther general settings
"""
generalSettings: GeneralSettingsConfig!
"""
Returns Data & Alert metrics about your Panther installation
"""
metrics(input: MetricsInput!): MetricsOutput!
"""
Returns a role matching the provided ID
"""
roleById(id: ID!): Role!
"""
Returns a role matching the provided case-insensitive name
"""
roleByName(name: String!): Role!
"""
Returns a list of Panther user roles
"""
roles(input: RolesInput): [Role!]!
schemas(input: SchemasInput!): SchemasOutput!
"""
Returns a Log Source by ID
"""
source(id: ID!): LogIntegration
"""
Returns all Log Sources
"""
sources(input: SourcesInput): SourcesOutput!
"""
Returns a single user by Email Address
"""
userByEmail(email: String!): User!
"""
Returns a single user by ID
"""
userById(id: ID!): User!
"""
Returns a list of Panther user accounts
"""
users: [User!]!
}
"""
The Panther component related to the System Error at hand
"""
enum RelatedComponent {
CLOUD_ACCOUNT
DESTINATION
DETECTION
ENRICHMENT
GIT_CONFIG
LOG_SOURCE
LOOKUP_TABLE
SAVED_QUERY
}
"""
A single risk or benign indicator with scoring information
"""
type RiskIndicator {
"""
Context weighting (0.0 to 1.0]
"""
contextWeighting: Float!
"""
Human-readable description of this indicator
"""
description: String!
"""
Evidence confidence (0.0 to 1.0]
"""
evidenceConfidence: Float!
"""
The risk score value (positive for risky, negative for benign)
"""
riskScore: Int!
"""
Temporal relevance (0.0 to 1.0]
"""
temporalRelevance: Float!
}
"""
Risk scoring evidence and analysis for an alert
"""
type RiskScoreEvidence {
"""
Formula used to calculate benign indicators score
"""
aggregateBenignIndicatorsFormula: String!
"""
Aggregate score for all benign indicators
"""
aggregateBenignIndicatorsScore: Float!
"""
Formula used to calculate risky indicators score
"""
aggregateRiskyIndicatorsFormula: String!
"""
Aggregate score for all risky indicators
"""
aggregateRiskyIndicatorsScore: Float!
"""
List of benign (low-risk) indicators
"""
benignIndicators: [RiskIndicator!]!
"""
Threshold at which the normalized score is classified as Benign (score <= threshold)
"""
benignThreshold: Float!
"""
Classification of the risk level (e.g., 'very_low_risk', 'low_risk', etc.)
"""
classification: String!
"""
Reasoning behind the classification
"""
classificationReasoning: String!
"""
Formula used to calculate normalized total risk score
"""
normalizedTotalRiskFormula: String!
"""
Normalized total risk score
"""
normalizedTotalRiskScore: Float!
"""
List of risky (high-risk) indicators
"""
riskyIndicators: [RiskIndicator!]!
"""
Threshold at which the normalized score is classified as Risky (score >= threshold)
"""
riskyThreshold: Float!
}
"""
The details of a Role entity in Panther
"""
type Role {
"""
Date and time when the Role got created
"""
createdAt: DateTime!
"""
The unique identifier of this Role
"""
id: ID!
"""
The set of log types the Role is allowed/denied access to, according to the `logTypeAccessKind` field.
Null if logTypeAccessKind is ALLOW_ALL or DENY_ALL.
"""
logTypeAccess: [String!]
"""
Indicates whether the Role is allowed or denied to query the selected log types
"""
logTypeAccessKind: LogTypeAccessKind!
"""
The name given to this Role
"""
name: String!
"""
The set of permissions associated with the Role (and it's holder)
"""
permissions: [Permission!]!
"""
Date and time when the Role got last updated
"""
updatedAt: Timestamp!
"""
The Actor that last updated this Role
"""
updatedBy: Actor
}
"""
The filter input to the Roles query
"""
input RolesInput {
"""
A string to search for in the Role name
"""
nameContains: String
"""
The sort direction of the results
"""
sortDir: SortDirEnum
}
"""
The output of rotating an API token
"""
type RotateAPITokenOutput {
"""
The rotated API token
"""
token: APIToken
}
"""
Represents an S3 Log Source Integration
"""
type S3LogIntegration implements LogIntegration {
"""
The ID of the AWS Account where the S3 Bucket is located
"""
awsAccountId: String!
"""
The time the S3 Log Source was created
"""
createdAtTime: DateTime!
"""
The actor who created the S3 Log Source
"""
createdBy: Actor
"""
The ID of the Log Source integration
"""
integrationId: ID!
"""
The name of the Log Source integration
"""
integrationLabel: String!
"""
The type of Log Source integration
"""
integrationType: String!
"""
True if the Log Source can be modified
"""
isEditable: Boolean!
"""
True if the Log Source is healthy
"""
isHealthy: Boolean!
"""
KMS key used to access the S3 Bucket
"""
kmsKey: String
"""
The timestamp of the last event processed
"""
lastEventProcessedAtTime: DateTime
"""
The timestamp of the last event received
"""
lastEventReceivedAtTime: DateTime
"""
The time the log source was last modified
"""
lastModified: DateTime
"""
The AWS Role used to access the S3 Bucket
"""
logProcessingRole: String
"""
The format of the log files being ingested
"""
logStreamType: LogStreamType
"""
Options for the log stream type
"""
logStreamTypeOptions: LogStreamTypeOptions
"""
The log types being ingested
"""
logTypes: [String!]!
"""
True if bucket notifications are being managed by Panther
"""
managedBucketNotifications: Boolean!
"""
The S3 Bucket name being ingested
"""
s3Bucket: String!
"""
The prefix on the S3 Bucket name being ingested
"""
s3Prefix: String
"""
Used to map prefixes to log types
"""
s3PrefixLogTypes: [S3PrefixLogTypes!]!
"""
The AWS stack name where Panther's log ingestion infrastructure is deployed
"""
stackName: String!
}
"""
Mapping of S3 prefixes to log types
"""
type S3PrefixLogTypes {
"""
S3 Prefixes to exclude
"""
excludedPrefixes: [String!]!
"""
Log types to map to prefix
"""
logTypes: [String!]!
"""
S3 Prefix to map to log types
"""
prefix: String!
}
"""
Mapping of S3 prefixes to log types
"""
input S3PrefixLogTypesInput {
"""
S3 Prefixes to exclude
"""
excludedPrefixes: [String!]!
"""
Log types to map to prefix
"""
logTypes: [String!]!
"""
S3 Prefix to map to log types
"""
prefix: String!
}
"""
Metadata that represents a schema
"""
type Schema {
"""
The time the schema was created
"""
createdAt: String!
"""
The description of the schema
"""
description: String
"""
The schema discovered spec
"""
discoveredSpec: String!
"""
True if the schema is archived
"""
isArchived: Boolean!
"""
A boolean indicating whether the automatic schema field discovery feature is enabled
"""
isFieldDiscoveryEnabled: Boolean!
"""
True if the schema is managed by a pack
"""
isManaged: Boolean!
"""
The name of the schema
"""
name: String!
"""
An optional field that can be used to reference documentation related to the schema
"""
referenceURL: String
"""
Revision number for the schema
"""
revision: Int!
"""
The schema spec in YAML or JSON format
"""
spec: String!
"""
The time the schema was last updated
"""
updatedAt: String
"""
The Version of the Schema. This is automatically incremented with every in-place change of the schema.
"""
version: Int!
}
"""
The payload to the `schemas` query
"""
input SchemasInput {
"""
Filter by name or by schema field name
"""
contains: String
"""
An opaque string used when paginating across multiple pages of results
Currently, pagination is not supported and this value will always be null
"""
cursor: String
"""
Filter by archive status. Leave empty to return all schemas
"""
isArchived: Boolean
"""
Filter used/not used schemas. Leave empty to return all schemas
"""
isInUse: Boolean
"""
Filter by pack managed schemas
"""
isManaged: Boolean
}
"""
The response of the 'schemas' query
"""
type SchemasOutput {
"""
A list of paginated schema edges
"""
edges: [SchemasOutputEdge!]!
"""
Metadata around this page of results
Currently, Schemas will only return 1 page of results
"""
pageInfo: SchemasOutputPageInfo!
}
"""
The edge shape of the `SchemaOutput` type
"""
type SchemasOutputEdge {
"""
A schema node
"""
node: Schema!
}
"""
The metadata around a page of results for the `schemas` query
"""
type SchemasOutputPageInfo {
"""
The cursor that the next page of results should start from or `null` if this is the last page
"""
endCursor: String
"""
A boolean indicating whether more results exist
"""
hasNextPage: Boolean!
"""
A boolean indicating whether this is the first page of results or not
"""
hasPreviousPage: Boolean!
"""
The cursor that this page of results started from or `null` if this is the first page
"""
startCursor: String
}
"""
A simple series represented as a label/value pair
"""
type Series {
"""
The label of this particular value
"""
label: String!
"""
The value for the label above
"""
value: Float!
}
"""
Same as `Series` with the addition of a timestamp breakdown. Useful for plotting charts.
"""
type SeriesWithBreakdown {
"""
A key/value pair that breaks down the `value` field to its constituents. Each key is a timestamp and each value is a
fraction of the (total) `value` above
"""
breakdown: JSON!
"""
The label of this particular value
"""
label: String!
"""
The (total) value for the label above
"""
value: Float!
}
"""
Same as `Series` with the addition of an Panther Entity ID. The ID can be mapped to any Panther entity, depending on the
field that uses the type
"""
type SeriesWithEntityID {
"""
The ID of an entity. Could be a Detection ID, a Resource ID, an Alert ID, etc. depending on the field that uses this
particular type
"""
entityId: ID!
"""
The label of this particular value
"""
label: String!
"""
The value for the label above
"""
value: Float!
}
"""
The available severity levels that can be associated with a detection or an alert
"""
enum Severity {
CRITICAL
HIGH
INFO
LOW
MEDIUM
}
"""
The highlight of a search result snippet
"""
type SnippetHighlight {
"""
The begin offset of the highlight (zero-based)
"""
beginOffset: Int!
"""
The end offset of the highlight (zero-based)
"""
endOffset: Int!
}
"""
Search result snippet of the matching text with highlights
"""
type SnippetWithHighlights {
"""
The highlights of the snippet
"""
highlights: [SnippetHighlight!]
"""
The text of the snippet
"""
text: String!
}
"""
The available sorting direction on a listing operation
"""
enum SortDirEnum {
ascending
descending
}
"""
Input for the sources query
"""
input SourcesInput {
cursor: String
}
"""
Output for the sources query
"""
type SourcesOutput {
"""
A list of paginated log source edges
"""
edges: [SourcesOutputEdge!]!
"""
Metadata around this page of results
"""
pageInfo: CursorBasedPaginationPageInfo!
}
"""
The edge shape of the `LogIntegration` source type
"""
type SourcesOutputEdge {
"""
A Log Source integration Node
"""
node: LogIntegration!
}
"""
The details of a System Error in Panther
"""
type SystemError {
"""
The component related to the particular system error
"""
relatedComponent: RelatedComponent!
"""
The type of this system error
"""
type: SystemErrorType!
}
"""
The types of system errors that Panther supports
"""
enum SystemErrorType {
ALERT_DELIVERY
DETECTION_ALERT_LIMIT_EXCEEDED
GIT_BULK_UPLOAD_FAILED
SOURCE_CLASSIFICATION_FAILURES
SOURCE_LOG_PROCESSING_ERRORS
SOURCE_NO_DATA
SOURCE_PERMISSIONS_CHECKS
SOURCE_SCANNING_ERRORS
}
"""
An [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601#Times) timestamp in UTC.
"""
scalar Timestamp
"""
The payload to the `updateAlertStatusById` mutation
"""
input UpdateAlertStatusByIdInput {
"""
A list of alert IDs to update the status for
"""
ids: [ID!]!
"""
The new/updated status that those alerts should have
"""
status: AlertStatus!
}
"""
The response of the updateAlertStatusById mutation
"""
type UpdateAlertStatusByIdOutput {
alerts: [Alert!]!
}
"""
The payload to the `updateAlertsAssigneeById` mutation.
"""
input UpdateAlertsAssigneeByEmailInput {
"""
If `assigneeEmail` is not provided, the alert is considered `Unassigned`.
"""
assigneeEmail: String
"""
A list of AlertIds that we are updating.
"""
ids: [ID!]!
}
"""
The response of the updateAlertsAssigneeByEmail mutation
"""
type UpdateAlertsAssigneeByEmailOutput {
alerts: [Alert!]!
}
"""
The payload to the `updateAlertsAssigneeById` mutation.
"""
input UpdateAlertsAssigneeByIdInput {
"""
If `assigneeId` is not provided, the alert is considered `Unassigned`.
"""
assigneeId: ID
"""
A list of AlertIds that we are updating.
"""
ids: [ID!]!
}
"""
The response of the updateAlertsAssigneeById mutation
"""
type UpdateAlertsAssigneeByIdOutput {
alerts: [Alert!]!
}
"""
Input for the UpdateCloudAccount mutation
"""
input UpdateCloudAccountInput {
"""
Regions to be ignored by scans of this cloud account
"""
awsRegionIgnoreList: [String!]
"""
Scan configuration options
"""
awsScanConfig: AWSScanConfigInput!
"""
The ID of the cloud account integration
"""
id: String!
"""
Label applied to the Cloud Account integration
"""
label: String!
"""
Resources that match this regex will be ignored by scans of this cloud account
"""
resourceRegexIgnoreList: [String!]
"""
Resource types to be ignored by scans of this cloud account
"""
resourceTypeIgnoreList: [String!]
}
"""
Output for the updateCloudAccount mutation
"""
type UpdateCloudAccountOutput {
"""
The cloud account after updates have been applied
"""
cloudAccount: CloudAccount!
}
"""
The input to the updateRole mutation
"""
input UpdateRoleInput {
"""
The ID of the role to update
"""
id: ID!
"""
The log types that the role can or cannot access, according to the `logTypeAccessKind` field. This field should be omitted if `logTypeAccessKind` has a value of `ALLOW_ALL` or `DENY_ALL`
"""
logTypeAccess: [String!]
"""
Defines the role's access to log types. This field is required and has effect only if the datalake RBAC feature is enabled.
"""
logTypeAccessKind: LogTypeAccessKind
"""
A new name for the role
"""
name: String
"""
An array of the role's new permissions
"""
permissions: [Permission!]
}
"""
The output to the updateRole mutation
"""
type UpdateRoleOutput {
"""
The updated role
"""
role: Role!
}
"""
Input for the updateS3Source mutation
"""
input UpdateS3SourceInput {
"""
The Id of the S3 Log Source
"""
id: String!
"""
The KMS key ARN. Only necessary if your bucket has KMS encryption
"""
kmsKey: String!
"""
The label of the S3 Log Source
"""
label: String!
"""
The IAM role ARN that Panther will assume to process data from this S3 bucket
"""
logProcessingRole: String!
"""
The stream type of the S3 Log Source
"""
logStreamType: LogStreamType!
"""
Options for the log stream type
"""
logStreamTypeOptions: LogStreamTypeOptionsInput
"""
True if bucket notifications should be managed by Panther
"""
managedBucketNotifications: Boolean!
"""
The S3 prefix settings of the S3 Log Source
"""
s3PrefixLogTypes: [S3PrefixLogTypesInput!]!
}
"""
Output for the updateS3LogSource mutation
"""
type UpdateS3SourceOutput {
logSource: S3LogIntegration!
}
"""
The payload to the `updateSchemaStatus` mutation
Used to toggle the archive state of a Custom Schema
"""
input UpdateSchemaStatusInput {
"""
The new archive state of the schema
"""
isArchived: Boolean!
"""
The name of the Custom Schema
"""
name: String!
}
"""
The input to the updateUser query
"""
input UpdateUserInput {
"""
The email address of the User
"""
email: Email
"""
The family/last Name of the User
"""
familyName: String
"""
The given/first name of the User
"""
givenName: String
"""
The unique identifier of this User
"""
id: ID!
"""
The ID or Name of the User's role
"""
role: UserRoleInput
}
"""
The return value of the Update User mutation
"""
type UpdateUserOutput {
"""
The updated Panther User object
"""
user: User!
}
"""
The payload to the `uploadDetectionEntitiesAsync` mutation
"""
input UploadDetectionEntitiesAsyncInput {
"""
Base64-encoded zipfile (up to 5MB) containing detection entities
"""
data: String!
"""
When true, the upload will be a dry run and no changes will be made
It is only applicable for the V2_ZIP mode
"""
dryRun: Boolean = false
"""
The mode of the upload. Defaults to CLASSIC_ZIP
"""
mode: UploadDetectionEntitiesMode = CLASSIC_ZIP
"""
Version of the panther_analysis_tool being used to upload
"""
patVersion: String
"""
Version of the pypanther tool being used to upload
"""
pypantherVersion: String
}
"""
The response of the `uploadDetectionEntitiesAsync` mutation
"""
type UploadDetectionEntitiesAsyncOutput {
"""
The receipt ID that can be used to check on the status of the upload
"""
receiptId: ID!
}
"""
The payload to the `uploadDetectionEntities` mutation
"""
input UploadDetectionEntitiesInput {
"""
Base64-encoded zipfile (up to 5MB) containing detection entities
"""
data: String!
"""
The mode of the upload. Defaults to CLASSIC_ZIP
"""
mode: UploadDetectionEntitiesMode = CLASSIC_ZIP
}
"""
The different modes available for uploading Detection entities
"""
enum UploadDetectionEntitiesMode {
"""
Classic ZIP file upload
"""
CLASSIC_ZIP
"""
V2 of the detection content, with class based detections
"""
V2_ZIP
}
"""
The response of the `uploadDetectionEntities` mutation
"""
type UploadDetectionEntitiesOutput {
correlationRules: UploadStatistics!
dataModels: UploadStatistics!
globalHelpers: UploadStatistics!
lookupTables: UploadStatistics!
policies: UploadStatistics!
queries: UploadStatistics!
rules: UploadStatistics!
skills: UploadStatistics!
}
"""
The statistics about entities uploaded
"""
type UploadStatistics {
"""
The number of items deleted
"""
deleted: Int!
"""
The IDs of the items deleted
"""
deletedIds: [ID!]
"""
The number of items modified
"""
modified: Int!
"""
The IDs of the items modified
"""
modifiedIds: [ID!]
"""
The number of items added
"""
new: Int!
"""
The IDs of the items added
"""
newIds: [ID!]
"""
The total number of items uploaded
"""
total: Int!
"""
The IDs of the total items uploaded
"""
totalIds: [ID!]
}
"""
The different modes available for uploading Detection entities
"""
enum UploadStatus {
"""
The detection entities upload has completed
"""
COMPLETED
"""
The detection entities upload has failed
"""
FAILED
"""
The detection entities upload has not yet been processed
"""
NOT_PROCESSED
}
"""
The details around a physical User entity in Panther
"""
type User {
"""
Date and time when the User got created
"""
createdAt: DateTime!
"""
The email address of the User
"""
email: Email!
"""
Whether the user is active or deactivated.
"""
enabled: Boolean!
"""
The family/last name of the User
"""
familyName: String
"""
The given/first name of the User
"""
givenName: String
"""
The unique identifier of this User
"""
id: ID!
"""
Date and time when the User last logged in. This value is null if the user has never logged in.
"""
lastLoggedInAt: DateTime
"""
The details of the Role that this User has
"""
role: Role!
"""
The Cognito auth-related status of this User
"""
status: String!
}
"""
The input to select a role by either ID or Name
"""
input UserRoleInput {
"""
The role field to search by
"""
kind: UserRoleInputKind!
"""
The value of the role field
"""
value: String!
}
"""
The role field to search by
"""
enum UserRoleInputKind {
ID
NAME
}