panther-labs · billyjbryant · Oct 9, 2025 · Oct 9, 2025 · Oct 9, 2025
@@ -0,0 +1,90 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "panther_policy Resource - terraform-provider-panther"
+subcategory: ""
+description: |-
+
+---
+
+# panther_policy (Resource)
+
+
+
+## Example Usage
+
+```terraform
+# Manage cloud security policy for resource compliance
+resource "panther_policy" "example" {
+  display_name = "S3 Bucket Encryption Policy"
+  body         = <<-EOT
+    def policy(resource):
+        # Check if S3 bucket has encryption enabled
+        encryption = resource.get('EncryptionConfiguration', {})
+        rules = encryption.get('Rules', [])
+        return len(rules) > 0
+  EOT
+  severity     = "MEDIUM"
+  description  = "Ensures S3 buckets have encryption enabled"
+  enabled      = true
+
+  resource_types = [
+    "AWS.S3.Bucket"
+  ]
+
+  tags = [
+    "compliance",
+    "encryption"
+  ]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `body` (String) The python body of the policy
+- `severity` (String)
+
+### Optional
+
+- `description` (String) The description of the policy
+- `display_name` (String) The display name of the policy
+- `enabled` (Boolean) Determines whether or not the policy is active
+- `managed` (Boolean) Determines if the policy is managed by panther
+- `output_ids` (List of String) Destination IDs that override default alert routing based on severity
+- `reports` (Map of List of String) Reports
+- `resource_types` (List of String) Resource types
+- `suppressions` (List of String) Resources to ignore via a pattern that matches the resource id
+- `tags` (List of String) The tags for the policy
+- `tests` (Attributes List) Unit tests for the Policy. Best practice is to include a positive and negative case (see [below for nested schema](#nestedatt--tests))
+
+### Read-Only
+
+- `created_at` (String)
+- `created_by` (Attributes) The actor who created the rule (see [below for nested schema](#nestedatt--created_by))
+- `created_by_external` (String) The text of the user-provided CreatedBy field when uploaded via CI/CD
+- `id` (String) The ID of this resource.
+- `last_modified` (String)
+
+<a id="nestedatt--tests"></a>
+### Nested Schema for `tests`
+
+Required:
+
+- `expected_result` (Boolean) The expected result
+- `name` (String) name
+- `resource` (String) resource
+
+Optional:
+
+- `mocks` (List of Map of String) mocks
+
+
+<a id="nestedatt--created_by"></a>
+### Nested Schema for `created_by`
+
+Read-Only:
+
+- `id` (String)
+- `type` (String)
@@ -0,0 +1,87 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "panther_rule Resource - terraform-provider-panther"
+subcategory: ""
+description: |-
+
+---
+
+# panther_rule (Resource)
+
+
+
+## Example Usage
+
+```terraform
+# Manage detection rule for log analysis
+resource "panther_rule" "example" {
+  display_name         = ""
+  body                 = ""
+  severity             = ""
+  description          = ""
+  enabled              = true
+  dedup_period_minutes = 60
+  log_types = [
+    ""
+  ]
+  tags = [
+    ""
+  ]
+  runbook = ""
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `body` (String) The python body of the rule
+- `severity` (String)
+
+### Optional
+
+- `dedup_period_minutes` (Number) The amount of time in minutes for grouping alerts
+- `description` (String) The description of the rule
+- `display_name` (String) The display name of the rule
+- `enabled` (Boolean) Determines whether or not the rule is active
+- `inline_filters` (String) The filter for the rule represented in YAML
+- `log_types` (List of String) log types
+- `managed` (Boolean) Determines if the rule is managed by panther
+- `output_ids` (List of String) Destination IDs that override default alert routing based on severity
+- `reports` (Map of List of String) reports
+- `runbook` (String) How to handle the generated alert
+- `summary_attributes` (List of String) A list of fields in the event to create top 5 summaries for
+- `tags` (List of String) The tags for the rule
+- `tests` (Attributes List) Unit tests for the Rule. Best practice is to include a positive and negative case (see [below for nested schema](#nestedatt--tests))
+- `threshold` (Number) the number of events that must match before an alert is triggered
+
+### Read-Only
+
+- `created_at` (String)
+- `created_by` (Attributes) The actor who created the rule (see [below for nested schema](#nestedatt--created_by))
+- `created_by_external` (String) The text of the user-provided CreatedBy field when uploaded via CI/CD
+- `id` (String) The ID of this resource.
+- `last_modified` (String)
+
+<a id="nestedatt--tests"></a>
+### Nested Schema for `tests`
+
+Required:
+
+- `expected_result` (Boolean) The expected result
+- `name` (String) name
+- `resource` (String) resource
+
+Optional:
+
+- `mocks` (List of Map of String) mocks
+
+
+<a id="nestedatt--created_by"></a>
+### Nested Schema for `created_by`
+
+Read-Only:
+
+- `id` (String)
+- `type` (String)
@@ -0,0 +1,96 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "panther_scheduled_rule Resource - terraform-provider-panther"
+subcategory: ""
+description: |-
+
+---
+
+# panther_scheduled_rule (Resource)
+
+
+
+## Example Usage
+
+```terraform
+# Manage scheduled detection rule for query results
+resource "panther_scheduled_rule" "example" {
+  display_name         = "High Volume Failed Logins"
+  body                 = <<-EOT
+    def rule(event):
+        # Check if query results exceed threshold
+        failed_count = event.get('failed_login_count', 0)
+        return failed_count > 10
+  EOT
+  severity             = "HIGH"
+  description          = "Detects high volume of failed login attempts from scheduled query"
+  enabled              = true
+  dedup_period_minutes = 60
+  threshold            = 1
+
+  scheduled_queries = [
+    "failed-login-aggregation-query"
+  ]
+
+  tags = [
+    "authentication",
+    "security"
+  ]
+
+  runbook = "Investigate the source IPs and user accounts for potential brute force attacks"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `body` (String) The python body of the scheduled rule
+- `severity` (String)
+
+### Optional
+
+- `dedup_period_minutes` (Number) The amount of time in minutes for grouping alerts
+- `description` (String) The description of the scheduled rule
+- `display_name` (String) The display name of the scheduled rule
+- `enabled` (Boolean) Determines whether or not the scheduled rule is active
+- `managed` (Boolean) Determines if the scheduled rule is managed by panther
+- `output_ids` (List of String) Destination IDs that override default alert routing based on severity
+- `reports` (Map of List of String) reports
+- `runbook` (String) How to handle the generated alert
+- `scheduled_queries` (List of String) the queries that this scheduled rule utilizes
+- `summary_attributes` (List of String) A list of fields in the event to create top 5 summaries for
+- `tags` (List of String) The tags for the scheduled rule
+- `tests` (Attributes List) Unit tests for the Rule. Best practice is to include a positive and negative case (see [below for nested schema](#nestedatt--tests))
+- `threshold` (Number) the number of events that must match before an alert is triggered
+
+### Read-Only
+
+- `created_at` (String)
+- `created_by` (Attributes) The actor who created the rule (see [below for nested schema](#nestedatt--created_by))
+- `created_by_external` (String) The text of the user-provided CreatedBy field when uploaded via CI/CD
+- `id` (String) The ID of this resource.
+- `last_modified` (String)
+
+<a id="nestedatt--tests"></a>
+### Nested Schema for `tests`
+
+Required:
+
+- `expected_result` (Boolean) The expected result
+- `name` (String) name
+- `resource` (String) resource
+
+Optional:
+
+- `mocks` (List of Map of String) mocks
+
+
+<a id="nestedatt--created_by"></a>
+### Nested Schema for `created_by`
+
+Read-Only:
+
+- `id` (String)
+- `type` (String)
@@ -0,0 +1,114 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "panther_simple_rule Resource - terraform-provider-panther"
+subcategory: ""
+description: |-
+
+---
+
+# panther_simple_rule (Resource)
+
+
+
+## Example Usage
+
+```terraform
+# Manage simple detection rule with YAML-based detection
+resource "panther_simple_rule" "example" {
+  display_name         = "AWS Console Login Detection"
+  detection            = <<-EOT
+    MatchFilters:
+      - Key: eventName
+        Condition: Equals
+        Values:
+          - ConsoleLogin
+      - Key: userIdentity.type
+        Condition: Equals
+        Values:
+          - IAMUser
+  EOT
+  severity             = "CRITICAL"
+  description          = "Detects AWS console login events from IAM users"
+  enabled              = true
+  dedup_period_minutes = 60
+  threshold            = 1
+
+  log_types = [
+    "AWS.CloudTrail"
+  ]
+
+  tags = [
+    "authentication",
+    "aws"
+  ]
+
+  alert_title   = "AWS Console Login: {{p_any_aws_account_ids}}"
+  alert_context = <<-EOT
+    User: {{userIdentity.userName}}
+    Source IP: {{sourceIPAddress}}
+  EOT
+
+  runbook = "Verify the login is legitimate and investigate if from unexpected location"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `detection` (String) The yaml representation of the rule
+- `severity` (String)
+
+### Optional
+
+- `alert_context` (String) The alert context represented in YAML
+- `alert_title` (String) The alert title represented in YAML
+- `dedup_period_minutes` (Number) The amount of time in minutes for grouping alerts
+- `description` (String) The description of the rule
+- `display_name` (String) The display name of the rule
+- `dynamic_severities` (String) The dynamic severity represented in YAML
+- `enabled` (Boolean) Determines whether or not the rule is active
+- `group_by` (String) The key on an event to group by represented in YAML
+- `includepython` (Boolean) determines if associated python for the generated rule is returned
+- `inline_filters` (String) The filter for the rule represented in YAML
+- `log_types` (List of String) log types
+- `managed` (Boolean) Determines if the simple rule is managed by panther
+- `output_ids` (List of String) Destination IDs that override default alert routing based on severity
+- `python_body` (String) The python body of the rule
+- `reports` (Map of List of String) reports
+- `runbook` (String) How to handle the generated alert
+- `summary_attributes` (List of String) A list of fields in the event to create top 5 summaries for
+- `tags` (List of String) The tags for the simple rule
+- `tests` (Attributes List) Unit tests for the Rule. Best practice is to include a positive and negative case (see [below for nested schema](#nestedatt--tests))
+- `threshold` (Number) the number of events that must match before an alert is triggered
+
+### Read-Only
+
+- `created_at` (String)
+- `created_by` (Attributes) The actor who created the rule (see [below for nested schema](#nestedatt--created_by))
+- `created_by_external` (String) The text of the user-provided CreatedBy field when uploaded via CI/CD
+- `id` (String) The ID of this resource.
+- `last_modified` (String)
+
+<a id="nestedatt--tests"></a>
+### Nested Schema for `tests`
+
+Required:
+
+- `expected_result` (Boolean) The expected result
+- `name` (String) name
+- `resource` (String) resource
+
+Optional:
+
+- `mocks` (List of Map of String) mocks
+
+
+<a id="nestedatt--created_by"></a>
+### Nested Schema for `created_by`
+
+Read-Only:
+
+- `id` (String)
+- `type` (String)