# 룰 ## 개요 이러한 API 작업을 사용하여 상호작용합니다 [룰](https://docs.panther.com/ko/detections/rules) Panther에서. 룰 API 엔터티는 다음에만 적용됩니다 [Python 룰](https://docs.panther.com/ko/detections/rules/python)로 생성된 룰과 상호작용하려면 [Simple/YAML](https://docs.panther.com/ko/detections#simple-detections) 룰, 참조: [단순 룰](https://docs.panther.com/ko/panther/api/rest/simple-rules). API를 호출하려면, 다음을 참조하세요 [Panther REST API 사용 방법](https://docs.panther.com/ko/panther/api/rest/..#how-to-use-the-panther-rest-api) 지침—포함하여 [이 문서 페이지에서 직접 호출하는 방법에 대한 지침](https://docs.panther.com/ko/panther/api/rest/..#step-3-invoke-the-panther-rest-api). ## 필수 권한 * 에 대해 `GET` 작업의 경우, API 토큰에는 `룰 보기` 권한이 있어야 합니다. * 에 대해 `POST`, `PUT`그리고 `DELETE` 작업의 경우, API 토큰에는 `룰 관리` 권한이 있어야 합니다. ## 작업 {% hint style="info" %} 아래의 API 엔드포인트는 Python 기반 룰 전용입니다. 다른 디텍션 유형과 상호작용하려면 해당 페이지를 참조하세요: [스케줄된 룰](https://docs.panther.com/panther-developer-workflows/api/rest/scheduled-rules), [간단한 디텍션](https://docs.panther.com/panther-developer-workflows/api/rest/simple-rules)그리고 [클라우드 정책](https://docs.panther.com/panther-developer-workflows/api/rest/policies). {% endhint %} ## POST /rules > create rule ```json {"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"rule","description":"The rule api handles all operations for rules"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"RuleAPI.ModifyRule":{"type":"object","properties":{"body":{"type":"string","description":"The python body of the rule"},"createAlert":{"type":"boolean","description":"Determines whether the rule should create alerts when it triggers"},"dedupPeriodMinutes":{"type":"integer","description":"The amount of time in minutes for grouping alerts","default":60,"format":"int64","minimum":1},"description":{"type":"string","description":"The description of the rule"},"displayName":{"type":"string","description":"The display name of the rule"},"enabled":{"type":"boolean","description":"Determines whether or not the rule is active"},"id":{"type":"string","description":"The id of the rule"},"inlineFilters":{"type":"string","description":"The filter for the rule represented in YAML"},"logTypes":{"type":"array","items":{"type":"string"},"description":"log types"},"managed":{"type":"boolean","description":"Determines if the rule is managed by panther"},"outputIDs":{"type":"array","items":{"type":"string"},"description":"Destination IDs that override default alert routing based on severity"},"reference":{"type":"string","description":"A URL or note for additional reference material"},"reports":{"type":"object","description":"reports","additionalProperties":{"items":{"type":"string"},"type":"array"}},"runbook":{"type":"string","description":"How to handle the generated alert"},"severity":{"type":"string","enum":["INFO","LOW","MEDIUM","HIGH","CRITICAL"]},"summaryAttributes":{"type":"array","items":{"type":"string"},"description":"A list of fields in the event to create top 5 summaries for"},"tags":{"type":"array","items":{"type":"string"},"description":"The tags for the rule"},"tests":{"type":"array","items":{"$ref":"#/components/schemas/RuleAPI.UnitTest"},"description":"Unit tests for the Rule. Best practice is to include a positive and negative case"},"threshold":{"type":"integer","description":"the number of events that must match before an alert is triggered","default":1,"format":"int64","minimum":1}},"required":["id","body","severity"]},"RuleAPI.UnitTest":{"type":"object","properties":{"expectedResult":{"type":"boolean","description":"The expected result"},"mocks":{"type":"array","items":{"$ref":"#/components/schemas/RuleAPI.UnitTestMock"},"description":"mocks"},"name":{"type":"string","description":"name"},"resource":{"type":"string","description":"resource"}},"required":["name","resource","expectedResult"]},"RuleAPI.UnitTestMock":{"type":"object","additionalProperties":{"type":"string"}},"RuleAPI.Rule":{"type":"object","properties":{"body":{"type":"string","description":"The python body of the rule"},"createAlert":{"type":"boolean","description":"Determines whether the rule should create alerts when it triggers"},"createdAt":{"type":"string"},"createdBy":{"type":"object","properties":{"id":{"type":"string","enum":["user","api-token","system"]},"type":{"type":"string"}},"description":"The actor who created the rule"},"createdByExternal":{"type":"string","description":"The text of the user-provided CreatedBy field when uploaded via CI/CD"},"dedupPeriodMinutes":{"type":"integer","description":"The amount of time in minutes for grouping alerts","default":60,"format":"int64","minimum":1},"description":{"type":"string","description":"The description of the rule"},"displayName":{"type":"string","description":"The display name of the rule"},"enabled":{"type":"boolean","description":"Determines whether or not the rule is active"},"id":{"type":"string","description":"The id of the rule"},"inlineFilters":{"type":"string","description":"The filter for the rule represented in YAML"},"lastModified":{"type":"string"},"logTypes":{"type":"array","items":{"type":"string"},"description":"log types"},"managed":{"type":"boolean","description":"Determines if the rule is managed by panther"},"outputIDs":{"type":"array","items":{"type":"string"},"description":"Destination IDs that override default alert routing based on severity"},"reference":{"type":"string","description":"A URL or note for additional reference material"},"reports":{"type":"object","description":"reports","additionalProperties":{"items":{"type":"string"},"type":"array"}},"runbook":{"type":"string","description":"How to handle the generated alert"},"severity":{"type":"string","enum":["INFO","LOW","MEDIUM","HIGH","CRITICAL"]},"summaryAttributes":{"type":"array","items":{"type":"string"},"description":"A list of fields in the event to create top 5 summaries for"},"tags":{"type":"array","items":{"type":"string"},"description":"The tags for the rule"},"tests":{"type":"array","items":{"$ref":"#/components/schemas/RuleAPI.UnitTest"},"description":"Unit tests for the Rule. Best practice is to include a positive and negative case"},"threshold":{"type":"integer","description":"the number of events that must match before an alert is triggered","default":1,"format":"int64","minimum":1}}},"RuleAPI.BadRequestWithTestResultsErr":{"type":"object","properties":{"message":{"type":"string"},"testResults":{"type":"array","items":{"$ref":"#/components/schemas/RuleAPI.TestDetectionRecord"}}},"required":["message"]},"RuleAPI.TestDetectionRecord":{"type":"object","properties":{"error":{"$ref":"#/components/schemas/RuleAPI.TestErr"},"errored":{"type":"boolean"},"functions":{"$ref":"#/components/schemas/RuleAPI.TestDetectionRecordFunctions"},"name":{"type":"string"},"passed":{"type":"boolean"},"triggerAlert":{"type":"boolean"}}},"RuleAPI.TestErr":{"type":"object","properties":{"code":{"type":"string"},"message":{"type":"string"}}},"RuleAPI.TestDetectionRecordFunctions":{"type":"object","properties":{"alertContext":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"dedup":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"description":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"destinations":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"detection":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"reference":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"runbook":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"severity":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"title":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"}}},"RuleAPI.TestDetectionSubRecord":{"type":"object","properties":{"error":{"$ref":"#/components/schemas/RuleAPI.TestErr"},"output":{"type":"string"}}},"RuleAPI.ExistsError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"paths":{"/rules":{"post":{"tags":["rule"],"summary":"create rule","operationId":"rule#create","parameters":[{"name":"run-tests-first","in":"query","description":"set this field to false to exclude running tests prior to saving","allowEmptyValue":true,"schema":{"type":"boolean","description":"set this field to false to exclude running tests prior to saving","default":true}},{"name":"run-tests-only","in":"query","description":"set this field to true if you want to run tests without saving","allowEmptyValue":true,"schema":{"type":"boolean","description":"set this field to true if you want to run tests without saving","default":false}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RuleAPI.ModifyRule"}}}},"responses":{"200":{"description":"OK response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RuleAPI.Rule"}}}},"204":{"description":"No Content response."},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RuleAPI.BadRequestWithTestResultsErr"}}}},"409":{"description":"exists: Conflict response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RuleAPI.ExistsError"}}}}}}}}} ``` ## GET /rules/{id} > get rule ```json {"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"rule","description":"The rule api handles all operations for rules"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"RuleAPI.Rule":{"type":"object","properties":{"body":{"type":"string","description":"The python body of the rule"},"createAlert":{"type":"boolean","description":"Determines whether the rule should create alerts when it triggers"},"createdAt":{"type":"string"},"createdBy":{"type":"object","properties":{"id":{"type":"string","enum":["user","api-token","system"]},"type":{"type":"string"}},"description":"The actor who created the rule"},"createdByExternal":{"type":"string","description":"The text of the user-provided CreatedBy field when uploaded via CI/CD"},"dedupPeriodMinutes":{"type":"integer","description":"The amount of time in minutes for grouping alerts","default":60,"format":"int64","minimum":1},"description":{"type":"string","description":"The description of the rule"},"displayName":{"type":"string","description":"The display name of the rule"},"enabled":{"type":"boolean","description":"Determines whether or not the rule is active"},"id":{"type":"string","description":"The id of the rule"},"inlineFilters":{"type":"string","description":"The filter for the rule represented in YAML"},"lastModified":{"type":"string"},"logTypes":{"type":"array","items":{"type":"string"},"description":"log types"},"managed":{"type":"boolean","description":"Determines if the rule is managed by panther"},"outputIDs":{"type":"array","items":{"type":"string"},"description":"Destination IDs that override default alert routing based on severity"},"reference":{"type":"string","description":"A URL or note for additional reference material"},"reports":{"type":"object","description":"reports","additionalProperties":{"items":{"type":"string"},"type":"array"}},"runbook":{"type":"string","description":"How to handle the generated alert"},"severity":{"type":"string","enum":["INFO","LOW","MEDIUM","HIGH","CRITICAL"]},"summaryAttributes":{"type":"array","items":{"type":"string"},"description":"A list of fields in the event to create top 5 summaries for"},"tags":{"type":"array","items":{"type":"string"},"description":"The tags for the rule"},"tests":{"type":"array","items":{"$ref":"#/components/schemas/RuleAPI.UnitTest"},"description":"Unit tests for the Rule. Best practice is to include a positive and negative case"},"threshold":{"type":"integer","description":"the number of events that must match before an alert is triggered","default":1,"format":"int64","minimum":1}}},"RuleAPI.UnitTest":{"type":"object","properties":{"expectedResult":{"type":"boolean","description":"The expected result"},"mocks":{"type":"array","items":{"$ref":"#/components/schemas/RuleAPI.UnitTestMock"},"description":"mocks"},"name":{"type":"string","description":"name"},"resource":{"type":"string","description":"resource"}},"required":["name","resource","expectedResult"]},"RuleAPI.UnitTestMock":{"type":"object","additionalProperties":{"type":"string"}},"RuleAPI.NotFoundError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"paths":{"/rules/{id}":{"get":{"tags":["rule"],"summary":"get rule","operationId":"rule#get","parameters":[{"name":"id","in":"path","description":"ID of the rule to fetch","required":true,"schema":{"type":"string","description":"ID of the rule to fetch"}}],"responses":{"200":{"description":"OK response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RuleAPI.Rule"}}}},"404":{"description":"not_found: Not Found response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RuleAPI.NotFoundError"}}}}}}}}} ``` ## put rule > put creates or updates a rule ```json {"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"rule","description":"The rule api handles all operations for rules"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"RuleAPI.ModifyRule":{"type":"object","properties":{"body":{"type":"string","description":"The python body of the rule"},"createAlert":{"type":"boolean","description":"Determines whether the rule should create alerts when it triggers"},"dedupPeriodMinutes":{"type":"integer","description":"The amount of time in minutes for grouping alerts","default":60,"format":"int64","minimum":1},"description":{"type":"string","description":"The description of the rule"},"displayName":{"type":"string","description":"The display name of the rule"},"enabled":{"type":"boolean","description":"Determines whether or not the rule is active"},"id":{"type":"string","description":"The id of the rule"},"inlineFilters":{"type":"string","description":"The filter for the rule represented in YAML"},"logTypes":{"type":"array","items":{"type":"string"},"description":"log types"},"managed":{"type":"boolean","description":"Determines if the rule is managed by panther"},"outputIDs":{"type":"array","items":{"type":"string"},"description":"Destination IDs that override default alert routing based on severity"},"reference":{"type":"string","description":"A URL or note for additional reference material"},"reports":{"type":"object","description":"reports","additionalProperties":{"items":{"type":"string"},"type":"array"}},"runbook":{"type":"string","description":"How to handle the generated alert"},"severity":{"type":"string","enum":["INFO","LOW","MEDIUM","HIGH","CRITICAL"]},"summaryAttributes":{"type":"array","items":{"type":"string"},"description":"A list of fields in the event to create top 5 summaries for"},"tags":{"type":"array","items":{"type":"string"},"description":"The tags for the rule"},"tests":{"type":"array","items":{"$ref":"#/components/schemas/RuleAPI.UnitTest"},"description":"Unit tests for the Rule. Best practice is to include a positive and negative case"},"threshold":{"type":"integer","description":"the number of events that must match before an alert is triggered","default":1,"format":"int64","minimum":1}},"required":["id","body","severity"]},"RuleAPI.UnitTest":{"type":"object","properties":{"expectedResult":{"type":"boolean","description":"The expected result"},"mocks":{"type":"array","items":{"$ref":"#/components/schemas/RuleAPI.UnitTestMock"},"description":"mocks"},"name":{"type":"string","description":"name"},"resource":{"type":"string","description":"resource"}},"required":["name","resource","expectedResult"]},"RuleAPI.UnitTestMock":{"type":"object","additionalProperties":{"type":"string"}},"RuleAPI.Rule":{"type":"object","properties":{"body":{"type":"string","description":"The python body of the rule"},"createAlert":{"type":"boolean","description":"Determines whether the rule should create alerts when it triggers"},"createdAt":{"type":"string"},"createdBy":{"type":"object","properties":{"id":{"type":"string","enum":["user","api-token","system"]},"type":{"type":"string"}},"description":"The actor who created the rule"},"createdByExternal":{"type":"string","description":"The text of the user-provided CreatedBy field when uploaded via CI/CD"},"dedupPeriodMinutes":{"type":"integer","description":"The amount of time in minutes for grouping alerts","default":60,"format":"int64","minimum":1},"description":{"type":"string","description":"The description of the rule"},"displayName":{"type":"string","description":"The display name of the rule"},"enabled":{"type":"boolean","description":"Determines whether or not the rule is active"},"id":{"type":"string","description":"The id of the rule"},"inlineFilters":{"type":"string","description":"The filter for the rule represented in YAML"},"lastModified":{"type":"string"},"logTypes":{"type":"array","items":{"type":"string"},"description":"log types"},"managed":{"type":"boolean","description":"Determines if the rule is managed by panther"},"outputIDs":{"type":"array","items":{"type":"string"},"description":"Destination IDs that override default alert routing based on severity"},"reference":{"type":"string","description":"A URL or note for additional reference material"},"reports":{"type":"object","description":"reports","additionalProperties":{"items":{"type":"string"},"type":"array"}},"runbook":{"type":"string","description":"How to handle the generated alert"},"severity":{"type":"string","enum":["INFO","LOW","MEDIUM","HIGH","CRITICAL"]},"summaryAttributes":{"type":"array","items":{"type":"string"},"description":"A list of fields in the event to create top 5 summaries for"},"tags":{"type":"array","items":{"type":"string"},"description":"The tags for the rule"},"tests":{"type":"array","items":{"$ref":"#/components/schemas/RuleAPI.UnitTest"},"description":"Unit tests for the Rule. Best practice is to include a positive and negative case"},"threshold":{"type":"integer","description":"the number of events that must match before an alert is triggered","default":1,"format":"int64","minimum":1}}},"RuleAPI.BadRequestWithTestResultsErr":{"type":"object","properties":{"message":{"type":"string"},"testResults":{"type":"array","items":{"$ref":"#/components/schemas/RuleAPI.TestDetectionRecord"}}},"required":["message"]},"RuleAPI.TestDetectionRecord":{"type":"object","properties":{"error":{"$ref":"#/components/schemas/RuleAPI.TestErr"},"errored":{"type":"boolean"},"functions":{"$ref":"#/components/schemas/RuleAPI.TestDetectionRecordFunctions"},"name":{"type":"string"},"passed":{"type":"boolean"},"triggerAlert":{"type":"boolean"}}},"RuleAPI.TestErr":{"type":"object","properties":{"code":{"type":"string"},"message":{"type":"string"}}},"RuleAPI.TestDetectionRecordFunctions":{"type":"object","properties":{"alertContext":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"dedup":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"description":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"destinations":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"detection":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"reference":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"runbook":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"severity":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"title":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"}}},"RuleAPI.TestDetectionSubRecord":{"type":"object","properties":{"error":{"$ref":"#/components/schemas/RuleAPI.TestErr"},"output":{"type":"string"}}}}},"paths":{"/rules/{id}":{"put":{"tags":["rule"],"summary":"put rule","description":"put creates or updates a rule","operationId":"rule#put","parameters":[{"name":"run-tests-first","in":"query","description":"set this field to false to exclude running tests prior to saving","allowEmptyValue":true,"schema":{"type":"boolean","description":"set this field to false to exclude running tests prior to saving","default":true}},{"name":"run-tests-only","in":"query","description":"set this field to true if you want to run tests without saving","allowEmptyValue":true,"schema":{"type":"boolean","description":"set this field to true if you want to run tests without saving","default":false}},{"name":"id","in":"path","description":"the id of the rule","required":true,"schema":{"type":"string","description":"the id of the rule"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RuleAPI.ModifyRule"}}}},"responses":{"200":{"description":"200 returned if the item already existed","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RuleAPI.Rule"}}}},"201":{"description":"201 returned if the item was created","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RuleAPI.Rule"}}}},"204":{"description":"No Content response."},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RuleAPI.BadRequestWithTestResultsErr"}}}}}}}}} ``` ## DELETE /rules/{id} > delete rule ```json {"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"rule","description":"The rule api handles all operations for rules"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"RuleAPI.BadRequestWithTestResultsErr":{"type":"object","properties":{"message":{"type":"string"},"testResults":{"type":"array","items":{"$ref":"#/components/schemas/RuleAPI.TestDetectionRecord"}}},"required":["message"]},"RuleAPI.TestDetectionRecord":{"type":"object","properties":{"error":{"$ref":"#/components/schemas/RuleAPI.TestErr"},"errored":{"type":"boolean"},"functions":{"$ref":"#/components/schemas/RuleAPI.TestDetectionRecordFunctions"},"name":{"type":"string"},"passed":{"type":"boolean"},"triggerAlert":{"type":"boolean"}}},"RuleAPI.TestErr":{"type":"object","properties":{"code":{"type":"string"},"message":{"type":"string"}}},"RuleAPI.TestDetectionRecordFunctions":{"type":"object","properties":{"alertContext":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"dedup":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"description":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"destinations":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"detection":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"reference":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"runbook":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"severity":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"},"title":{"$ref":"#/components/schemas/RuleAPI.TestDetectionSubRecord"}}},"RuleAPI.TestDetectionSubRecord":{"type":"object","properties":{"error":{"$ref":"#/components/schemas/RuleAPI.TestErr"},"output":{"type":"string"}}},"RuleAPI.NotFoundError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"paths":{"/rules/{id}":{"delete":{"tags":["rule"],"summary":"delete rule","operationId":"rule#delete","parameters":[{"name":"id","in":"path","description":"ID of the rule to delete","required":true,"schema":{"type":"string","description":"ID of the rule to delete"}}],"responses":{"204":{"description":"No Content response."},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RuleAPI.BadRequestWithTestResultsErr"}}}},"404":{"description":"not_found: Not Found response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RuleAPI.NotFoundError"}}}}}}}}} ``` ## GET /rules > list rules ```json {"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"rule","description":"The rule api handles all operations for rules"}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"RuleAPI.ListResp":{"type":"object","properties":{"next":{"type":"string","description":"pagination token for the next page of results"},"results":{"type":"array","items":{"$ref":"#/components/schemas/RuleAPI.Rule"}}}},"RuleAPI.Rule":{"type":"object","properties":{"body":{"type":"string","description":"The python body of the rule"},"createAlert":{"type":"boolean","description":"Determines whether the rule should create alerts when it triggers"},"createdAt":{"type":"string"},"createdBy":{"type":"object","properties":{"id":{"type":"string","enum":["user","api-token","system"]},"type":{"type":"string"}},"description":"The actor who created the rule"},"createdByExternal":{"type":"string","description":"The text of the user-provided CreatedBy field when uploaded via CI/CD"},"dedupPeriodMinutes":{"type":"integer","description":"The amount of time in minutes for grouping alerts","default":60,"format":"int64","minimum":1},"description":{"type":"string","description":"The description of the rule"},"displayName":{"type":"string","description":"The display name of the rule"},"enabled":{"type":"boolean","description":"Determines whether or not the rule is active"},"id":{"type":"string","description":"The id of the rule"},"inlineFilters":{"type":"string","description":"The filter for the rule represented in YAML"},"lastModified":{"type":"string"},"logTypes":{"type":"array","items":{"type":"string"},"description":"log types"},"managed":{"type":"boolean","description":"Determines if the rule is managed by panther"},"outputIDs":{"type":"array","items":{"type":"string"},"description":"Destination IDs that override default alert routing based on severity"},"reference":{"type":"string","description":"A URL or note for additional reference material"},"reports":{"type":"object","description":"reports","additionalProperties":{"items":{"type":"string"},"type":"array"}},"runbook":{"type":"string","description":"How to handle the generated alert"},"severity":{"type":"string","enum":["INFO","LOW","MEDIUM","HIGH","CRITICAL"]},"summaryAttributes":{"type":"array","items":{"type":"string"},"description":"A list of fields in the event to create top 5 summaries for"},"tags":{"type":"array","items":{"type":"string"},"description":"The tags for the rule"},"tests":{"type":"array","items":{"$ref":"#/components/schemas/RuleAPI.UnitTest"},"description":"Unit tests for the Rule. Best practice is to include a positive and negative case"},"threshold":{"type":"integer","description":"the number of events that must match before an alert is triggered","default":1,"format":"int64","minimum":1}}},"RuleAPI.UnitTest":{"type":"object","properties":{"expectedResult":{"type":"boolean","description":"The expected result"},"mocks":{"type":"array","items":{"$ref":"#/components/schemas/RuleAPI.UnitTestMock"},"description":"mocks"},"name":{"type":"string","description":"name"},"resource":{"type":"string","description":"resource"}},"required":["name","resource","expectedResult"]},"RuleAPI.UnitTestMock":{"type":"object","additionalProperties":{"type":"string"}}}},"paths":{"/rules":{"get":{"tags":["rule"],"summary":"list rules","operationId":"rule#list","parameters":[{"name":"cursor","in":"query","description":"the pagination token","allowEmptyValue":true,"schema":{"type":"string","description":"the pagination token"}},{"name":"limit","in":"query","description":"the maximum results to return","allowEmptyValue":true,"schema":{"type":"integer","description":"the maximum results to return","default":100,"format":"int64"}},{"name":"name-contains","in":"query","description":"Substring search by name (case-insensitive)","allowEmptyValue":true,"schema":{"type":"string","description":"Substring search by name (case-insensitive)"}},{"name":"state","in":"query","description":"Only include rules in the given state","allowEmptyValue":true,"schema":{"type":"string","description":"Only include rules in the given state","enum":["enabled","disabled"]}},{"name":"log-type","in":"query","description":"Only include rules which apply to one of the given log types","allowEmptyValue":true,"schema":{"type":"array","items":{"type":"string"},"description":"Only include rules which apply to one of the given log types"}},{"name":"severity","in":"query","description":"Only include rules with one of the given severities","allowEmptyValue":true,"schema":{"type":"array","items":{"type":"string","enum":["INFO","LOW","MEDIUM","HIGH","CRITICAL"]},"description":"Only include rules with one of the given severities"}},{"name":"tag","in":"query","description":"Only include rules with one of the given tags (case-insensitive)","allowEmptyValue":true,"schema":{"type":"array","items":{"type":"string"},"description":"Only include rules with one of the given tags (case-insensitive)"}},{"name":"created-by","in":"query","description":"Only include rules whose creator matches this user ID or actor ID","allowEmptyValue":true,"schema":{"type":"string","description":"Only include rules whose creator matches this user ID or actor ID"}},{"name":"last-modified-by","in":"query","description":"Only include rules last modified by this user ID or actor ID","allowEmptyValue":true,"schema":{"type":"string","description":"Only include rules last modified by this user ID or actor ID"}}],"responses":{"200":{"description":"OK response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RuleAPI.ListResp"}}}}}}}}} ```