Simple Rules

REST API operations for Simple/YAML rules

Overview

Use these API operations to interact with Simple Detections created through the CLI workflow or with the Simple Detection Builder in the Panther Console.

The simple rule API entities apply only to rules that are Simple Detections. To interact with rules written in Python, see the Python-based rules page.

To call the API, see the instructions on using the Panther REST API, which include guidance on making calls directly from this documentation page.

Required permissions

  • For GET operations, the API token must have the View Rules permission

  • For POST, PUT and DELETE operations, the API token must have the Manage Rules permission

Operations

The API endpoints below are for Simple Detections only. To interact with other detection types, see the corresponding pages: Python-based rules, scheduled rules, and cloud policies.

create simple rule

POST /simple-rules

Authorizations
  • X-API-Key (string, required)

Query parameters
  • run-tests-first (boolean, optional; default: true): set this field to false to skip running the rule's tests before saving it
  • run-tests-only (boolean, optional; default: false): set this field to true to run the tests without saving the rule

Body
  • alertContext (string, optional): the alert context represented in YAML
  • alertTitle (string, optional): the alert title represented in YAML
  • createAlert (boolean, optional): determines whether the rule should create alerts when it triggers
  • dedupPeriodMinutes (integer, int64, min: 1, optional; default: 60): the amount of time in minutes for grouping alerts
  • description (string, optional): the description of the rule
  • detection (string, required): the YAML representation of the rule
  • displayName (string, optional): the display name of the rule
  • dynamicSeverities (string, optional): the dynamic severity represented in YAML
  • enabled (boolean, optional): determines whether or not the rule is active
  • groupBy (string, optional): the key on an event to group by, represented in YAML
  • id (string, required): the id of the rule
  • inlineFilters (string, optional): the filter for the rule represented in YAML
  • logTypes (string[], optional): log types
  • managed (boolean, optional): determines if the simple rule is managed by Panther
  • outputIDs (string[], optional): destination IDs that override default alert routing based on severity
  • pythonBody (string, optional): the Python body of the rule
  • reference (string, optional): a URL or note for additional reference material
  • runbook (string, optional): how to handle the generated alert
  • severity (string, enum, required). Possible values:
  • summaryAttributes (string[], optional): a list of fields in the event to create top-5 summaries for
  • tags (string[], optional): the tags for the simple rule
  • threshold (integer, int64, min: 1, optional; default: 1): the number of events that must match before an alert is triggered

Responses
  200 OK response (application/json)
  • alertContext (string, optional): the alert context represented in YAML
  • alertTitle (string, optional): the alert title represented in YAML
  • createAlert (boolean, optional): determines whether the rule should create alerts when it triggers
  • createdAt (string, optional)
  • createdByExternal (string, optional): the text of the user-provided CreatedBy field when uploaded via CI/CD
  • dedupPeriodMinutes (integer, int64, min: 1, optional; default: 60): the amount of time in minutes for grouping alerts
  • description (string, optional): the description of the rule
  • detection (string, optional): the YAML representation of the rule
  • displayName (string, optional): the display name of the rule
  • dynamicSeverities (string, optional): the dynamic severity represented in YAML
  • enabled (boolean, optional): determines whether or not the rule is active
  • groupBy (string, optional): the key on an event to group by, represented in YAML
  • id (string, optional): the id of the rule
  • inlineFilters (string, optional): the filter for the rule represented in YAML
  • lastModified (string, optional)
  • logTypes (string[], optional): log types
  • managed (boolean, optional): determines if the simple rule is managed by Panther
  • outputIDs (string[], optional): destination IDs that override default alert routing based on severity
  • pythonBody (string, optional): the Python body of the rule
  • reference (string, optional): a URL or note for additional reference material
  • runbook (string, optional): how to handle the generated alert
  • severity (string, enum, optional). Possible values:
  • summaryAttributes (string[], optional): a list of fields in the event to create top-5 summaries for
  • tags (string[], optional): the tags for the simple rule
  • threshold (integer, int64, min: 1, optional; default: 1): the number of events that must match before an alert is triggered

get a simple rule

GET /simple-rules/{id}

Authorizations
  • X-API-Key (string, required)

Path parameters
  • id (string, required): ID of the rule to fetch

Query parameters
  • include-python (boolean, optional; default: false): determines if the associated Python for the generated rule is returned

Responses
  200 OK response (application/json): the rule, with the same fields as the 200 response of create simple rule above (alertContext through threshold, plus createdAt, createdByExternal and lastModified).

put simple rule

PUT /simple-rules/{id}

PUT creates or updates a rule. Because it creates the rule when the id does not yet exist, a mistyped id silently creates a second rule instead of updating the intended one; fetch the rule by id first if you expect it to exist.

Authorizations
  • X-API-Key (string, required)

Path parameters
  • id (string, required): the id of the rule

Query parameters
  • run-tests-first (boolean, optional; default: true): set this field to false to skip running the rule's tests before saving it
  • run-tests-only (boolean, optional; default: false): set this field to true to run the tests without saving the rule

Body
  Same fields as the create simple rule request body above: detection, id and severity are required; all other fields are optional.

Responses
  200 returned if the item already existed (application/json): the rule, with the same fields as the 200 response of create simple rule above (alertContext through threshold, plus createdAt, createdByExternal and lastModified).

delete simple rule

DELETE /simple-rules/{id}

Authorizations
  • X-API-Key (string, required)

Path parameters
  • id (string, required): ID of the simple rule to delete

Responses
  No content

list simple rules

GET /simple-rules

Authorizations
  • X-API-Key (string, required)

Query parameters
  • cursor (string, optional): the pagination token
  • limit (integer, int64, optional; default: 100): the maximum number of results to return
  • include-python (boolean, optional; default: false): determines if the associated Python for the generated rule is returned
  • name-contains (string, optional): substring search by name (case-insensitive)
  • state (string, enum, optional): only include rules in the given state. Possible values:
  • log-type (string[], optional): only include rules which apply to one of the given log types
  • tag (string[], optional): only include rules with one of the given tags (case-insensitive)
  • created-by (string, optional): only include rules whose creator matches this user ID or actor ID
  • last-modified-by (string, optional): only include rules last modified by this user ID or actor ID

Responses
  200 OK response (application/json)
  • next (string, optional): pagination token for the next page of results; supply it as the cursor query parameter on the following request, and stop when it is absent
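The following is an added example, written for this page and not Panther's own code or SDK: a stdlib-only Python client that exercises every operation documented above (POST, GET, PUT, DELETE and paginated list), sends the API key in the X-API-Key header, renders the boolean query flags as the literal strings true/false, and follows the list endpoint's next cursor. It assumes (none of this is stated on the page) that the caller supplies the base URL and API key, that a successful DELETE answers 204, and that the Simple Detection YAML and the severity value in the constructed SAMPLE_RULE are valid; the transport is injectable so the request-building logic can be checked without a live Panther instance.

```python
"""Added example, not Panther's own code: a stdlib-only client for the simple-rule
operations on this page. Assumed, not from the page: the base URL and API key are
supplied by the caller, a successful DELETE answers 204, and the Simple Detection
YAML and severity value in SAMPLE_RULE, which is a constructed illustration."""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterator, Optional, Tuple

# Constructed sample rule body; the field names are the ones documented on this page.
SAMPLE_RULE: Dict[str, Any] = {
    "id": "Example.Custom.RootConsoleLogin",
    "severity": "HIGH",  # assumed enum value; the page does not list them
    "logTypes": ["AWS.CloudTrail"],
    "dedupPeriodMinutes": 60,
    "detection": (  # assumed Simple Detection YAML syntax
        "Detection:\n  - KeyPath: eventName\n    Condition: Equals\n    Value: ConsoleLogin\n"
        "  - KeyPath: userIdentity.type\n    Condition: Equals\n    Value: Root\n"
    ),
}

@dataclass
class ApiRequest:
    method: str
    url: str
    headers: Dict[str, str]
    body: Optional[bytes]

Transport = Callable[[ApiRequest], Tuple[int, bytes]]

class PantherApiError(Exception):
    def __init__(self, status: int, payload: Any):
        super().__init__(f"Panther API returned HTTP {status}")  # never echo the key or body
        self.status, self.payload = status, payload

def urllib_transport(req: ApiRequest) -> Tuple[int, bytes]:
    # Default transport: returns (status, body) and does not raise on 4xx/5xx.
    r = urllib.request.Request(req.url, data=req.body, headers=req.headers, method=req.method)
    try:
        with urllib.request.urlopen(r, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def _rule_path(rule_id: str) -> str:
    return "/simple-rules/" + urllib.parse.quote(rule_id, safe="")

class SimpleRulesClient:
    def __init__(self, base_url: str, api_key: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self._api_key = api_key
        self._transport = transport

    def _call(self, method, path, query=None, body=None) -> Tuple[int, Any]:
        # Drop unset params; booleans go on the wire as "true"/"false" (e.g. run-tests-only=true).
        params = {k: (("true" if v else "false") if isinstance(v, bool) else v)
                  for k, v in (query or {}).items() if v is not None}
        url = self.base_url + path + ("?" + urllib.parse.urlencode(params, doseq=True) if params else "")
        data = json.dumps(body).encode("utf-8") if body is not None else None
        headers = {"X-API-Key": self._api_key, "Accept": "application/json"}
        if data is not None:
            headers["Content-Type"] = "application/json"
        status, raw = self._transport(ApiRequest(method, url, headers, data))
        payload = json.loads(raw) if raw else None
        if status >= 400:
            raise PantherApiError(status, payload)
        return status, payload

    def create(self, rule, run_tests_first=True, run_tests_only=False):
        q = {"run-tests-first": run_tests_first, "run-tests-only": run_tests_only}
        return self._call("POST", "/simple-rules", q, rule)[1]

    def get(self, rule_id, include_python=False):
        return self._call("GET", _rule_path(rule_id), {"include-python": include_python})[1]

    def put(self, rule_id, rule, run_tests_first=True, run_tests_only=False):
        q = {"run-tests-first": run_tests_first, "run-tests-only": run_tests_only}
        return self._call("PUT", _rule_path(rule_id), q, rule)[1]

    def delete(self, rule_id) -> int:
        return self._call("DELETE", _rule_path(rule_id))[0]

    def list_pages(self, limit=100, include_python=False, filters=None) -> Iterator[Dict[str, Any]]:
        """Yield each page of GET /simple-rules, following "next" until it is absent; filters uses the page's query names."""
        cursor = None
        while True:
            q = {"cursor": cursor, "limit": limit, "include-python": include_python, **(filters or {})}
            page = self._call("GET", "/simple-rules", q)[1] or {}
            yield page
            cursor = page.get("next")
            if not cursor:
                return

def validate_then_upsert(client: SimpleRulesClient, rule: Dict[str, Any]) -> Dict[str, Any]:
    """CI flow: run the rule's tests without saving (run-tests-only=true), then upsert by id (PUT creates on a new id)."""
    client.put(rule["id"], rule, run_tests_only=True)
    return client.put(rule["id"], rule)
```

validate_then_upsert is the shape a CI pipeline wants: the first PUT with run-tests-only=true fails the job on a broken rule without touching the deployed detection, and only a passing rule is saved. Keep run-tests-first at its default; setting it to false saves a rule whose tests were never run. The error type carries the status and decoded body but deliberately keeps the API key out of its message.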
