Alerts

REST API operations for alerts

Overview

The /alerts REST API operations are in open beta starting with Panther version 1.112, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.

Use these API operations to interact with alerts in Panther.

To call the API, see the How to use the Panther REST API instructions—including directions for how to invoke it directly from this documentation page.

Required permissions

  • For GET operations, your API token must have the Read Alerts permission.

  • For PATCH operations, your API token must have the Manage Alerts permission.

Operations

Get an alert

Path parameters

id (string, required)
ID of the alert

Responses

200 (application/json): OK response.

Example request:

GET /alerts/{id} HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*

Example response:

{
  "assignee": {
    "id": "user",
    "type": "text"
  },
  "context": null,
  "createdAt": "text",
  "deliveries": [
    {
      "dispatchedAt": "text",
      "label": "text",
      "message": "text",
      "outputId": "text",
      "statusCode": 1,
      "success": true
    }
  ],
  "detection": {
    "id": "text",
    "type": "RULE"
  },
  "eventCount": 1,
  "firstEventOccurredAt": "text",
  "id": "text",
  "lastReceivedEventAt": "text",
  "runbook": "text",
  "severity": "CRITICAL",
  "status": "OPEN",
  "systemError": {
    "detection": {
      "id": "text",
      "type": "RULE"
    },
    "sourceId": "text",
    "sourceType": "text",
    "type": "text"
  },
  "title": "text",
  "type": "text",
  "updatedBy": {
    "id": "user",
    "type": "text"
  }
}

Update the status or assignee of an alert

Path parameters

id (string, required)
ID of the alert

Body

assignee (string, optional)
The ID of the assignee for this alert

status (string enum, optional)
The status of this alert
Possible values:

Responses

200: OK response.

Example request:

PATCH /alerts/{id} HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 35

{
  "assignee": "text",
  "status": "OPEN"
}

Example response: No content

List alerts

Query parameters

type (string enum, optional)
Default: ALERT
Possible values:

cursor (string, optional)
The pagination token

limit (integer, int64, max: 50, optional)
The maximum number of results to return
Default: 25

created-after (string, optional)
The date and time after which the alerts were created. If empty, defaults to 30 days ago
Example: 1672531200

created-before (string, optional)
The date and time before which the alerts were created. If empty, defaults to the current time
Example: 1672531200

detection-id (string, optional)
The detection ID to filter alerts by

sort-dir (string enum, optional)
The sort direction of the results
Default: desc
Possible values:

name-contains (string, optional)
A string to search for in the alert name

log-source (string[], optional)
The log source of the alert

log-type (string[], optional)
The log type of the alert

resource-type (string[], optional)
The resource type of the alert

assignee (string[], optional)
The assignee of the alert. This should be a user ID

event-count-min (integer, int64, optional)
The minimum number of events in the alert

event-count-max (integer, int64, optional)
The maximum number of events in the alert

Responses

200 (application/json): OK response.

Example request:

GET /alerts HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*

Example response:

{
  "next": "text",
  "results": [
    {
      "assignee": {
        "id": "user",
        "type": "text"
      },
      "context": null,
      "createdAt": "text",
      "deliveries": [
        {
          "dispatchedAt": "text",
          "label": "text",
          "message": "text",
          "outputId": "text",
          "statusCode": 1,
          "success": true
        }
      ],
      "detection": {
        "id": "text",
        "type": "RULE"
      },
      "eventCount": 1,
      "firstEventOccurredAt": "text",
      "id": "text",
      "lastReceivedEventAt": "text",
      "runbook": "text",
      "severity": "CRITICAL",
      "status": "OPEN",
      "systemError": {
        "detection": {
          "id": "text",
          "type": "RULE"
        },
        "sourceId": "text",
        "sourceType": "text",
        "type": "text"
      },
      "title": "text",
      "type": "text",
      "updatedBy": {
        "id": "user",
        "type": "text"
      }
    }
  ]
}
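
Added example (not from the Panther documentation): a Python sketch of walking every page of GET /alerts by feeding the response's "next" value back as the cursor parameter, with the token kept in the X-API-Key header. It assumes an https:// base URL on the placeholder host and that an empty or missing "next" marks the last page; the function names and SAMPLE_PAGES are hypothetical.

```python
import json
import urllib.parse
import urllib.request

MAX_LIMIT = 50  # the page documents "max: 50" (default 25) for limit


def build_list_url(api_host, cursor=None, limit=MAX_LIMIT, **filters):
    """Build a GET /alerts URL; created_after=... becomes created-after=..."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    params = [("limit", limit)]
    if cursor:
        params.append(("cursor", cursor))
    params += [(k.replace("_", "-"), v) for k, v in sorted(filters.items())]
    return f"https://{api_host}/alerts?{urllib.parse.urlencode(params)}"


def http_get_json(url, api_key):
    """Real transport: the token travels in the X-API-Key header, never the URL."""
    req = urllib.request.Request(
        url, headers={"X-API-Key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_alerts(api_host, api_key, get_json=http_get_json, max_pages=1000, **filters):
    """Yield every alert, following "next" until it is empty (assumed end marker)."""
    cursor, seen = None, set()
    for _ in range(max_pages):
        page = get_json(build_list_url(api_host, cursor=cursor, **filters), api_key)
        yield from page.get("results") or []
        cursor = page.get("next")
        if not cursor:
            return
        if cursor in seen:  # a repeated token would loop forever
            raise RuntimeError("pagination cursor repeated")
        seen.add(cursor)
    raise RuntimeError("max_pages reached before the last page")


# Constructed sample pages (not real Panther data), keyed by the cursor requested.
SAMPLE_PAGES = {
    None: {"results": [{"id": "a1"}, {"id": "a2"}], "next": "c1"},
    "c1": {"results": [{"id": "a3"}], "next": ""},
}


def fake_get_json(url, api_key):
    """Offline stand-in for http_get_json that serves SAMPLE_PAGES."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return SAMPLE_PAGES[query.get("cursor", [None])[0]]
```

Against a real deployment, drop the get_json argument so http_get_json is used, and load the API key from a secret store rather than hard-coding it.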

Update the status or assignee of multiple alerts

Body

assignee (string, optional)
The ID of the assignee for this alert

ids (string[], required)
The IDs of the alerts to patch

status (string enum, optional)
The status of this alert
Possible values:

Responses

204: No Content response.

Example request:

PATCH /alerts HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 50

{
  "assignee": "text",
  "ids": [
    "text"
  ],
  "status": "OPEN"
}

Example response: No content

List alert events

Path parameters

id (string, required)
The alert ID

Query parameters

cursor (string, optional)
The pagination token

limit (integer, int64, max: 50, optional)
The maximum number of results to return
Default: 25

Responses

200 (application/json): OK response.

Example request:

GET /alerts/{id}/events HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*

Example response:

{
  "next": "text",
  "results": []
}
