Correlation Rules

REST API operations for correlation rules

Overview

Note: the /correlation-rules endpoints require a Snowflake backend. They are not available on Databricks.

Use these API operations to interact with correlation rules in Panther.

To call the API, see the How to use the Panther REST API instructions, including directions for how to invoke it directly from this documentation page.

Required permissions

  • For GET operations, your API token must have the View Rules permission.

  • For POST, PUT, and DELETE operations, your API token must have the Manage Rules permission.

Scope each token to the smaller of these two that the caller actually needs: a read-only integration (inventory, drift checks) only needs View Rules, while a token with Manage Rules can create, change, or delete detection logic and should be handled as a write credential.

Operations

list correlation rules

GET /correlation-rules

Authorizations
  • X-API-Key (string, required)

Query parameters
  • cursor (string, optional): the pagination token; pass the next value returned by the previous page to continue
  • limit (integer, int64, optional): the maximum number of results to return. Default: 100
  • name-contains (string, optional): substring search by name (case-insensitive)
  • state (string, enum, optional): only include rules in the given state
  • tag (string[], optional): only include rules with one of the given tags (case-insensitive)
  • created-by (string, optional): only include rules whose creator matches this user ID or actor ID
  • last-modified-by (string, optional): only include rules last modified by this user ID or actor ID

Responses
  • 200: OK response (application/json)
      • next (string, optional): pagination token for the next page of results
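The list operation returns one page at a time and a next token, so any tooling that audits every rule has to loop on cursor. The following is an added example (not Panther's own client) that encodes the documented filters and walks all pages; it assumes a made-up base URL, that string[] query parameters such as tag are sent repeated (?tag=a&tag=b), and that each page carries its rules under a top-level results key (this page documents only next). The transport is a constructed stand-in for HTTP so the example runs offline; swap in a real requests or urllib call to use it against Panther.

```python
"""Walk every page of GET /correlation-rules with server-side filters.

Added example, not Panther's own client. Assumptions (not on the page): the
base URL, repeated ?tag=a&tag=b encoding for string[] parameters, and a
top-level "results" key holding each page's rules.
"""
from typing import Callable, Iterator, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# (method, url, headers) -> (status, decoded JSON body)
Transport = Callable[[str, str, dict], tuple[int, dict]]


def build_list_url(base_url: str, cursor: Optional[str] = None, limit: int = 100,
                   name_contains: Optional[str] = None, state: Optional[str] = None,
                   tags: tuple = (), created_by: Optional[str] = None,
                   last_modified_by: Optional[str] = None) -> str:
    """Encode the documented query parameters of the list operation."""
    if limit < 1:
        raise ValueError("limit must be a positive integer")
    params: dict = {}
    if cursor:
        params["cursor"] = cursor
    params["limit"] = limit
    if name_contains:
        params["name-contains"] = name_contains
    if state:
        params["state"] = state
    if tags:
        params["tag"] = list(tags)            # assumption: repeated ?tag=a&tag=b
    if created_by:
        params["created-by"] = created_by
    if last_modified_by:
        params["last-modified-by"] = last_modified_by
    return f"{base_url}/correlation-rules?{urlencode(params, doseq=True)}"


def iter_correlation_rules(transport: Transport, base_url: str, api_key: str,
                           **filters) -> Iterator[dict]:
    """Yield every matching rule, following the next token until none is returned."""
    headers = {"X-API-Key": api_key}
    cursor, seen = None, set()
    while True:
        status, page = transport("GET", build_list_url(base_url, cursor=cursor, **filters), headers)
        if status != 200:
            raise RuntimeError(f"list failed with HTTP {status}: {page}")
        yield from page.get("results", [])   # assumption: rules live under "results"
        cursor = page.get("next")
        if not cursor:
            return
        if cursor in seen:                   # guard against a server that repeats a cursor
            raise RuntimeError("pagination cursor repeated; aborting")
        seen.add(cursor)


def list_rule_ids(transport: Transport, base_url: str, api_key: str, **filters) -> list:
    """Collect the IDs of all rules matching the filters across every page."""
    return [rule["id"] for rule in iter_correlation_rules(transport, base_url, api_key, **filters)]


class FakeTransport:
    """Constructed stand-in for HTTP: serves two pages of made-up rules and records calls."""
    PAGES = {
        None: {"results": [{"id": "Correlation.A", "enabled": True},
                           {"id": "Correlation.B", "enabled": True}],
               "next": "page-2"},
        "page-2": {"results": [{"id": "Correlation.C", "enabled": False}]},
    }

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers):
        self.calls.append((method, url, headers))
        cursor = parse_qs(urlparse(url).query).get("cursor", [None])[0]
        return 200, self.PAGES[cursor]


if __name__ == "__main__":
    fake = FakeTransport()
    print(list_rule_ids(fake, "https://panther.example.invalid/v1", "token",
                        name_contains="Correlation", tags=("aws", "ci")))
```

The repeated-cursor guard is cheap insurance: a client that trusts next unconditionally will spin forever against a misbehaving or replayed response, and a scheduled audit job that never terminates is easy to miss.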

create correlation rule

POST /correlation-rules

Authorizations
  • X-API-Key (string, required)

Query parameters
  • run-tests-first (boolean, optional): set to false to skip running the rule's tests before saving. Default: true
  • run-tests-only (boolean, optional): set to true to run the tests without saving. Default: false

Body
  • createAlert (boolean, optional): determines whether the rule creates alerts when it triggers
  • dedupPeriodMinutes (integer, int64, min 1, optional): the amount of time in minutes for grouping alerts. Default: 60
  • description (string, optional): the description of the correlation rule
  • detection (string, required): the YAML representation of the correlation rule
  • displayName (string, optional): the display name of the correlation rule
  • enabled (boolean, optional): determines whether or not the correlation rule is active
  • id (string, required): the ID of the correlation rule
  • outputIDs (string[], optional): destination IDs that override the default alert routing based on severity
  • runbook (string, optional): how to handle the generated alert
  • severity (string, enum, required)
  • summaryAttributes (string[], optional): a list of fields in the event to create top-5 summaries for
  • tags (string[], optional): the tags for the correlation rule
  • threshold (integer, int64, min 1, optional): the number of events that must match before an alert is triggered. Default: 1

Responses
  • 200: OK response (application/json). The saved correlation rule: every body field above (severity is reported as optional here), plus the server-populated fields:
      • correlationRuleReferenceIds (string[], optional): the IDs of the rules referenced by this correlation rule
      • createdAt (string, optional)
      • createdByExternal (string, optional): the text of the user-provided CreatedBy field when uploaded via CI/CD
      • lastModified (string, optional)
      • logTypes (string[], optional): the log types derived from the correlation rule references
      • managed (boolean, optional): determines whether the correlation rule is managed by Panther

get a correlation rule

GET /correlation-rules/{id}

Authorizations
  • X-API-Key (string, required)

Path parameters
  • id (string, required): ID of the correlation rule to fetch

Responses
  • 200: OK response (application/json). The correlation rule object, with the same fields as the create correlation rule response: id, detection, severity, enabled, createAlert, dedupPeriodMinutes, threshold, description, displayName, runbook, tags, outputIDs, summaryAttributes, and the server-populated correlationRuleReferenceIds, createdAt, createdByExternal, lastModified, logTypes, and managed.

put correlation rule

PUT /correlation-rules/{id}

put creates or updates a correlation rule

Authorizations
  • X-API-Key (string, required)

Path parameters
  • id (string, required): the ID of the correlation rule

Query parameters
  • run-tests-first (boolean, optional): set to false to skip running the rule's tests before saving. Default: true
  • run-tests-only (boolean, optional): set to true to run the tests without saving. Default: false

Body
  • createAlert (boolean, optional): determines whether the rule creates alerts when it triggers
  • dedupPeriodMinutes (integer, int64, min 1, optional): the amount of time in minutes for grouping alerts. Default: 60
  • description (string, optional): the description of the correlation rule
  • detection (string, required): the YAML representation of the correlation rule
  • displayName (string, optional): the display name of the correlation rule
  • enabled (boolean, optional): determines whether or not the correlation rule is active
  • id (string, required): the ID of the correlation rule
  • outputIDs (string[], optional): destination IDs that override the default alert routing based on severity
  • runbook (string, optional): how to handle the generated alert
  • severity (string, enum, required)
  • summaryAttributes (string[], optional): a list of fields in the event to create top-5 summaries for
  • tags (string[], optional): the tags for the correlation rule
  • threshold (integer, int64, min 1, optional): the number of events that must match before an alert is triggered. Default: 1

Responses
  • 200: returned if the item already existed (application/json). The saved correlation rule object, with the same fields as the create correlation rule response: the body fields above (severity reported as optional) plus correlationRuleReferenceIds, createdAt, createdByExternal, lastModified, logTypes, and managed.
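The create and put operations share the same body and the same two test switches, which together give a safe rollout pattern: dry-run the rule's tests with run-tests-only=true, and only then upsert it, leaving run-tests-first at its default of true so the save is refused if a test fails. The following is an added example (not Panther's own tooling) of that pattern. It assumes a made-up base URL, that a non-200 status from the dry run means the tests did not pass, the severity value HIGH, and a placeholder detection string (the correlation-rule YAML schema is not on this page); FakeTransport is a constructed stand-in for HTTP that mimics the documented 200 responses and does not save anything.

```python
"""Test-then-save rollout of a correlation rule via POST (run-tests-only) and PUT.

Added example, not Panther's own tooling. Assumptions (not on the page): the
base URL, the severity value, the placeholder detection YAML, and that a
non-200 dry-run status means the tests failed.
"""
import json
from urllib.parse import quote

# Placeholder only: not a real Panther correlation-rule definition.
PLACEHOLDER_DETECTION = "# placeholder correlation YAML; replace with a real definition\n"


def build_rule_body(rule_id: str, severity: str, detection_yaml: str, **opts) -> dict:
    """Assemble and validate the documented POST/PUT body.

    Required: id, severity, detection. enabled defaults to False so a new
    rule is reviewed before it can fire; the other defaults match the page.
    """
    body = {
        "id": rule_id,
        "severity": severity,
        "detection": detection_yaml,
        "enabled": opts.get("enabled", False),
        "createAlert": opts.get("createAlert", True),
        "dedupPeriodMinutes": opts.get("dedupPeriodMinutes", 60),
        "threshold": opts.get("threshold", 1),
    }
    for key in ("displayName", "description", "runbook", "tags", "outputIDs", "summaryAttributes"):
        if key in opts:
            body[key] = opts[key]
    for required in ("id", "severity", "detection"):
        if not body[required]:
            raise ValueError(f"{required} is required")
    for key in ("dedupPeriodMinutes", "threshold"):   # documented minimum is 1
        if not isinstance(body[key], int) or body[key] < 1:
            raise ValueError(f"{key} must be an integer >= 1")
    return body


def deploy_rule(transport, base_url: str, api_key: str, body: dict) -> dict:
    """Dry-run the tests, then upsert. Returns the outcome of the stage that finished last."""
    headers = {"X-API-Key": api_key, "Content-Type": "application/json"}
    payload = json.dumps(body)
    # Stage 1: run the tests without saving.
    status, resp = transport("POST", f"{base_url}/correlation-rules?run-tests-only=true", headers, payload)
    if status != 200:
        return {"saved": False, "stage": "tests", "status": status, "response": resp}
    # Stage 2: upsert by ID; run-tests-first stays at its default (true).
    url = f"{base_url}/correlation-rules/{quote(body['id'], safe='')}"
    status, resp = transport("PUT", url, headers, payload)
    # The page documents 200 when the rule already existed; treat any 2xx as saved.
    return {"saved": 200 <= status < 300, "stage": "save", "status": status, "response": resp}


class FakeTransport:
    """Constructed stand-in for HTTP: checks the key and required fields, echoes a saved rule."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, payload):
        self.calls.append((method, url))
        if headers.get("X-API-Key") != "token":
            return 401, {"message": "unauthorized"}
        body = json.loads(payload)
        if any(not body.get(k) for k in ("id", "severity", "detection")):
            return 400, {"message": "missing required field"}
        if method == "POST":              # run-tests-only: nothing is persisted (made-up shape)
            return 200, {"testsPassed": True}
        saved = dict(body, managed=False, correlationRuleReferenceIds=[], logTypes=[],
                     createdAt="2024-01-01T00:00:00Z", lastModified="2024-01-01T00:00:00Z")
        return 200, saved


if __name__ == "__main__":
    body = build_rule_body("Correlation.Example", "HIGH", PLACEHOLDER_DETECTION,
                           tags=["example"], threshold=2)
    print(deploy_rule(FakeTransport(), "https://panther.example.invalid/v1", "token", body))
```

Keeping enabled=False as the client-side default means a CI pipeline can land a rule, let a reviewer check it in Panther, and only then flip it on; pass enabled=True explicitly once that review is part of the pipeline itself.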

delete correlation rule

DELETE /correlation-rules/{id}

Authorizations
  • X-API-Key (string, required)

Path parameters
  • id (string, required): ID of the correlation rule to delete

Responses
  • No content
