Rules

REST API operations for rules

Overview

The /rules REST API operations are in open beta starting with Panther version 1.98, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.

Use these API operations to interact with rules in Panther.

The rules API entity is only applicable to Python rules. To interact with rules created as Simple/YAML rules, see Simple Rules.

To call the API, see the How to use the Panther REST API instructions—including directions for how to invoke it directly from this documentation page.

Required permissions

For GET operations, your API token must have the View Rules permission.
For POST, PUT, and DELETE operations, your API token must have the Manage Rules permission.

Operations

create rule

POSThttps://your-api-host/rules

Query parameters

Body

body*string

The python body of the rule

dedupPeriodMinutesinteger (int64)

The amount of time in minutes for grouping alerts

descriptionstring

The description of the rule

displayNamestring

The display name of the rule

enabledboolean

Determines whether or not the rule is active

id*string

The id of the rule

inlineFiltersstring

The filter for the rule represented in YAML

logTypesarray of string

log types

managedboolean

Determines if the rule is managed by panther

reportsobject

reports

runbookstring

How to handle the generated alert

severity*enum

INFOLOWMEDIUMHIGHCRITICAL

summaryAttributesarray of string

A list of fields in the event to create top 5 summaries for

tagsarray of string

The tags for the rule

testsarray of RuleAPI.UnitTest (object)

Unit tests for the Rule. Best practice is to include a positive and negative case

Response

OK response.

Body

RuleAPI.RulecreateResponseBody (any)

Request

const response = await fetch('https://your-api-host/rules', {
    method: 'POST',
    headers: {
      "Content-Type": "application/json"
    },
    body: JSON.stringify({
      "id": "text",
      "body": "text",
      "severity": "INFO"
    }),
});
const data = await response.json();

get rule

GEThttps://your-api-host/rules/{id}

Path parameters

id*string

ID of the rule to fetch

Response

OK response.

Body

bodystring

The python body of the rule

createdAtstring

dedupPeriodMinutesinteger (int64)

The amount of time in minutes for grouping alerts

descriptionstring

The description of the rule

displayNamestring

The display name of the rule

enabledboolean

Determines whether or not the rule is active

idstring

The id of the rule

inlineFiltersstring

The filter for the rule represented in YAML

lastModifiedstring

logTypesarray of string

log types

managedboolean

Determines if the rule is managed by panther

reportsobject

reports

runbookstring

How to handle the generated alert

severityenum

INFOLOWMEDIUMHIGHCRITICAL

summaryAttributesarray of string

A list of fields in the event to create top 5 summaries for

tagsarray of string

The tags for the rule

testsarray of RuleAPI.UnitTest (object)

Unit tests for the Rule. Best practice is to include a positive and negative case

Request

const response = await fetch('https://your-api-host/rules/{id}', {
    method: 'GET',
    headers: {},
});
const data = await response.json();

Response

{
  "body": "text",
  "createdAt": "text",
  "description": "text",
  "displayName": "text",
  "enabled": false,
  "id": "text",
  "inlineFilters": "text",
  "lastModified": "text",
  "logTypes": [
    "text"
  ],
  "managed": false,
  "runbook": "text",
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": false,
      "mocks": [],
      "name": "text",
      "resource": "text"
    }
  ]
}

put rule

put creates or updates a rule

PUThttps://your-api-host/rules/{id}

Path parameters

id*string

the id of the rule

Query parameters

Body

body*string

The python body of the rule

dedupPeriodMinutesinteger (int64)

The amount of time in minutes for grouping alerts

descriptionstring

The description of the rule

displayNamestring

The display name of the rule

enabledboolean

Determines whether or not the rule is active

id*string

The id of the rule

inlineFiltersstring

The filter for the rule represented in YAML

logTypesarray of string

log types

managedboolean

Determines if the rule is managed by panther

reportsobject

reports

runbookstring

How to handle the generated alert

severity*enum

INFOLOWMEDIUMHIGHCRITICAL

summaryAttributesarray of string

A list of fields in the event to create top 5 summaries for

tagsarray of string

The tags for the rule

testsarray of RuleAPI.UnitTest (object)

Unit tests for the Rule. Best practice is to include a positive and negative case

Response

200 returned if the item already existed

Body

RuleAPI.RulecreateResponseBody (any)

Request

const response = await fetch('https://your-api-host/rules/{id}', {
    method: 'PUT',
    headers: {
      "Content-Type": "application/json"
    },
    body: JSON.stringify({
      "id": "text",
      "body": "text",
      "severity": "INFO"
    }),
});
const data = await response.json();

delete rule

DELETEhttps://your-api-host/rules/{id}

Path parameters

id*string

ID of the rule to delete

Response

No Content response.

Request

const response = await fetch('https://your-api-host/rules/{id}', {
    method: 'DELETE',
    headers: {},
});
const data = await response.json();

list rules

GEThttps://your-api-host/rules

Query parameters

Response

OK response.

Body

nextstring

pagination token for the next page of results

resultsarray of RuleAPI.RulecreateResponseBody (any)

Request

const response = await fetch('https://your-api-host/rules', {
    method: 'GET',
    headers: {},
});
const data = await response.json();

Response

{
  "next": "text",
  "results": []
}

PreviousQueries NextScheduled Rules

Last updated 29 days ago