Knowledge Base Community Release Notes Request Demo

Rules

REST API operations for rules

Overview

The /rules REST API operations are in open beta starting with Panther version 1.98, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.

Use these API operations to interact with rules in Panther.

The rules API entity is only applicable to Python rules. To interact with rules created as Simple/YAML rules, see Simple Rules.

To call the API, see the How to use the Panther REST API instructions—including directions for how to invoke it directly from this documentation page.

Required permissions

For GET operations, your API token must have the View Rules permission.
For POST, PUT, and DELETE operations, your API token must have the Manage Rules permission.

Operations

PreviousQueries NextScheduled Rules

Last updated 9 months ago

Was this helpful?

delete rule

delete

/rules/{id}

Authorizations

Path parameters

idstringrequired

ID of the rule to delete

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --request DELETE \
  --url 'https://your-api-host/rules/{id}' \
  --header 'X-API-Key: YOUR_API_KEY'

204

400

404

No body

No Content response.

create rule

post

/rules

Authorizations

Query parameters

run-tests-firstboolean · default: true

set this field to false to exclude running tests prior to saving

run-tests-onlyboolean

set this field to true if you want to run tests without saving

Body

bodystringrequired

The python body of the rule

dedupPeriodMinutesinteger · min: 1 · default: 60

The amount of time in minutes for grouping alerts

descriptionstring

The description of the rule

displayNamestring

The display name of the rule

enabledboolean

Determines whether or not the rule is active

idstringrequired

The id of the rule

inlineFiltersstring

The filter for the rule represented in YAML

managedboolean

Determines if the rule is managed by panther

runbookstring

How to handle the generated alert

thresholdinteger · min: 1 · default: 1

the number of events that must match before an alert is triggered

severitystring · enumrequired

Options: INFO, LOW, MEDIUM, HIGH, CRITICAL

logTypesstring[]

log types

summaryAttributesstring[]

A list of fields in the event to create top 5 summaries for

tagsstring[]

The tags for the rule

testsobject[]

Unit tests for the Rule. Best practice is to include a positive and negative case

reportsobject

reports

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --request POST \
  --url 'https://your-api-host/rules' \
  --header 'X-API-Key: YOUR_API_KEY' \
  --header 'Content-Type: application/json' \
  --data '{"body":"text","dedupPeriodMinutes":60,"id":"text","threshold":1,"severity":"INFO","logTypes":[null],"summaryAttributes":[null],"tags":[null],"tests":[{"expectedResult":true,"name":"text","resource":"text","mocks":[{}]}],"reports":{"ANY_ADDITIONAL_PROPERTY":[null]}}'

200

204

400

409

{
  "body": "text",
  "createdAt": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "inlineFilters": "text",
  "lastModified": "text",
  "managed": true,
  "runbook": "text",
  "threshold": 1,
  "severity": "INFO",
  "logTypes": [
    "text"
  ],
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "name": "text",
      "resource": "text",
      "mocks": [
        {}
      ]
    }
  ],
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  }
}

OK response.

get rule

get

/rules/{id}

Authorizations

Path parameters

idstringrequired

ID of the rule to fetch

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --url 'https://your-api-host/rules/{id}' \
  --header 'X-API-Key: YOUR_API_KEY'

200

404

{
  "body": "text",
  "createdAt": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "inlineFilters": "text",
  "lastModified": "text",
  "managed": true,
  "runbook": "text",
  "threshold": 1,
  "severity": "INFO",
  "logTypes": [
    "text"
  ],
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "name": "text",
      "resource": "text",
      "mocks": [
        {}
      ]
    }
  ],
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  }
}

OK response.

put rule

put creates or updates a rule

put

/rules/{id}

Authorizations

Path parameters

idstringrequired

the id of the rule

Query parameters

run-tests-firstboolean · default: true

set this field to false to exclude running tests prior to saving

run-tests-onlyboolean

set this field to true if you want to run tests without saving

Body

bodystringrequired

The python body of the rule

dedupPeriodMinutesinteger · min: 1 · default: 60

The amount of time in minutes for grouping alerts

descriptionstring

The description of the rule

displayNamestring

The display name of the rule

enabledboolean

Determines whether or not the rule is active

idstringrequired

The id of the rule

inlineFiltersstring

The filter for the rule represented in YAML

managedboolean

Determines if the rule is managed by panther

runbookstring

How to handle the generated alert

thresholdinteger · min: 1 · default: 1

the number of events that must match before an alert is triggered

severitystring · enumrequired

Options: INFO, LOW, MEDIUM, HIGH, CRITICAL

logTypesstring[]

log types

summaryAttributesstring[]

A list of fields in the event to create top 5 summaries for

tagsstring[]

The tags for the rule

testsobject[]

Unit tests for the Rule. Best practice is to include a positive and negative case

reportsobject

reports

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --request PUT \
  --url 'https://your-api-host/rules/{id}' \
  --header 'X-API-Key: YOUR_API_KEY' \
  --header 'Content-Type: application/json' \
  --data '{"body":"text","dedupPeriodMinutes":60,"id":"text","threshold":1,"severity":"INFO","logTypes":[null],"summaryAttributes":[null],"tags":[null],"tests":[{"expectedResult":true,"name":"text","resource":"text","mocks":[{}]}],"reports":{"ANY_ADDITIONAL_PROPERTY":[null]}}'

200

201

204

400

{
  "body": "text",
  "createdAt": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "inlineFilters": "text",
  "lastModified": "text",
  "managed": true,
  "runbook": "text",
  "threshold": 1,
  "severity": "INFO",
  "logTypes": [
    "text"
  ],
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "name": "text",
      "resource": "text",
      "mocks": [
        {}
      ]
    }
  ],
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  }
}

200 returned if the item already existed

list rules

get

/rules

Authorizations

Query parameters

cursorstring

the pagination token

limitinteger · int64 · default: 100

the maximum results to return

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --url 'https://your-api-host/rules' \
  --header 'X-API-Key: YOUR_API_KEY'

200

{
  "next": "text",
  "results": [
    {
      "body": "text",
      "createdAt": "text",
      "dedupPeriodMinutes": 60,
      "description": "text",
      "displayName": "text",
      "enabled": true,
      "id": "text",
      "inlineFilters": "text",
      "lastModified": "text",
      "managed": true,
      "runbook": "text",
      "threshold": 1,
      "severity": "INFO",
      "logTypes": [
        "text"
      ],
      "summaryAttributes": [
        "text"
      ],
      "tags": [
        "text"
      ],
      "tests": [
        {
          "expectedResult": true,
          "name": "text",
          "resource": "text",
          "mocks": [
            {}
          ]
        }
      ],
      "reports": {
        "ANY_ADDITIONAL_PROPERTY": [
          "text"
        ]
      }
    }
  ]
}

OK response.