Knowledge BaseCommunityRelease NotesRequest Demo

Scheduled Rules

REST API operations for Scheduled Rules

Overview

The /scheduled-rules REST API operations are in open beta starting with Panther version 1.98, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.

Use these API operations to interact with Scheduled Rules in Panther.

To call the API, see the How to use the Panther REST API instructions—including directions for how to invoke it directly from this documentation page.

Required permissions

  • For GET operations, your API token must have the View Rules permission.

  • For POST, PUT, and DELETE operations, your API token must have the Manage Rules permission.

Operations

create scheduled rule

post
Authorizations
Query parameters
run-tests-firstbooleanOptional

set this field to false to exclude running tests prior to saving

Default: true
run-tests-onlybooleanOptional

set this field to true if you want to run tests without saving

Default: false
Body
bodystringRequired

The python body of the scheduled rule

dedupPeriodMinutesinteger · int64 · min: 1Optional

The amount of time in minutes for grouping alerts

Default: 60
descriptionstringOptional

The description of the scheduled rule

displayNamestringOptional

The display name of the scheduled rule

enabledbooleanOptional

Determines whether or not the scheduled rule is active

idstringRequired

The id of the scheduled rule

managedbooleanOptional

Determines if the scheduled rule is managed by panther

outputIDsstring[]Optional

Destination IDs that override default alert routing based on severity

runbookstringOptional

How to handle the generated alert

scheduledQueriesstring[]Optional

the queries that this scheduled rule utilizes

severitystring · enumRequiredPossible values:
summaryAttributesstring[]Optional

A list of fields in the event to create top 5 summaries for

tagsstring[]Optional

The tags for the scheduled rule

thresholdinteger · int64 · min: 1Optional

the number of events that must match before an alert is triggered

Default: 1
Responses
200
OK response.
application/json
post
POST /scheduled-rules HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 424

{
  "body": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "managed": true,
  "outputIDs": [
    "text"
  ],
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "scheduledQueries": [
    "text"
  ],
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}
{
  "body": "text",
  "createdAt": "text",
  "createdBy": {
    "id": "user",
    "type": "text"
  },
  "createdByExternal": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "lastModified": "text",
  "managed": true,
  "outputIDs": [
    "text"
  ],
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "scheduledQueries": [
    "text"
  ],
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}

get scheduled rule

get
Authorizations
Path parameters
idstringRequired

ID of the rule to fetch

Responses
200
OK response.
application/json
get
GET /scheduled-rules/{id} HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*

{
  "body": "text",
  "createdAt": "text",
  "createdBy": {
    "id": "user",
    "type": "text"
  },
  "createdByExternal": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "lastModified": "text",
  "managed": true,
  "outputIDs": [
    "text"
  ],
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "scheduledQueries": [
    "text"
  ],
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}

put scheduled rule

put

put creates or updates a scheduled rule

Authorizations
Path parameters
idstringRequired

the id of the scheduled rule

Query parameters
run-tests-firstbooleanOptional

set this field to false to exclude running tests prior to saving

Default: true
run-tests-onlybooleanOptional

set this field to true if you want to run tests without saving

Default: false
Body
bodystringRequired

The python body of the scheduled rule

dedupPeriodMinutesinteger · int64 · min: 1Optional

The amount of time in minutes for grouping alerts

Default: 60
descriptionstringOptional

The description of the scheduled rule

displayNamestringOptional

The display name of the scheduled rule

enabledbooleanOptional

Determines whether or not the scheduled rule is active

idstringRequired

The id of the scheduled rule

managedbooleanOptional

Determines if the scheduled rule is managed by panther

outputIDsstring[]Optional

Destination IDs that override default alert routing based on severity

runbookstringOptional

How to handle the generated alert

scheduledQueriesstring[]Optional

the queries that this scheduled rule utilizes

severitystring · enumRequiredPossible values:
summaryAttributesstring[]Optional

A list of fields in the event to create top 5 summaries for

tagsstring[]Optional

The tags for the scheduled rule

thresholdinteger · int64 · min: 1Optional

the number of events that must match before an alert is triggered

Default: 1
Responses
200
200 returned if the item already existed
application/json
put
PUT /scheduled-rules/{id} HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 424

{
  "body": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "managed": true,
  "outputIDs": [
    "text"
  ],
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "scheduledQueries": [
    "text"
  ],
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}
{
  "body": "text",
  "createdAt": "text",
  "createdBy": {
    "id": "user",
    "type": "text"
  },
  "createdByExternal": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "lastModified": "text",
  "managed": true,
  "outputIDs": [
    "text"
  ],
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "scheduledQueries": [
    "text"
  ],
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}

delete scheduled rule

delete
Authorizations
Path parameters
idstringRequired

ID of the rule to delete

Responses
204
No Content response.
delete
DELETE /scheduled-rules/{id} HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*

No content

list scheduled rules

get
Authorizations
Query parameters
cursorstringOptional

the pagination token

limitinteger · int64Optional

the maximum results to return

Default: 100
name-containsstringOptional

Substring search by name (case-insensitive)

statestring · enumOptional

Only include rules in the given state

Possible values:
scheduled-querystring[]Optional

Only include rules which apply to one of these scheduled queries

tagstring[]Optional

Only include rules with one of the given tags (case-insensitive)

created-bystringOptional

Only include rules whose creator matches this user ID or actor ID

last-modified-bystringOptional

Only include rules last modified by this user ID or actor ID

Responses
200
OK response.
application/json
get
GET /scheduled-rules HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*
200

OK response.

{
  "next": "text",
  "results": [
    {
      "body": "text",
      "createdAt": "text",
      "createdBy": {
        "id": "user",
        "type": "text"
      },
      "createdByExternal": "text",
      "dedupPeriodMinutes": 60,
      "description": "text",
      "displayName": "text",
      "enabled": true,
      "id": "text",
      "lastModified": "text",
      "managed": true,
      "outputIDs": [
        "text"
      ],
      "reports": {
        "ANY_ADDITIONAL_PROPERTY": [
          "text"
        ]
      },
      "runbook": "text",
      "scheduledQueries": [
        "text"
      ],
      "severity": "INFO",
      "summaryAttributes": [
        "text"
      ],
      "tags": [
        "text"
      ],
      "tests": [
        {
          "expectedResult": true,
          "mocks": [
            {
              "ANY_ADDITIONAL_PROPERTY": "text"
            }
          ],
          "name": "text",
          "resource": "text"
        }
      ],
      "threshold": 1
    }
  ]
}
PreviousRulesNextSimple Rules

Last updated

Was this helpful?