Scheduled Rules

REST API operations for Scheduled Rules

Overview

The /scheduled-rules REST API operations are in open beta starting with Panther version 1.98, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.

Use these API operations to interact with Scheduled Rules in Panther.

To call the API, see the How to use the Panther REST API instructions—including directions for how to invoke it directly from this documentation page.

Required permissions

For GET operations, your API token must have the View Rules permission.
For POST, PUT, and DELETE operations, your API token must have the Manage Rules permission.

Operations

create scheduled rule

POSThttps://your-api-host/scheduled-rules

Query parameters

Body

body*string

The python body of the scheduled rule

dedupPeriodMinutesinteger

The amount of time in minutes for grouping alerts

descriptionstring

The description of the scheduled rule

displayNamestring

The display name of the scheduled rule

enabledboolean

Determines whether or not the scheduled rule is active

id*string

The id of the scheduled rule

managedboolean

Determines if the scheduled rule is managed by panther

reportsobject

reports

runbookstring

How to handle the generated alert

scheduledQueriesarray of string

the queries that this scheduled rule utilizes

severity*enum

INFOLOWMEDIUMHIGHCRITICAL

summaryAttributesarray of string

A list of fields in the event to create top 5 summaries for

tagsarray of string

The tags for the scheduled rule

testsarray of ScheduledRuleAPI.UnitTest (object)

Unit tests for the Rule. Best practice is to include a positive and negative case

thresholdinteger

the number of events that must match before an alert is triggered

Response

OK response.

Body

ScheduledRuleAPI.ScheduledRulecreateResponseBody (any)

Request

Response

get scheduled rule

GEThttps://your-api-host/scheduled-rules/{id}

Path parameters

id*string

ID of the rule to fetch

Response

OK response.

Body

bodystring

The python body of the scheduled rule

createdAtstring

dedupPeriodMinutesinteger

The amount of time in minutes for grouping alerts

descriptionstring

The description of the scheduled rule

displayNamestring

The display name of the scheduled rule

enabledboolean

Determines whether or not the scheduled rule is active

idstring

The id of the scheduled rule

lastModifiedstring

managedboolean

Determines if the scheduled rule is managed by panther

reportsobject

reports

runbookstring

How to handle the generated alert

scheduledQueriesarray of string

the queries that this scheduled rule utilizes

severityenum

INFOLOWMEDIUMHIGHCRITICAL

summaryAttributesarray of string

A list of fields in the event to create top 5 summaries for

tagsarray of string

The tags for the scheduled rule

testsarray of ScheduledRuleAPI.UnitTest (object)

Unit tests for the Rule. Best practice is to include a positive and negative case

thresholdinteger

the number of events that must match before an alert is triggered

Request

Response

put scheduled rule

put creates or updates a scheduled rule

PUThttps://your-api-host/scheduled-rules/{id}

Path parameters

id*string

the id of the scheduled rule

Query parameters

Body

body*string

The python body of the scheduled rule

dedupPeriodMinutesinteger

The amount of time in minutes for grouping alerts

descriptionstring

The description of the scheduled rule

displayNamestring

The display name of the scheduled rule

enabledboolean

Determines whether or not the scheduled rule is active

id*string

The id of the scheduled rule

managedboolean

Determines if the scheduled rule is managed by panther

reportsobject

reports

runbookstring

How to handle the generated alert

scheduledQueriesarray of string

the queries that this scheduled rule utilizes

severity*enum

INFOLOWMEDIUMHIGHCRITICAL

summaryAttributesarray of string

A list of fields in the event to create top 5 summaries for

tagsarray of string

The tags for the scheduled rule

testsarray of ScheduledRuleAPI.UnitTest (object)

Unit tests for the Rule. Best practice is to include a positive and negative case

thresholdinteger

the number of events that must match before an alert is triggered

Response

200 returned if the item already existed

Body

ScheduledRuleAPI.ScheduledRulecreateResponseBody (any)

Request

Response

delete scheduled rule

DELETEhttps://your-api-host/scheduled-rules/{id}

Path parameters

id*string

ID of the rule to delete

Response

No Content response.

Request

const response = await fetch('https://your-api-host/scheduled-rules/{id}', {
    method: 'DELETE',
    headers: {},
});
const data = await response.json();

Response

{
  "message": "text",
  "testResults": [
    {
      "error": {
        "code": "text",
        "message": "text"
      },
      "errored": false,
      "functions": {
        "alertContext": {
          "error": {
            "code": "text",
            "message": "text"
          },
          "output": "text"
        },
        "dedup": {
          "error": {
            "code": "text",
            "message": "text"
          },
          "output": "text"
        },
        "description": {
          "error": {
            "code": "text",
            "message": "text"
          },
          "output": "text"
        },
        "destinations": {
          "error": {
            "code": "text",
            "message": "text"
          },
          "output": "text"
        },
        "detection": {
          "error": {
            "code": "text",
            "message": "text"
          },
          "output": "text"
        },
        "reference": {
          "error": {
            "code": "text",
            "message": "text"
          },
          "output": "text"
        },
        "runbook": {
          "error": {
            "code": "text",
            "message": "text"
          },
          "output": "text"
        },
        "severity": {
          "error": {
            "code": "text",
            "message": "text"
          },
          "output": "text"
        },
        "title": {
          "error": {
            "code": "text",
            "message": "text"
          },
          "output": "text"
        }
      },
      "name": "text",
      "passed": false,
      "triggerAlert": false
    }
  ]
}

list scheduled rules

GEThttps://your-api-host/scheduled-rules

Query parameters

Response

OK response.

Body

nextstring

pagination token for the next page of results

resultsarray of ScheduledRuleAPI.ScheduledRulecreateResponseBody (any)

Request

Response

PreviousRules NextSimple Rules

Last updated 6 months ago

{ "message": "text", "testResults": [ { "error": { "code": "text", "message": "text" }, "errored": false, "functions": { "alertContext": { "error": { "code": "text", "message": "text" }, "output": "text" }, "dedup": { "error": { "code": "text", "message": "text" }, "output": "text" }, "description": { "error": { "code": "text", "message": "text" }, "output": "text" }, "destinations": { "error": { "code": "text", "message": "text" }, "output": "text" }, "detection": { "error": { "code": "text", "message": "text" }, "output": "text" }, "reference": { "error": { "code": "text", "message": "text" }, "output": "text" }, "runbook": { "error": { "code": "text", "message": "text" }, "output": "text" }, "severity": { "error": { "code": "text", "message": "text" }, "output": "text" }, "title": { "error": { "code": "text", "message": "text" }, "output": "text" } }, "name": "text", "passed": false, "triggerAlert": false } ] }