Knowledge Base Community Release Notes Request Demo

Scheduled Rules

REST API operations for Scheduled Rules

Overview

The /scheduled-rules REST API operations are in open beta starting with Panther version 1.98, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.

Use these API operations to interact with Scheduled Rules in Panther.

To call the API, see the How to use the Panther REST API instructions—including directions for how to invoke it directly from this documentation page.

Required permissions

For GET operations, your API token must have the View Rules permission.
For POST, PUT, and DELETE operations, your API token must have the Manage Rules permission.

Operations

PreviousRules NextSimple Rules

Last updated 9 months ago

Was this helpful?

create scheduled rule

post

/scheduled-rules

Authorizations

Query parameters

run-tests-firstboolean · default: true

set this field to false to exclude running tests prior to saving

run-tests-onlyboolean

set this field to true if you want to run tests without saving

Body

bodystringrequired

The python body of the scheduled rule

dedupPeriodMinutesinteger · min: 1 · default: 60

The amount of time in minutes for grouping alerts

descriptionstring

The description of the scheduled rule

displayNamestring

The display name of the scheduled rule

enabledboolean

Determines whether or not the scheduled rule is active

idstringrequired

The id of the scheduled rule

managedboolean

Determines if the scheduled rule is managed by panther

runbookstring

How to handle the generated alert

thresholdinteger · min: 1 · default: 1

the number of events that must match before an alert is triggered

severitystring · enumrequired

Options: INFO, LOW, MEDIUM, HIGH, CRITICAL

scheduledQueriesstring[]

the queries that this scheduled rule utilizes

summaryAttributesstring[]

A list of fields in the event to create top 5 summaries for

tagsstring[]

The tags for the scheduled rule

testsobject[]

Unit tests for the Rule. Best practice is to include a positive and negative case

reportsobject

reports

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --request POST \
  --url 'https://your-api-host/scheduled-rules' \
  --header 'X-API-Key: YOUR_API_KEY' \
  --header 'Content-Type: application/json' \
  --data '{"body":"text","dedupPeriodMinutes":60,"id":"text","threshold":1,"severity":"INFO","scheduledQueries":[null],"summaryAttributes":[null],"tags":[null],"tests":[{"expectedResult":true,"name":"text","resource":"text","mocks":[{}]}],"reports":{"ANY_ADDITIONAL_PROPERTY":[null]}}'

200

204

400

409

{
  "body": "text",
  "createdAt": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "lastModified": "text",
  "managed": true,
  "runbook": "text",
  "threshold": 1,
  "severity": "INFO",
  "scheduledQueries": [
    "text"
  ],
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "name": "text",
      "resource": "text",
      "mocks": [
        {}
      ]
    }
  ],
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  }
}

OK response.

get scheduled rule

get

/scheduled-rules/{id}

Authorizations

Path parameters

idstringrequired

ID of the rule to fetch

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --url 'https://your-api-host/scheduled-rules/{id}' \
  --header 'X-API-Key: YOUR_API_KEY'

200

404

{
  "body": "text",
  "createdAt": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "lastModified": "text",
  "managed": true,
  "runbook": "text",
  "threshold": 1,
  "severity": "INFO",
  "scheduledQueries": [
    "text"
  ],
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "name": "text",
      "resource": "text",
      "mocks": [
        {}
      ]
    }
  ],
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  }
}

OK response.

put scheduled rule

put creates or updates a scheduled rule

put

/scheduled-rules/{id}

Authorizations

Path parameters

idstringrequired

the id of the scheduled rule

Query parameters

run-tests-firstboolean · default: true

set this field to false to exclude running tests prior to saving

run-tests-onlyboolean

set this field to true if you want to run tests without saving

Body

bodystringrequired

The python body of the scheduled rule

dedupPeriodMinutesinteger · min: 1 · default: 60

The amount of time in minutes for grouping alerts

descriptionstring

The description of the scheduled rule

displayNamestring

The display name of the scheduled rule

enabledboolean

Determines whether or not the scheduled rule is active

idstringrequired

The id of the scheduled rule

managedboolean

Determines if the scheduled rule is managed by panther

runbookstring

How to handle the generated alert

thresholdinteger · min: 1 · default: 1

the number of events that must match before an alert is triggered

severitystring · enumrequired

Options: INFO, LOW, MEDIUM, HIGH, CRITICAL

scheduledQueriesstring[]

the queries that this scheduled rule utilizes

summaryAttributesstring[]

A list of fields in the event to create top 5 summaries for

tagsstring[]

The tags for the scheduled rule

testsobject[]

Unit tests for the Rule. Best practice is to include a positive and negative case

reportsobject

reports

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --request PUT \
  --url 'https://your-api-host/scheduled-rules/{id}' \
  --header 'X-API-Key: YOUR_API_KEY' \
  --header 'Content-Type: application/json' \
  --data '{"body":"text","dedupPeriodMinutes":60,"id":"text","threshold":1,"severity":"INFO","scheduledQueries":[null],"summaryAttributes":[null],"tags":[null],"tests":[{"expectedResult":true,"name":"text","resource":"text","mocks":[{}]}],"reports":{"ANY_ADDITIONAL_PROPERTY":[null]}}'

200

201

204

400

{
  "body": "text",
  "createdAt": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "lastModified": "text",
  "managed": true,
  "runbook": "text",
  "threshold": 1,
  "severity": "INFO",
  "scheduledQueries": [
    "text"
  ],
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "name": "text",
      "resource": "text",
      "mocks": [
        {}
      ]
    }
  ],
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  }
}

200 returned if the item already existed

list scheduled rules

get

/scheduled-rules

Authorizations

Query parameters

cursorstring

the pagination token

limitinteger · int64 · default: 100

the maximum results to return

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --url 'https://your-api-host/scheduled-rules' \
  --header 'X-API-Key: YOUR_API_KEY'

200

{
  "next": "text",
  "results": [
    {
      "body": "text",
      "createdAt": "text",
      "dedupPeriodMinutes": 60,
      "description": "text",
      "displayName": "text",
      "enabled": true,
      "id": "text",
      "lastModified": "text",
      "managed": true,
      "runbook": "text",
      "threshold": 1,
      "severity": "INFO",
      "scheduledQueries": [
        "text"
      ],
      "summaryAttributes": [
        "text"
      ],
      "tags": [
        "text"
      ],
      "tests": [
        {
          "expectedResult": true,
          "name": "text",
          "resource": "text",
          "mocks": [
            {}
          ]
        }
      ],
      "reports": {
        "ANY_ADDITIONAL_PROPERTY": [
          "text"
        ]
      }
    }
  ]
}

OK response.

delete scheduled rule

delete

/scheduled-rules/{id}

Authorizations

Path parameters

idstringrequired

ID of the rule to delete

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --request DELETE \
  --url 'https://your-api-host/scheduled-rules/{id}' \
  --header 'X-API-Key: YOUR_API_KEY'

204

400

404

No body

No Content response.