Simple Rules

REST API operations for Simple/YAML Rules

Overview

The /simple-rules REST API operations are in open beta starting with Panther version 1.98, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.

Use these API operations to interact with rules created as Simple Detections in the CLI workflow or in the Panther Console's Simple Detection Builder.

The simple rule API entity is only applicable to rules that are Simple Detections. To interact with rules created in Python, see Rules.

To call the API, see the How to use the Panther REST API instructions—including directions for how to invoke it directly from this documentation page.

Required permissions

For GET operations, your API token must have the View Rules permission.
For POST, PUT, and DELETE operations, your API token must have the Manage Rules permission.

Operations

create simple rule

POSThttps://your-api-host/simple-rules

Query parameters

Body

alertContextstring

The alert context represented in YAML

alertTitlestring

The alert title represented in YAML

dedupPeriodMinutesinteger

The amount of time in minutes for grouping alerts

descriptionstring

The description of the rule

detection*string

The yaml representation of the rule

displayNamestring

The display name of the rule

dynamicSeveritiesstring

The dynamic severity represented in YAML

enabledboolean

Determines whether or not the rule is active

groupBystring

The key on an event to group by represented in YAML

id*string

The id of the rule

inlineFiltersstring

The filter for the rule represented in YAML

logTypesarray of string

log types

managedboolean

Determines if the simple rule is managed by panther

pythonBodystring

The python body of the rule

reportsobject

reports

runbookstring

How to handle the generated alert

severity*enum

INFOLOWMEDIUMHIGHCRITICAL

summaryAttributesarray of string

A list of fields in the event to create top 5 summaries for

tagsarray of string

The tags for the simple rule

testsarray of SimpleRuleAPI.UnitTest (object)

Unit tests for the Rule. Best practice is to include a positive and negative case

thresholdinteger

the number of events that must match before an alert is triggered

Response

OK response.

Body

SimpleRuleAPI.SimpleRulecreateResponseBody (any)

Request

Response

get a simple rule

GEThttps://your-api-host/simple-rules/{id}

Path parameters

id*string

ID of the rule to fetch

Query parameters

Response

OK response.

Body

alertContextstring

The alert context represented in YAML

alertTitlestring

The alert title represented in YAML

createdAtstring

dedupPeriodMinutesinteger

The amount of time in minutes for grouping alerts

descriptionstring

The description of the rule

detectionstring

The yaml representation of the rule

displayNamestring

The display name of the rule

dynamicSeveritiesstring

The dynamic severity represented in YAML

enabledboolean

Determines whether or not the rule is active

groupBystring

The key on an event to group by represented in YAML

idstring

The id of the rule

inlineFiltersstring

The filter for the rule represented in YAML

lastModifiedstring

logTypesarray of string

log types

managedboolean

Determines if the simple rule is managed by panther

pythonBodystring

The python body of the rule

reportsobject

reports

runbookstring

How to handle the generated alert

severityenum

INFOLOWMEDIUMHIGHCRITICAL

summaryAttributesarray of string

A list of fields in the event to create top 5 summaries for

tagsarray of string

The tags for the simple rule

testsarray of SimpleRuleAPI.UnitTest (object)

Unit tests for the Rule. Best practice is to include a positive and negative case

thresholdinteger

the number of events that must match before an alert is triggered

Request

Response

put simple rule

put creates or updates a rule

PUThttps://your-api-host/simple-rules/{id}

Path parameters

id*string

the id of the rule

Query parameters

Body

alertContextstring

The alert context represented in YAML

alertTitlestring

The alert title represented in YAML

dedupPeriodMinutesinteger

The amount of time in minutes for grouping alerts

descriptionstring

The description of the rule

detection*string

The yaml representation of the rule

displayNamestring

The display name of the rule

dynamicSeveritiesstring

The dynamic severity represented in YAML

enabledboolean

Determines whether or not the rule is active

groupBystring

The key on an event to group by represented in YAML

id*string

The id of the rule

inlineFiltersstring

The filter for the rule represented in YAML

logTypesarray of string

log types

managedboolean

Determines if the simple rule is managed by panther

pythonBodystring

The python body of the rule

reportsobject

reports

runbookstring

How to handle the generated alert

severity*enum

INFOLOWMEDIUMHIGHCRITICAL

summaryAttributesarray of string

A list of fields in the event to create top 5 summaries for

tagsarray of string

The tags for the simple rule

testsarray of SimpleRuleAPI.UnitTest (object)

Unit tests for the Rule. Best practice is to include a positive and negative case

thresholdinteger

the number of events that must match before an alert is triggered

Response

200 returned if the item already existed

Body

SimpleRuleAPI.SimpleRulecreateResponseBody (any)

Request

Response

delete simple rule

DELETEhttps://your-api-host/simple-rules/{id}

Path parameters

id*string

ID of the simple rule to delete

Response

No Content response.

Request

Response

list simple rules

GEThttps://your-api-host/simple-rules

Query parameters

Response

OK response.

Body

nextstring

pagination token for the next page of results

resultsarray of SimpleRuleAPI.SimpleRulecreateResponseBody (any)

Request

Response

PreviousScheduled Rules NextPolicies

Last updated 6 months ago