Simple Rules
REST API operations for Simple/YAML Rules
The /simple-rules REST API operations are in open beta starting with Panther version 1.98, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.
Use these API operations to interact with rules created as Simple Detections in the CLI workflow or in the Panther Console's Simple Detection Builder.
The simple rule API entity is only applicable to rules that are Simple Detections. To interact with rules created in Python, see Rules.
To call the API, see the How to use the Panther REST API instructions—including directions for how to invoke it directly from this documentation page.
For GET operations, your API token must have the View Rules permission.
For POST, PUT, and DELETE operations, your API token must have the Manage Rules permission.
The pagination token
The maximum number of results to return
Determines whether the generated Python for the rule is returned
Set this field to false to skip running tests prior to saving
Set this field to true to run tests without saving
The alert context represented in YAML
The alert title represented in YAML
The amount of time in minutes for grouping alerts
The description of the rule
The yaml representation of the rule
The display name of the rule
The dynamic severity represented in YAML
Determines whether or not the rule is active
The key on an event to group by represented in YAML
The id of the rule
The filter for the rule represented in YAML
log types
Determines whether the simple rule is managed by Panther
The Python body of the rule
reports
How to handle the generated alert: INFO, LOW, MEDIUM, HIGH, or CRITICAL
A list of fields in the event to create top 5 summaries for
The tags for the simple rule
Unit tests for the rule. Best practice is to include a positive and a negative case
The number of events that must match before an alert is triggered
PUT creates or updates a rule
The id of the rule
Set this field to false to skip running tests prior to saving
Set this field to true to run tests without saving
The alert context represented in YAML
The alert title represented in YAML
The amount of time in minutes for grouping alerts
The description of the rule
The yaml representation of the rule
The display name of the rule
The dynamic severity represented in YAML
Determines whether or not the rule is active
The key on an event to group by represented in YAML
The id of the rule
The filter for the rule represented in YAML
log types
Determines whether the simple rule is managed by Panther
The Python body of the rule
reports
How to handle the generated alert: INFO, LOW, MEDIUM, HIGH, or CRITICAL
A list of fields in the event to create top 5 summaries for
The tags for the simple rule
Unit tests for the rule. Best practice is to include a positive and a negative case
The number of events that must match before an alert is triggered
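The test-before-save workflow the two test flags above make possible, as an added example that is not Panther's own client code: the rule is first submitted with the "run tests without saving" flag, and the real PUT is sent only if every unit test passed and the rule carries both a positive and a negative case. The request path, the flag names runTestsOnly and runTestsFirst, the field names id, tests, name, expectedResult and resource, the testResults response shape, and the X-API-Key header are all assumptions to check against the live reference; the fake transport and sample rule are constructed so the code runs offline.

```python
import json
import urllib.request


def http_transport(base_url, api_token):
    """Live transport (assumed X-API-Key auth header); returns send(method, path, body) -> JSON."""
    def send(method, path, body):
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=json.dumps(body).encode(), method=method,
            headers={"Content-Type": "application/json", "X-API-Key": api_token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def has_positive_and_negative_tests(rule):
    """Page best practice: one test expecting a match and one expecting no match."""
    return {True, False} <= {t.get("expectedResult") for t in rule.get("tests", [])}


def upsert_simple_rule(rule, send):
    """Dry-run the unit tests (assumed flag runTestsOnly), then PUT the rule only if all passed.
    Both calls need a token with the Manage Rules permission; View Rules alone is not enough."""
    if not has_positive_and_negative_tests(rule):
        return {"saved": False, "failed_tests": [], "reason": "need a positive and a negative test"}
    path = "/simple-rules/" + rule["id"]  # assumed: PUT addresses the rule by id in the path
    dry = send("PUT", path, {**rule, "runTestsOnly": True})
    # assumed response shape: {"testResults": [{"name": str, "passed": bool}, ...]}
    failed = [t["name"] for t in dry.get("testResults", []) if not t.get("passed")]
    if failed:
        return {"saved": False, "failed_tests": failed, "reason": "unit tests failed"}
    send("PUT", path, {**rule, "runTestsFirst": True})  # assumed flag: run tests again before saving
    return {"saved": True, "failed_tests": [], "reason": ""}


def fake_transport(negative_test_passes):
    """Constructed offline stand-in that records every call and scripts the test results."""
    calls = []
    def send(method, path, body):
        calls.append((method, path, bool(body.get("runTestsOnly"))))
        if body.get("runTestsOnly"):
            return {"testResults": [{"name": "matches", "passed": True},
                                    {"name": "no_match", "passed": negative_test_passes}]}
        return {"id": body["id"]}
    send.calls = calls
    return send


SAMPLE_RULE = {  # constructed sample; key names are assumed request-body field names
    "id": "Custom.Sample.RootLogin", "enabled": True, "severity": "HIGH",
    "tests": [{"name": "matches", "expectedResult": True, "resource": {"user": "root"}},
              {"name": "no_match", "expectedResult": False, "resource": {"user": "alice"}}],
}
```

Swap fake_transport for http_transport(base_url, token) to run against a real deployment; the dry-run call is the only one that ever reaches the API when a test fails.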