Rules
REST API operations for rules
Overview
Use these API operations to interact with rules in Panther.
The rules API entity is only applicable to Python rules. To interact with rules created as Simple/YAML rules, see Simple Rules.
To call the API, see the How to use the Panther REST API instructions—including directions for how to invoke it directly from this documentation page.
Required permissions
For GET operations, your API token must have the View Rules permission.
For POST, PUT, and DELETE operations, your API token must have the Manage Rules permission.
Operations
Create a rule: POST /rules

Query parameters:
  (default: true) Set this field to false to skip running tests prior to saving.
  (default: false) Set this field to true if you want to run tests without saving.

Request body fields:
  body: The Python body of the rule
  dedupPeriodMinutes (default: 60): The amount of time in minutes for grouping alerts
  description: The description of the rule
  displayName: The display name of the rule
  enabled: Determines whether or not the rule is active
  id: The id of the rule
  inlineFilters: The filter for the rule, represented in YAML
  logTypes: The log types
  managed: Determines if the rule is managed by Panther
  runbook: How to handle the generated alert
  summaryAttributes: A list of fields in the event to create top 5 summaries for
  tags: The tags for the rule
  threshold (default: 1): The number of events that must match before an alert is triggered

Responses:
  OK response.
  No Content response.
  bad_request: Bad Request response.
  exists: Conflict response.

Example request:
POST /rules HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 418
{
"body": "text",
"dedupPeriodMinutes": 60,
"description": "text",
"displayName": "text",
"enabled": true,
"id": "text",
"inlineFilters": "text",
"logTypes": [
"text"
],
"managed": true,
"reports": {
"ANY_ADDITIONAL_PROPERTY": [
"text"
]
},
"runbook": "text",
"severity": "INFO",
"summaryAttributes": [
"text"
],
"tags": [
"text"
],
"tests": [
{
"expectedResult": true,
"mocks": [
{
"ANY_ADDITIONAL_PROPERTY": "text"
}
],
"name": "text",
"resource": "text"
}
],
"threshold": 1
}

Example response:
{
"body": "text",
"createdAt": "text",
"dedupPeriodMinutes": 60,
"description": "text",
"displayName": "text",
"enabled": true,
"id": "text",
"inlineFilters": "text",
"lastModified": "text",
"logTypes": [
"text"
],
"managed": true,
"reports": {
"ANY_ADDITIONAL_PROPERTY": [
"text"
]
},
"runbook": "text",
"severity": "INFO",
"summaryAttributes": [
"text"
],
"tags": [
"text"
],
"tests": [
{
"expectedResult": true,
"mocks": [
{
"ANY_ADDITIONAL_PROPERTY": "text"
}
],
"name": "text",
"resource": "text"
}
],
"threshold": 1
}

Get a rule: GET /rules/{id}

Path parameters:
  id: ID of the rule to fetch

Responses:
  OK response.
  not_found: Not Found response.

Example request:
GET /rules/{id} HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*

Example response:
{
"body": "text",
"createdAt": "text",
"dedupPeriodMinutes": 60,
"description": "text",
"displayName": "text",
"enabled": true,
"id": "text",
"inlineFilters": "text",
"lastModified": "text",
"logTypes": [
"text"
],
"managed": true,
"reports": {
"ANY_ADDITIONAL_PROPERTY": [
"text"
]
},
"runbook": "text",
"severity": "INFO",
"summaryAttributes": [
"text"
],
"tags": [
"text"
],
"tests": [
{
"expectedResult": true,
"mocks": [
{
"ANY_ADDITIONAL_PROPERTY": "text"
}
],
"name": "text",
"resource": "text"
}
],
"threshold": 1
}

Create or update a rule: PUT /rules/{id}

PUT creates or updates a rule.

Path parameters:
  id: The id of the rule

Query parameters:
  (default: true) Set this field to false to skip running tests prior to saving.
  (default: false) Set this field to true if you want to run tests without saving.

Request body fields:
  body: The Python body of the rule
  dedupPeriodMinutes (default: 60): The amount of time in minutes for grouping alerts
  description: The description of the rule
  displayName: The display name of the rule
  enabled: Determines whether or not the rule is active
  id: The id of the rule
  inlineFilters: The filter for the rule, represented in YAML
  logTypes: The log types
  managed: Determines if the rule is managed by Panther
  runbook: How to handle the generated alert
  summaryAttributes: A list of fields in the event to create top 5 summaries for
  tags: The tags for the rule
  threshold (default: 1): The number of events that must match before an alert is triggered

Responses:
  200 returned if the item already existed
  201 returned if the item was created
  No Content response.
  bad_request: Bad Request response.

Example request:
PUT /rules/{id} HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 418
{
"body": "text",
"dedupPeriodMinutes": 60,
"description": "text",
"displayName": "text",
"enabled": true,
"id": "text",
"inlineFilters": "text",
"logTypes": [
"text"
],
"managed": true,
"reports": {
"ANY_ADDITIONAL_PROPERTY": [
"text"
]
},
"runbook": "text",
"severity": "INFO",
"summaryAttributes": [
"text"
],
"tags": [
"text"
],
"tests": [
{
"expectedResult": true,
"mocks": [
{
"ANY_ADDITIONAL_PROPERTY": "text"
}
],
"name": "text",
"resource": "text"
}
],
"threshold": 1
}

Example response:
{
"body": "text",
"createdAt": "text",
"dedupPeriodMinutes": 60,
"description": "text",
"displayName": "text",
"enabled": true,
"id": "text",
"inlineFilters": "text",
"lastModified": "text",
"logTypes": [
"text"
],
"managed": true,
"reports": {
"ANY_ADDITIONAL_PROPERTY": [
"text"
]
},
"runbook": "text",
"severity": "INFO",
"summaryAttributes": [
"text"
],
"tags": [
"text"
],
"tests": [
{
"expectedResult": true,
"mocks": [
{
"ANY_ADDITIONAL_PROPERTY": "text"
}
],
"name": "text",
"resource": "text"
}
],
"threshold": 1
}

Delete a rule: DELETE /rules/{id}

Path parameters:
  id: ID of the rule to delete

Responses:
  No Content response.
  bad_request: Bad Request response.
  not_found: Not Found response.

Example request:
DELETE /rules/{id} HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*

Example response: no content.

List rules: GET /rules

Query parameters:
  The pagination token
  The maximum results to return (default: 100)

Responses:
  OK response.

Example request:
GET /rules HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*

Example response (OK):
{
"next": "text",
"results": [
{
"body": "text",
"createdAt": "text",
"dedupPeriodMinutes": 60,
"description": "text",
"displayName": "text",
"enabled": true,
"id": "text",
"inlineFilters": "text",
"lastModified": "text",
"logTypes": [
"text"
],
"managed": true,
"reports": {
"ANY_ADDITIONAL_PROPERTY": [
"text"
]
},
"runbook": "text",
"severity": "INFO",
"summaryAttributes": [
"text"
],
"tags": [
"text"
],
"tests": [
{
"expectedResult": true,
"mocks": [
{
"ANY_ADDITIONAL_PROPERTY": "text"
}
],
"name": "text",
"resource": "text"
}
],
"threshold": 1
}
]
}
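An added example, not from Panther's documentation or any Panther SDK: a small Python helper that assembles the request body for POST /rules or PUT /rules/{id} using the fields listed above (with the defaults the page gives for dedupPeriodMinutes and threshold) and walks GET /rules by following the next token in each response. The HTTP transport is a constructed fake so the code runs offline; the query parameter names "cursor" and "limit", the log type value, and the check that the body defines rule(event) are assumptions not stated on this page.

```python
import json
from typing import Callable, Dict, List, Optional

# The page does not name the pagination query parameters; "cursor" (the token)
# and "limit" (maximum results) are assumed placeholders.
RULES_PATH = "/rules"

def api_headers(api_key: str) -> Dict[str, str]:
    """Headers the page's examples send; the token travels in X-API-Key."""
    return {"X-API-Key": api_key, "Content-Type": "application/json", "Accept": "*/*"}

def build_rule_payload(rule_id: str, body: str, log_types: List[str], severity: str = "INFO",
                       dedup_minutes: int = 60, threshold: int = 1,
                       tests: Optional[List[Dict]] = None) -> Dict:
    """Assemble the JSON document sent to POST /rules or PUT /rules/{id}."""
    # Panther Python rules expose a rule(event) function (assumed convention, not on the page).
    if "def rule(event)" not in body:
        raise ValueError("rule body must define rule(event)")
    if not log_types:
        raise ValueError("logTypes must not be empty")
    if dedup_minutes < 1 or threshold < 1:
        raise ValueError("dedupPeriodMinutes and threshold must be >= 1")
    for test in tests or []:
        # Each test on the page carries a name, a resource (sample event) and an expectedResult.
        if not {"name", "resource", "expectedResult"} <= set(test):
            raise ValueError("test %r is missing a required key" % test.get("name"))
    return {"id": rule_id, "body": body, "logTypes": list(log_types), "severity": severity,
            "enabled": True, "dedupPeriodMinutes": dedup_minutes, "threshold": threshold,
            "tests": tests or []}

def list_all_rules(get: Callable[[str, Dict], Dict], page_size: int = 100) -> List[Dict]:
    """Walk GET /rules, requesting the next page until the API returns an empty next token."""
    results, token, seen = [], None, set()
    while True:
        params = {"limit": page_size} if token is None else {"limit": page_size, "cursor": token}
        page = get(RULES_PATH, params)
        results.extend(page.get("results", []))
        token = page.get("next") or None
        if token is None:
            return results
        if token in seen:  # stop if the server keeps handing back the same token
            raise RuntimeError("pagination token repeated: %s" % token)
        seen.add(token)

# Constructed sample pages standing in for live API responses (not real output).
_PAGES = {None: {"next": "page-2", "results": [{"id": "Custom.One", "enabled": True}]},
          "page-2": {"next": "", "results": [{"id": "Custom.Two", "enabled": False}]}}

def fake_get(path: str, params: Dict) -> Dict:
    return _PAGES[params.get("cursor")]

if __name__ == "__main__":
    payload = build_rule_payload("Custom.Example", "def rule(event):\n    return event.get('x') == 1",
                                 ["AWS.CloudTrail"], tests=[{"name": "t", "resource": "{}", "expectedResult": True}])
    print(json.dumps(payload, indent=2), api_headers("YOUR_API_KEY"))
    print([r["id"] for r in list_all_rules(fake_get, page_size=1)])
```

Swap fake_get for a function that performs the real GET with api_headers() to page through a live deployment.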