Rules

REST API operations for rules

Overview

The /rules REST API operations are in open beta starting with Panther version 1.98, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.

Use these API operations to interact with rules in Panther.

The rules API entity is only applicable to Python rules. To interact with rules created as Simple/YAML rules, see Simple Rules.

To call the API, see the How to use the Panther REST API instructions—including directions for how to invoke it directly from this documentation page.

Required permissions

  • For GET operations, your API token must have the View Rules permission.

  • For POST, PUT, and DELETE operations, your API token must have the Manage Rules permission.

Operations

create rule

post
Authorizations
Query parameters
run-tests-first (boolean, optional)

Set this field to false to skip running tests before saving.

Default: true

run-tests-only (boolean, optional)

Set this field to true to run tests without saving.

Default: false

Body

body (string, required)

The Python body of the rule.

dedupPeriodMinutes (integer · int64 · min: 1, optional)

The amount of time in minutes for grouping alerts.

Default: 60

description (string, optional)

The description of the rule.

displayName (string, optional)

The display name of the rule.

enabled (boolean, optional)

Determines whether or not the rule is active.

id (string, required)

The ID of the rule.

inlineFilters (string, optional)

The filter for the rule, represented in YAML.

logTypes (string[], optional)

The log types.

managed (boolean, optional)

Determines if the rule is managed by Panther.

runbook (string, optional)

How to handle the generated alert.

severity (string · enum, required)

Possible values:

summaryAttributes (string[], optional)

A list of fields in the event to create top-5 summaries for.

tags (string[], optional)

The tags for the rule.

threshold (integer · int64 · min: 1, optional)

The number of events that must match before an alert is triggered.

Default: 1
Responses
200
OK response.
application/json
post
POST /rules HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 418

{
  "body": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "inlineFilters": "text",
  "logTypes": [
    "text"
  ],
  "managed": true,
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}

Response body (200 OK):

{
  "body": "text",
  "createdAt": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "inlineFilters": "text",
  "lastModified": "text",
  "logTypes": [
    "text"
  ],
  "managed": true,
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}

get rule

get
Authorizations
Path parameters
id (string, required)

ID of the rule to fetch.

Responses
200
OK response.
application/json
get
GET /rules/{id} HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*

Response body (200 OK):

{
  "body": "text",
  "createdAt": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "inlineFilters": "text",
  "lastModified": "text",
  "logTypes": [
    "text"
  ],
  "managed": true,
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}

put rule

put

PUT creates the rule if it does not exist, or updates it if it does.

Authorizations
Path parameters
id (string, required)

The ID of the rule.

Query parameters
run-tests-first (boolean, optional)

Set this field to false to skip running tests before saving.

Default: true

run-tests-only (boolean, optional)

Set this field to true to run tests without saving.

Default: false

Body

body (string, required)

The Python body of the rule.

dedupPeriodMinutes (integer · int64 · min: 1, optional)

The amount of time in minutes for grouping alerts.

Default: 60

description (string, optional)

The description of the rule.

displayName (string, optional)

The display name of the rule.

enabled (boolean, optional)

Determines whether or not the rule is active.

id (string, required)

The ID of the rule.

inlineFilters (string, optional)

The filter for the rule, represented in YAML.

logTypes (string[], optional)

The log types.

managed (boolean, optional)

Determines if the rule is managed by Panther.

runbook (string, optional)

How to handle the generated alert.

severity (string · enum, required)

Possible values:

summaryAttributes (string[], optional)

A list of fields in the event to create top-5 summaries for.

tags (string[], optional)

The tags for the rule.

threshold (integer · int64 · min: 1, optional)

The number of events that must match before an alert is triggered.

Default: 1
Responses
200
Returned if the rule already existed.
application/json
put
PUT /rules/{id} HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 418

{
  "body": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "inlineFilters": "text",
  "logTypes": [
    "text"
  ],
  "managed": true,
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}

Response body (200 OK):

{
  "body": "text",
  "createdAt": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "displayName": "text",
  "enabled": true,
  "id": "text",
  "inlineFilters": "text",
  "lastModified": "text",
  "logTypes": [
    "text"
  ],
  "managed": true,
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}
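The create and put operations above take the same body and the same run-tests-first / run-tests-only query parameters. The following is an added example (not Panther's own client or code) that builds a rule payload with a small Python rule body and unit tests, checks it against the constraints documented on this page before it leaves the workstation, and shapes the request for either POST /rules or PUT /rules/{id}. It assumes the caller supplies base_url and api_key, that the AWS.CloudTrail log type and the field names used in the rule body exist in the target deployment, and that the tests[].resource field carries the test event as a JSON string.

```python
"""Build, validate and shape Panther /rules requests (added example, not Panther's client)."""
import json
from urllib.parse import quote, urlencode

# A minimal Python rule body. Panther Python rules must define rule(event); title() is optional.
# The CloudTrail field names below are illustrative assumptions about the target log schema.
RULE_BODY = '''\
def rule(event):
    # Alert when the account root identity performs a console login.
    return (
        event.get("eventName") == "ConsoleLogin"
        and event.get("userIdentity", {}).get("type") == "Root"
    )

def title(event):
    return "Root console login from " + str(event.get("sourceIPAddress"))
'''

REQUIRED_FIELDS = ("id", "body", "severity")     # marked Required on this page
MIN_ONE_FIELDS = ("dedupPeriodMinutes", "threshold")   # documented as int64, min: 1
LIST_FIELDS = ("logTypes", "tags", "summaryAttributes")


def example_payload():
    """Constructed create/put body. Test events are constructed, not real CloudTrail records."""
    root_login = {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
                  "sourceIPAddress": "203.0.113.7"}
    iam_login = {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"}}
    return {
        "id": "Custom.AWS.RootConsoleLogin",       # hypothetical rule ID
        "displayName": "AWS Root Console Login",
        "body": RULE_BODY,
        "severity": "INFO",                        # the one enum value shown on this page
        "enabled": True,
        "logTypes": ["AWS.CloudTrail"],            # assumed log type name
        "dedupPeriodMinutes": 60,
        "threshold": 1,
        "runbook": "Confirm the login with the account owner; rotate root credentials if unexpected.",
        "tags": ["AWS", "Identity"],
        "tests": [
            {"name": "root login alerts", "expectedResult": True,
             "resource": json.dumps(root_login)},   # resource as JSON string: assumption
            {"name": "iam user login does not alert", "expectedResult": False,
             "resource": json.dumps(iam_login)},
        ],
    }


def validate_rule_payload(payload):
    """Return a list of problems; an empty list means the documented constraints are satisfied."""
    problems = []
    for key in REQUIRED_FIELDS:
        if not payload.get(key):
            problems.append(f"missing required field: {key}")
    for key in MIN_ONE_FIELDS:
        v = payload.get(key)
        if v is not None and (isinstance(v, bool) or not isinstance(v, int) or v < 1):
            problems.append(f"{key} must be an integer >= 1")
    for key in LIST_FIELDS:
        v = payload.get(key)
        if v is not None and not (isinstance(v, list) and all(isinstance(x, str) for x in v)):
            problems.append(f"{key} must be a list of strings")
    body = payload.get("body")
    if body:
        try:
            compile(body, payload.get("id", "<rule>"), "exec")   # catch syntax errors locally
        except SyntaxError as exc:
            problems.append(f"body is not valid Python: {exc}")
        if "def rule(" not in body:
            problems.append("body must define rule(event)")
    return problems


def build_rule_request(base_url, api_key, payload, *, update=False,
                       run_tests_only=False, run_tests_first=True):
    """Return (method, url, headers, body) for POST /rules or PUT /rules/{id}."""
    method = "PUT" if update else "POST"
    # The rule ID is user-controlled input in a URL path: percent-encode it rather than
    # interpolating it raw, so a slash or '?' cannot change the path or query.
    path = f"/rules/{quote(payload['id'], safe='')}" if update else "/rules"
    query = {}
    if run_tests_only:
        query["run-tests-only"] = "true"      # run the tests, save nothing
    if not run_tests_first:
        query["run-tests-first"] = "false"    # save without running tests
    url = base_url.rstrip("/") + path + (f"?{urlencode(query)}" if query else "")
    headers = {"X-API-Key": api_key, "Content-Type": "application/json", "Accept": "*/*"}
    return method, url, headers, json.dumps(payload)


if __name__ == "__main__":
    payload = example_payload()
    print("problems:", validate_rule_payload(payload))
    # Typical flow: a run-tests-only dry run, then the real save once it passes.
    print(build_rule_request("https://your-api-host", "YOUR_API_KEY", payload, run_tests_only=True)[:2])
    print(build_rule_request("https://your-api-host", "YOUR_API_KEY", payload, update=True)[:2])
```

The local validation mirrors the constraints the page documents (required fields, the min: 1 integers, string lists) and compiles the body so a syntax error is caught before a round trip; the server-side tests still run when the request is sent, and run-tests-only lets a CI job exercise them without touching the saved rule.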

delete rule

delete
Authorizations
Path parameters
id (string, required)

ID of the rule to delete.

Responses
204
No Content response.
delete
DELETE /rules/{id} HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*

No content

list rules

get
Authorizations
Query parameters
cursor (string, optional)

The pagination token.

limit (integer · int64, optional)

The maximum number of results to return.

Default: 100
Responses
200
OK response.
application/json
get
GET /rules HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*
Response body (200 OK):

{
  "next": "text",
  "results": [
    {
      "body": "text",
      "createdAt": "text",
      "dedupPeriodMinutes": 60,
      "description": "text",
      "displayName": "text",
      "enabled": true,
      "id": "text",
      "inlineFilters": "text",
      "lastModified": "text",
      "logTypes": [
        "text"
      ],
      "managed": true,
      "reports": {
        "ANY_ADDITIONAL_PROPERTY": [
          "text"
        ]
      },
      "runbook": "text",
      "severity": "INFO",
      "summaryAttributes": [
        "text"
      ],
      "tags": [
        "text"
      ],
      "tests": [
        {
          "expectedResult": true,
          "mocks": [
            {
              "ANY_ADDITIONAL_PROPERTY": "text"
            }
          ],
          "name": "text",
          "resource": "text"
        }
      ],
      "threshold": 1
    }
  ]
}
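The list operation is paginated: each page carries a next token that is passed back as the cursor query parameter until an empty next is returned. The following added example (not Panther's own code) walks every page with that loop and then runs a simple hygiene audit over the inventory, flagging rules that are disabled, have no unit tests, declare no log types, or lack a runbook. It assumes base_url and api_key are supplied by the caller and that an empty or absent next means the last page; the sample pages and the fake_fetch that serves them are constructed stand-ins for the API so the block runs offline.

```python
"""Walk GET /rules with cursor pagination and audit the results (added example, not Panther's client)."""
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse


def list_rules_request(base_url, api_key, cursor=None, limit=100):
    """Return (method, url, headers) for one page of GET /rules."""
    query = {"limit": str(limit)}
    if cursor:
        query["cursor"] = cursor
    url = f"{base_url.rstrip('/')}/rules?{urlencode(query)}"
    return "GET", url, {"X-API-Key": api_key, "Accept": "*/*"}


def http_fetch(method, url, headers):
    """Real transport: send the request and decode the JSON body."""
    req = urllib.request.Request(url, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def iter_rules(base_url, api_key, fetch=http_fetch, limit=100, max_pages=1000):
    """Yield every rule, following next -> cursor until the token runs out."""
    cursor = None
    for _ in range(max_pages):           # hard cap so a misbehaving cursor cannot loop forever
        page = fetch(*list_rules_request(base_url, api_key, cursor, limit))
        for rule in page.get("results", []):
            yield rule
        cursor = page.get("next")
        if not cursor:                   # assumption: empty/absent next marks the last page
            return
    raise RuntimeError("pagination did not terminate within max_pages")


def audit_rules(rules):
    """Return (rule id, finding) pairs a detection engineer would want to review."""
    findings = []
    for rule in rules:
        rid = rule.get("id", "<no id>")
        if not rule.get("enabled", False):
            findings.append((rid, "disabled"))
        if not rule.get("tests"):
            findings.append((rid, "no unit tests"))
        if not rule.get("logTypes"):
            findings.append((rid, "no log types"))
        if not rule.get("runbook"):
            findings.append((rid, "no runbook"))
    return findings


# Constructed sample pages standing in for the API response (not real Panther data).
SAMPLE_PAGES = {
    None: {"next": "page-2", "results": [
        {"id": "Custom.Rule.A", "enabled": True, "logTypes": ["AWS.CloudTrail"],
         "runbook": "Rotate credentials.",
         "tests": [{"name": "hit", "expectedResult": True, "resource": "{}"}]},
        {"id": "Custom.Rule.B", "enabled": False, "logTypes": ["AWS.CloudTrail"],
         "runbook": "", "tests": []},
    ]},
    "page-2": {"next": "", "results": [
        {"id": "Custom.Rule.C", "enabled": True, "logTypes": [],
         "runbook": "Investigate.",
         "tests": [{"name": "miss", "expectedResult": False, "resource": "{}"}]},
    ]},
}


def fake_fetch(method, url, headers):
    """Offline transport: serve SAMPLE_PAGES keyed by the cursor in the query string."""
    cursor = parse_qs(urlparse(url).query).get("cursor", [None])[0]
    return SAMPLE_PAGES[cursor]


if __name__ == "__main__":
    rules = list(iter_rules("https://your-api-host", "YOUR_API_KEY", fetch=fake_fetch))
    for rid, finding in audit_rules(rules):
        print(f"{rid}: {finding}")
```

Passing fetch=http_fetch (the default) runs the same loop against a live deployment; the injected transport keeps the pagination logic testable and is the only thing that changes.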
