Simple Rules

REST API operations for Simple/YAML Rules

Overview

The /simple-rules REST API operations are in open beta starting with Panther version 1.98, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.

Use these API operations to interact with rules created as Simple Detections in the CLI workflow or in the Panther Console's Simple Detection Builder.

The simple rule API entity is only applicable to rules that are Simple Detections. To interact with rules created in Python, see Rules.

To call the API, see the How to use the Panther REST API instructions—including directions for how to invoke it directly from this documentation page.

Required permissions

  • For GET operations, your API token must have the View Rules permission.

  • For POST, PUT, and DELETE operations, your API token must have the Manage Rules permission.

Operations

create simple rule

POST /simple-rules

Authorizations: API token passed in the X-API-Key header (see Required permissions above).

Query parameters

  • run-tests-first (boolean, optional): set to false to skip running the rule's tests before saving. Default: true

  • run-tests-only (boolean, optional): set to true to run the rule's tests without saving. Default: false

Body

  • alertContext (string, optional): the alert context, represented in YAML

  • alertTitle (string, optional): the alert title, represented in YAML

  • dedupPeriodMinutes (integer · int64, min: 1, optional): the number of minutes over which matching events are grouped into a single alert. Default: 60

  • description (string, optional): the description of the rule

  • detection (string, required): the YAML representation of the rule

  • displayName (string, optional): the display name of the rule

  • dynamicSeverities (string, optional): the dynamic severity, represented in YAML

  • enabled (boolean, optional): whether the rule is active

  • groupBy (string, optional): the event key to group by, represented in YAML

  • id (string, required): the ID of the rule

  • inlineFilters (string, optional): the filter for the rule, represented in YAML

  • logTypes (string[], optional): the log types the rule runs against

  • managed (boolean, optional): whether the simple rule is managed by Panther

  • pythonBody (string, optional): the Python body of the rule

  • runbook (string, optional): how to handle the generated alert

  • severity (string · enum, required). Possible values:

  • summaryAttributes (string[], optional): a list of event fields to create top-5 summaries for

  • tags (string[], optional): the tags for the simple rule

  • threshold (integer · int64, min: 1, optional): the number of matching events required before an alert is triggered. Default: 1

Responses

  • 200: OK response (application/json)

Example request:

POST /simple-rules HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 529

{
  "alertContext": "text",
  "alertTitle": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "detection": "text",
  "displayName": "text",
  "dynamicSeverities": "text",
  "enabled": true,
  "groupBy": "text",
  "id": "text",
  "inlineFilters": "text",
  "logTypes": [
    "text"
  ],
  "managed": true,
  "pythonBody": "text",
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}

Example response (200):

{
  "alertContext": "text",
  "alertTitle": "text",
  "createdAt": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "detection": "text",
  "displayName": "text",
  "dynamicSeverities": "text",
  "enabled": true,
  "groupBy": "text",
  "id": "text",
  "inlineFilters": "text",
  "lastModified": "text",
  "logTypes": [
    "text"
  ],
  "managed": true,
  "pythonBody": "text",
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}

get a simple rule

GET /simple-rules/{id}

Authorizations: API token passed in the X-API-Key header (see Required permissions above).

Path parameters

  • id (string, required): ID of the rule to fetch

Query parameters

  • include-python (boolean, optional): whether the Python generated for the rule is returned. Default: false

Responses

  • 200: OK response (application/json)

Example request:

GET /simple-rules/{id} HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*

Example response (200):

{
  "alertContext": "text",
  "alertTitle": "text",
  "createdAt": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "detection": "text",
  "displayName": "text",
  "dynamicSeverities": "text",
  "enabled": true,
  "groupBy": "text",
  "id": "text",
  "inlineFilters": "text",
  "lastModified": "text",
  "logTypes": [
    "text"
  ],
  "managed": true,
  "pythonBody": "text",
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}

put simple rule

PUT /simple-rules/{id}

PUT creates the rule if it does not exist, or updates it if it does.

Authorizations: API token passed in the X-API-Key header (see Required permissions above).

Path parameters

  • id (string, required): the ID of the rule

Query parameters

  • run-tests-first (boolean, optional): set to false to skip running the rule's tests before saving. Default: true

  • run-tests-only (boolean, optional): set to true to run the rule's tests without saving. Default: false

Body

  • alertContext (string, optional): the alert context, represented in YAML

  • alertTitle (string, optional): the alert title, represented in YAML

  • dedupPeriodMinutes (integer · int64, min: 1, optional): the number of minutes over which matching events are grouped into a single alert. Default: 60

  • description (string, optional): the description of the rule

  • detection (string, required): the YAML representation of the rule

  • displayName (string, optional): the display name of the rule

  • dynamicSeverities (string, optional): the dynamic severity, represented in YAML

  • enabled (boolean, optional): whether the rule is active

  • groupBy (string, optional): the event key to group by, represented in YAML

  • id (string, required): the ID of the rule

  • inlineFilters (string, optional): the filter for the rule, represented in YAML

  • logTypes (string[], optional): the log types the rule runs against

  • managed (boolean, optional): whether the simple rule is managed by Panther

  • pythonBody (string, optional): the Python body of the rule

  • runbook (string, optional): how to handle the generated alert

  • severity (string · enum, required). Possible values:

  • summaryAttributes (string[], optional): a list of event fields to create top-5 summaries for

  • tags (string[], optional): the tags for the simple rule

  • threshold (integer · int64, min: 1, optional): the number of matching events required before an alert is triggered. Default: 1

Responses

  • 200: returned if the item already existed (application/json)

Example request:

PUT /simple-rules/{id} HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 529

{
  "alertContext": "text",
  "alertTitle": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "detection": "text",
  "displayName": "text",
  "dynamicSeverities": "text",
  "enabled": true,
  "groupBy": "text",
  "id": "text",
  "inlineFilters": "text",
  "logTypes": [
    "text"
  ],
  "managed": true,
  "pythonBody": "text",
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}

Example response (200):

{
  "alertContext": "text",
  "alertTitle": "text",
  "createdAt": "text",
  "dedupPeriodMinutes": 60,
  "description": "text",
  "detection": "text",
  "displayName": "text",
  "dynamicSeverities": "text",
  "enabled": true,
  "groupBy": "text",
  "id": "text",
  "inlineFilters": "text",
  "lastModified": "text",
  "logTypes": [
    "text"
  ],
  "managed": true,
  "pythonBody": "text",
  "reports": {
    "ANY_ADDITIONAL_PROPERTY": [
      "text"
    ]
  },
  "runbook": "text",
  "severity": "INFO",
  "summaryAttributes": [
    "text"
  ],
  "tags": [
    "text"
  ],
  "tests": [
    {
      "expectedResult": true,
      "mocks": [
        {
          "ANY_ADDITIONAL_PROPERTY": "text"
        }
      ],
      "name": "text",
      "resource": "text"
    }
  ],
  "threshold": 1
}

delete simple rule

DELETE /simple-rules/{id}

Authorizations: API token passed in the X-API-Key header (see Required permissions above).

Path parameters

  • id (string, required): ID of the simple rule to delete

Responses

  • 204: No Content response

Example request:

DELETE /simple-rules/{id} HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*

Example response: 204 No Content, with an empty body.

list simple rules

GET /simple-rules

Authorizations: API token passed in the X-API-Key header (see Required permissions above).

Query parameters

  • cursor (string, optional): the pagination token

  • limit (integer · int64, optional): the maximum number of results to return. Default: 100

  • include-python (boolean, optional): whether the Python generated for each rule is returned. Default: false

Responses

  • 200: OK response (application/json)

Example request:

GET /simple-rules HTTP/1.1
Host: your-api-host
X-API-Key: YOUR_API_KEY
Accept: */*

Example response (200):

{
  "next": "text",
  "results": [
    {
      "alertContext": "text",
      "alertTitle": "text",
      "createdAt": "text",
      "dedupPeriodMinutes": 60,
      "description": "text",
      "detection": "text",
      "displayName": "text",
      "dynamicSeverities": "text",
      "enabled": true,
      "groupBy": "text",
      "id": "text",
      "inlineFilters": "text",
      "lastModified": "text",
      "logTypes": [
        "text"
      ],
      "managed": true,
      "pythonBody": "text",
      "reports": {
        "ANY_ADDITIONAL_PROPERTY": [
          "text"
        ]
      },
      "runbook": "text",
      "severity": "INFO",
      "summaryAttributes": [
        "text"
      ],
      "tags": [
        "text"
      ],
      "tests": [
        {
          "expectedResult": true,
          "mocks": [
            {
              "ANY_ADDITIONAL_PROPERTY": "text"
            }
          ],
          "name": "text",
          "resource": "text"
        }
      ],
      "threshold": 1
    }
  ]
}
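Client-side paging over the list operation, as an added example that is not Panther's own code: it passes limit and cursor as query parameters and follows the response's next token until it is absent or empty (an assumption about how the last page is signalled), refuses to spin on a repeated token, and finishes with a small coverage check for rules that exist but are disabled. The host, API key, rule IDs and the two-page fake response are constructed; only the header name, paths and parameter names come from the page.

```python
import json
import urllib.parse
import urllib.request

class SimpleRulesClient:
    """transport(method, url, body) -> parsed JSON; injectable so paging runs offline."""

    def __init__(self, host, api_key, transport=None):
        self.base, self.api_key = f"https://{host}", api_key
        self.transport = transport or self._http

    def _http(self, method, url, body):
        req = urllib.request.Request(url, data=body, method=method)
        req.add_header("X-API-Key", self.api_key)  # header name from the page
        req.add_header("Accept", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def list_all(self, limit=100, include_python=False):
        """Follow `next` until it is absent or empty (assumed to mark the last page)."""
        rules, cursor, seen = [], None, set()
        while True:
            params = {"limit": limit, "include-python": str(include_python).lower()}
            if cursor:
                params["cursor"] = cursor
            url = f"{self.base}/simple-rules?{urllib.parse.urlencode(params)}"
            page = self.transport("GET", url, None)
            rules.extend(page.get("results", []))
            cursor = page.get("next")
            if not cursor:
                return rules
            if cursor in seen:  # defensive: never loop forever on a repeated token
                raise RuntimeError(f"pagination loop on cursor {cursor!r}")
            seen.add(cursor)

def disabled_rule_ids(rules):
    """Coverage check: IDs of rules that exist but are not active."""
    return sorted(r["id"] for r in rules if not r.get("enabled", False))

# Constructed two-page fake of the list response (not real API output).
FAKE_PAGES = {
    None: {"next": "page2", "results": [{"id": "Demo.Rule.One", "enabled": True}]},
    "page2": {"next": "", "results": [{"id": "Demo.Rule.Two", "enabled": False}]},
}

def fake_transport(method, url, body):
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return FAKE_PAGES[query.get("cursor", [None])[0]]
```

Run it against the fake with `SimpleRulesClient("your-api-host", "YOUR_API_KEY", fake_transport).list_all(limit=1)`; omit the transport argument to call the real endpoint.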
