How do I query the alerts that matched a Panther rule in the API?
QUESTION
How do I query the alerts that matched a rule in Panther? For example, I want to query the alerts from the Okta API Key Created rule.
ANSWER
Locate the rule's ID (for the Okta API Key Created rule this is Okta.APIKeyCreated) and pass it as the value of detectionId in the alerts query input, as shown below. The pageInfo fields let you page through results when a rule has produced more than pageSize alerts.
    query ListAlertsByRule {
      alerts(input: { pageSize: 50, detectionId: "Okta.APIKeyCreated" }) {
        edges {
          node {
            id
            title
            createdAt
            severity
            status
            runbook
            reference
          }
        }
        pageInfo {
          hasNextPage
          endCursor
        }
      }
    }
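The query above returns one page. The following Python client, added here as an example and not part of the original answer or of Panther's own tooling, runs the same query with GraphQL variables and follows pageInfo.hasNextPage / endCursor until every alert for the rule has been collected, then counts them by status. It assumes (none of this is on the page) that the API is served at /public/graphql on your Panther host, that the key is sent in an X-API-Key header, that the input type is named AlertsInput, and that it accepts a cursor argument carrying the previous page's endCursor; check these against your deployment's schema. The sample responses are constructed so the pagination logic can be exercised offline.

```python
"""Page through all alerts for one Panther detection via the GraphQL API.

Added example. Assumed (not from the page): endpoint path /public/graphql,
X-API-Key header, input type name AlertsInput, and a `cursor` field on it.
"""
import json
import os
import urllib.request
from collections import Counter
from typing import Any, Callable, Dict, List, Optional

# Same selection as the page's query, with the input moved into a variable
# so no alert-ID or cursor value is ever spliced into the query string.
ALERTS_BY_RULE_QUERY = """
query ListAlertsByRule($input: AlertsInput!) {
  alerts(input: $input) {
    edges { node { id title createdAt severity status runbook reference } }
    pageInfo { hasNextPage endCursor }
  }
}
"""

# A transport takes (query, variables) and returns the decoded JSON response.
Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def http_transport(api_host: str, api_key: str) -> Transport:
    """Real transport: POST to the assumed /public/graphql endpoint."""
    url = f"https://{api_host}/public/graphql"  # assumed path

    def post(query: str, variables: Dict[str, Any]) -> Dict[str, Any]:
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(
            url, data=body,
            headers={"Content-Type": "application/json", "X-API-Key": api_key},  # assumed header
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def fetch_alerts_for_rule(post: Transport, detection_id: str,
                          page_size: int = 50, max_pages: int = 200) -> List[Dict[str, Any]]:
    """Collect every alert node for `detection_id`, following the cursor.

    max_pages bounds the loop so a server that keeps reporting hasNextPage
    cannot make the client spin forever.
    """
    alerts: List[Dict[str, Any]] = []
    cursor: Optional[str] = None
    for _ in range(max_pages):
        inp: Dict[str, Any] = {"detectionId": detection_id, "pageSize": page_size}
        if cursor is not None:
            inp["cursor"] = cursor  # assumed AlertsInput field
        result = post(ALERTS_BY_RULE_QUERY, {"input": inp})
        if result.get("errors"):
            raise RuntimeError(f"GraphQL errors: {result['errors']}")
        conn = result["data"]["alerts"]
        alerts.extend(edge["node"] for edge in conn["edges"])
        page = conn["pageInfo"]
        if not page.get("hasNextPage") or not page.get("endCursor"):
            break
        cursor = page["endCursor"]
    return alerts


def summarize_by_status(alerts: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count alerts per status, e.g. to see how many are still OPEN."""
    return dict(Counter(a["status"] for a in alerts))


def _node(alert_id: str, status: str) -> Dict[str, Any]:
    return {"id": alert_id, "title": "Okta API Key Created", "createdAt": "2024-01-01T00:00:00Z",
            "severity": "HIGH", "status": status, "runbook": "", "reference": ""}


# Constructed sample responses, keyed by the cursor the client is expected to send.
SAMPLE_PAGES: Dict[Optional[str], Dict[str, Any]] = {
    None: {"data": {"alerts": {
        "edges": [{"node": _node("a1", "OPEN")}, {"node": _node("a2", "RESOLVED")}],
        "pageInfo": {"hasNextPage": True, "endCursor": "cursor-page-2"}}}},
    "cursor-page-2": {"data": {"alerts": {
        "edges": [{"node": _node("a3", "OPEN")}],
        "pageInfo": {"hasNextPage": False, "endCursor": None}}}},
}


def make_fake_transport(pages: Dict[Optional[str], Dict[str, Any]]) -> Transport:
    """Offline transport that serves `pages` by the cursor in the variables."""
    def post(query: str, variables: Dict[str, Any]) -> Dict[str, Any]:
        return pages[variables["input"].get("cursor")]
    return post


if __name__ == "__main__":
    host, key = os.environ.get("PANTHER_HOST"), os.environ.get("PANTHER_API_KEY")
    transport = http_transport(host, key) if host and key else make_fake_transport(SAMPLE_PAGES)
    found = fetch_alerts_for_rule(transport, "Okta.APIKeyCreated", page_size=2)
    print(f"{len(found)} alerts:", summarize_by_status(found))
```

Run it with PANTHER_HOST and PANTHER_API_KEY set to query a live deployment; without them it walks the constructed two-page sample and prints 3 alerts, 2 OPEN and 1 RESOLVED. Passing the input as a GraphQL variable rather than string-formatting it into the query is what keeps a rule ID or cursor taken from user input from altering the query itself.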