So far I have used scheduled rules with queries that return only one row. What will be inside of the event on the Python side of a scheduled rule when the query results in more than 1 row, e.g. x rows? Will the Python code run x times, and every time the event will be a different row corresponding to the query output, or will the Python code run 1 time, with an event containing a list of JSON objects, having each object represent a row coming from the query?
In general, every time a Scheduled Query runs, the matching rows are passed through the rules engine (see: Do I need a Scheduled Query in order to use a Scheduled Rule in Panther?). If the Scheduled Rule returns any hits, one or more alerts are generated from the data. Scheduled rules work by accepting individual rows output from the associated Scheduled Search.
Rules and scheduled rules each analyze one event at a time. If the Scheduled Search returns multiple rows, each row is processed by the rule logic as a separate event, so the scheduled rule receives a single event (one row) per invocation.
Based on the above details, the answer to the initial question is that the Python code will run x times, and every time the event will be a different row corresponding to the query output.
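To make the per-row behaviour concrete, here is an added example (not code from the original post or from Panther itself): a Panther-style scheduled rule with `rule()`, `title()` and `dedup()` functions, plus a small local harness that feeds it one row at a time the way the answer describes. The harness, the `failed_logins` threshold and the sample rows are constructed assumptions for illustration; the harness is not Panther's engine.

```python
# Added example: a Panther-style scheduled rule and a local harness that mimics
# how the rules engine invokes it once per row of the Scheduled Search output.
# The harness and sample rows are constructed for illustration only.
from typing import Any, Dict, List

# Constructed stand-in for a Scheduled Search result with three rows
SAMPLE_ROWS: List[Dict[str, Any]] = [
    {"actor": "alice", "failed_logins": 12, "source_ip": "203.0.113.10"},
    {"actor": "bob", "failed_logins": 2, "source_ip": "203.0.113.11"},
    {"actor": "carol", "failed_logins": 40, "source_ip": "203.0.113.12"},
]

THRESHOLD = 10  # assumed detection threshold for this illustrative rule


def rule(event) -> bool:
    """Called once per row: `event` holds a single row's columns, never the full result set."""
    # .get() with a default keeps the rule from raising if a column is absent in some row
    return event.get("failed_logins", 0) >= THRESHOLD


def title(event) -> str:
    """Alert title built only from the one row this invocation received."""
    return f"{event.get('actor')} had {event.get('failed_logins')} failed logins"


def dedup(event) -> str:
    """Dedup key so repeated hits for the same actor collapse into one alert."""
    return str(event.get("actor"))


def run_scheduled_rule(rows: List[Dict[str, Any]]) -> List[str]:
    """Simulated engine: x rows lead to x calls of rule(); titles of hits are collected."""
    alerts: List[str] = []
    for row in rows:
        if rule(row):
            alerts.append(title(row))
    return alerts


if __name__ == "__main__":
    for alert in run_scheduled_rule(SAMPLE_ROWS):
        print(alert)
```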