Is there a way to query for information about detections from the Panther API or panther_analysis_tool? I'd like to programmatically check if an alert exists, or if it's enabled, in my Panther system.
As of Panther version 1.98, you can interact with detections via the REST API. See Panther's REST API documentation for more information.
Similar functionality available from Panther's GraphQL API includes executing a data lake (Data Explorer) query using SQL. Using our article "How do I query alert events through the Panther API?" as a reference, you can do something similar by using the table panther_rule_matches.public.okta_systemlog. This way, you can retrieve information about rules, rule IDs, and times when alerts were triggered for a given rule.
Please feel free to use the example query below, with modifications according to your needs.
```graphql
# IssueDataLakeQuery is a nickname for the operation
mutation IssueDataLakeQuery {
  executeDataLakeQuery(input: {
    sql: "SELECT * FROM panther_views.public.all_rule_matches WHERE p_rule_id = 'your_rule_id' ORDER BY p_event_time DESC LIMIT 20"
  }) {
    id # the unique ID of the query
  }
}
```

```graphql
# QueryResults is a nickname for the operation
query QueryResults {
  dataLakeQuery(id: "the_id_retrieved_from_the_above_query") { # the unique ID of the query
    message
    status
    results {
      edges {
        node
      }
    }
  }
}
```
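The two operations above are one asynchronous flow: issue the query, keep its id, then poll `dataLakeQuery` until the status is terminal. The Python below, an added example and not Panther's own client code, wires that flow together with an injectable transport so the polling logic can be exercised offline; the `/public/graphql` endpoint, the `X-API-Key` header, the GraphQL variable types and the lowercase status strings are assumptions, not taken from the article.

```python
import json
import time
import urllib.request
from typing import Any, Callable, Dict, List

# A transport sends one GraphQL document plus variables and returns the "data" object.
Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]

ISSUE_QUERY = """mutation IssueDataLakeQuery($sql: String!) {
  executeDataLakeQuery(input: { sql: $sql }) { id }
}"""
POLL_QUERY = """query QueryResults($id: ID!) {
  dataLakeQuery(id: $id) { message status results { edges { node } } }
}"""

def http_transport(endpoint: str, api_key: str) -> Transport:
    """Assumed real transport: POST JSON to the Panther GraphQL endpoint and
    authenticate with an X-API-Key header (both assumptions of this example)."""
    def send(document: str, variables: Dict[str, Any]) -> Dict[str, Any]:
        body = json.dumps({"query": document, "variables": variables}).encode()
        req = urllib.request.Request(endpoint, data=body, headers={
            "Content-Type": "application/json", "X-API-Key": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            payload = json.load(resp)
        if payload.get("errors"):
            raise RuntimeError(f"GraphQL errors: {payload['errors']}")
        return payload["data"]
    return send

def recent_matches(transport: Transport, rule_id: str, limit: int = 20,
                   poll_seconds: float = 2.0, max_polls: int = 60) -> List[Dict[str, Any]]:
    """Issue the article's data lake query, then poll by id until it finishes.
    Status strings (running/succeeded/failed/cancelled) are assumed values."""
    safe_rule = rule_id.replace("'", "''")  # defensive quoting of the SQL literal
    sql = ("SELECT * FROM panther_views.public.all_rule_matches "
           f"WHERE p_rule_id = '{safe_rule}' ORDER BY p_event_time DESC LIMIT {int(limit)}")
    query_id = transport(ISSUE_QUERY, {"sql": sql})["executeDataLakeQuery"]["id"]
    status = "running"
    for _ in range(max_polls):
        result = transport(POLL_QUERY, {"id": query_id})["dataLakeQuery"]
        status = result["status"]
        if status == "succeeded":
            return [edge["node"] for edge in result["results"]["edges"]]
        if status in ("failed", "cancelled"):
            raise RuntimeError(f"query {query_id} {status}: {result.get('message')}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"query {query_id} still {status} after {max_polls} polls")

def rule_has_fired(transport: Transport, rule_id: str) -> bool:
    # True if at least one rule match row exists for rule_id in the data lake.
    return len(recent_matches(transport, rule_id, limit=1)) > 0
```

For a live run, pass `http_transport("https://<your-panther-domain>/public/graphql", api_key)` as the transport and a real rule ID; the fake transport approach is only for testing the polling logic.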