QUESTION

 How do I query the alerts that matched a rule in Panther? For example, I want to query the alerts from the Okta API Key Created rule.


ANSWER

Locate the rule's ID (for the Okta API Key Created rule it is Okta.APIKeyCreated), then set that as the value of detectionId in the alerts query, as shown below.

query ListAlertsByRule {
  alerts(input: {
    pageSize: 50,
    detectionId: "Okta.APIKeyCreated"
  }) {
    edges {
      node {
        id
        title
        createdAt
        severity
        status
        runbook
        reference
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
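The query above returns at most one page of 50 alerts; a rule that has fired often will have more, and the pageInfo block is what lets you keep going. The script below is an added example, not Panther's own code: it wraps the same ListAlertsByRule query in a function that follows pageInfo.endCursor until hasNextPage is false, and tallies the alerts by severity. It assumes the API endpoint is https://<your-panther-domain>/public/graphql, that authentication is an X-API-Key header, that AlertsInput accepts a cursor argument of type String, and that detectionId is of GraphQL type ID. The sample responses at the bottom are constructed so the script runs offline.

```python
"""Page through every Panther alert that matched one detection.

Added example (not Panther's own code). Assumptions: endpoint
https://<your-panther-domain>/public/graphql, an X-API-Key header for
authentication, and an AlertsInput with `cursor: String` and `detectionId: ID`.
"""
import json
import urllib.request
from collections import Counter
from typing import Callable, Dict, Iterator, List, Optional

# Same selection set as the ListAlertsByRule query above, with the rule ID,
# page size and cursor lifted into GraphQL variables (never string-interpolated).
LIST_ALERTS_BY_RULE = """
query ListAlertsByRule($detectionId: ID!, $pageSize: Int!, $cursor: String) {
  alerts(input: {detectionId: $detectionId, pageSize: $pageSize, cursor: $cursor}) {
    edges {
      node { id title createdAt severity status runbook reference }
    }
    pageInfo { hasNextPage endCursor }
  }
}
"""

Transport = Callable[[dict], dict]  # POSTs a GraphQL payload, returns parsed JSON


def make_http_transport(endpoint: str, api_key: str) -> Transport:
    """Build a transport that POSTs to the (assumed) Panther GraphQL endpoint."""
    def post(payload: dict) -> dict:
        req = urllib.request.Request(
            endpoint,
            data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json", "X-API-Key": api_key},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def iter_alerts_for_rule(post: Transport, detection_id: str, page_size: int = 50) -> Iterator[dict]:
    """Yield every alert node for one detection, following the cursor across pages."""
    cursor: Optional[str] = None
    while True:
        body = post({
            "query": LIST_ALERTS_BY_RULE,
            "variables": {"detectionId": detection_id, "pageSize": page_size, "cursor": cursor},
        })
        if body.get("errors"):
            raise RuntimeError(f"GraphQL errors: {body['errors']}")
        connection = body["data"]["alerts"]
        for edge in connection["edges"]:
            yield edge["node"]
        page = connection["pageInfo"]
        if not page["hasNextPage"]:
            return
        cursor = page["endCursor"]


def list_alerts_for_rule(post: Transport, detection_id: str, page_size: int = 50) -> List[dict]:
    return list(iter_alerts_for_rule(post, detection_id, page_size))


def count_by_severity(alerts: List[dict]) -> Dict[str, int]:
    """Quick triage view: how many alerts of each severity the rule produced."""
    return dict(Counter(a["severity"] for a in alerts))


def fake_panther(pages: Dict[Optional[str], dict]) -> Transport:
    """Constructed stand-in for the API: serves canned pages keyed by the cursor sent."""
    def post(payload: dict) -> dict:
        return pages[payload["variables"]["cursor"]]
    return post


def _node(i: str, sev: str) -> dict:
    return {"id": i, "title": "Okta API Key Created", "createdAt": "2022-08-09T17:53:49Z",
            "severity": sev, "status": "OPEN", "runbook": "", "reference": ""}


# Constructed sample responses: two pages, the first pointing at the second.
SAMPLE_PAGES: Dict[Optional[str], dict] = {
    None: {"data": {"alerts": {
        "edges": [{"node": _node("a1", "MEDIUM")}, {"node": _node("a2", "HIGH")}],
        "pageInfo": {"hasNextPage": True, "endCursor": "cursor-page-2"}}}},
    "cursor-page-2": {"data": {"alerts": {
        "edges": [{"node": _node("a3", "MEDIUM")}],
        "pageInfo": {"hasNextPage": False, "endCursor": None}}}},
}


def demo() -> List[dict]:
    """Run the pager against the constructed pages (swap in make_http_transport for real use)."""
    return list_alerts_for_rule(fake_panther(SAMPLE_PAGES), "Okta.APIKeyCreated", page_size=2)


if __name__ == "__main__":
    found = demo()
    print(len(found), "alerts;", count_by_severity(found))
```

To run it against a real deployment, replace `fake_panther(SAMPLE_PAGES)` with `make_http_transport("https://<your-panther-domain>/public/graphql", api_key)` and keep the API key out of the source (an environment variable or secrets manager). Passing the rule ID as a GraphQL variable rather than pasting it into the query string is the habit worth keeping when the ID comes from user input or another system.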