How do I query the alerts that matched a Panther rule in the API?

Last updated: July 30, 2025

QUESTION

 How do I query the alerts that matched a rule in Panther? For example, I want to query the alerts from the Okta API Key Created rule.


ANSWER

This can be achieved with Panther's API, either the GraphQL API or the REST API. First locate the rule's ID (for a packaged rule this is the detection's ID string, such as Okta.APIKeyCreated; for a custom rule it is the RuleID you set when creating it), then pass that ID as the value of detectionId in the alerts query. Results are paginated: request up to pageSize alerts per call and, while pageInfo.hasNextPage is true, re-issue the query with cursor set to the previous pageInfo.endCursor to retrieve the next page.

Here is an example GraphQL query that lists the alerts generated by the Okta API Key Created rule:

query ListAlertsByRule {
  alerts(input: {
    pageSize: 50,                      # max alerts returned per page
    detectionId: "Okta.APIKeyCreated"  # the rule's ID
  }) {
    edges {
      node {
        id
        title
        createdAt
        severity
        status
        runbook
        reference
      }
    }
    pageInfo {
      hasNextPage   # true when more alerts remain
      endCursor     # pass as `cursor` in the next request
    }
  }
}
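The query above returns a single page. The following is an added example, not code from the original article or from Panther, showing how a script would drive that same query to completion: it follows endCursor until hasNextPage is false, fails loudly on GraphQL errors, and then summarises which alerts for the rule still need triage. The endpoint path, the X-API-Key header, and the GraphQL variable types are assumptions to be checked against your Panther tenant's API documentation; the sample pages at the bottom are constructed data standing in for a live tenant so the block runs offline.

```python
"""Page through all Panther alerts for one detection via the GraphQL API.

Added example, not part of the original article. Assumes the alerts(input:
{detectionId, pageSize, cursor}) query shape shown above; the endpoint URL,
the X-API-Key header name and the variable types are assumptions.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

# Same query as the article, parameterised so it can be re-issued per page.
# Variable types (String!/Int!/String) are assumed to match Panther's schema.
LIST_ALERTS_BY_RULE = """
query ListAlertsByRule($detectionId: String!, $pageSize: Int!, $cursor: String) {
  alerts(input: {detectionId: $detectionId, pageSize: $pageSize, cursor: $cursor}) {
    edges { node { id title createdAt severity status runbook reference } }
    pageInfo { hasNextPage endCursor }
  }
}
"""

# A transport takes (query, variables) and returns the decoded GraphQL response.
Transport = Callable[[str, dict], dict]


def http_transport(endpoint: str, api_key: str) -> Transport:
    """Real transport: POST the query to Panther's GraphQL endpoint.
    Endpoint path and header name are assumptions; verify against your docs."""
    def send(query: str, variables: dict) -> dict:
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(
            endpoint, data=body, method="POST",
            headers={"Content-Type": "application/json", "X-API-Key": api_key},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


def list_alerts_for_detection(send: Transport, detection_id: str,
                              page_size: int = 50, max_pages: int = 100) -> List[dict]:
    """Collect every alert node for detection_id by following endCursor."""
    alerts: List[dict] = []
    cursor: Optional[str] = None
    for _ in range(max_pages):  # hard stop so a bad cursor cannot loop forever
        resp = send(LIST_ALERTS_BY_RULE,
                    {"detectionId": detection_id, "pageSize": page_size, "cursor": cursor})
        if resp.get("errors"):  # GraphQL reports errors with HTTP 200; check the body
            raise RuntimeError(f"GraphQL errors: {resp['errors']}")
        page = resp["data"]["alerts"]
        alerts.extend(edge["node"] for edge in page["edges"])
        info = page["pageInfo"]
        if not info["hasNextPage"] or not info.get("endCursor"):
            break
        cursor = info["endCursor"]
    return alerts


def open_alerts_by_severity(alerts: List[dict]) -> Dict[str, int]:
    """Count alerts still needing attention (status OPEN or TRIAGED), by severity."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        if alert.get("status") in ("OPEN", "TRIAGED"):
            counts[alert["severity"]] = counts.get(alert["severity"], 0) + 1
    return counts


def fake_transport() -> Transport:
    """Constructed two-page response set standing in for a live Panther tenant."""
    def node(i: str, ts: str, sev: str, status: str) -> dict:
        return {"node": {"id": i, "title": "Okta API key created", "createdAt": ts,
                         "severity": sev, "status": status, "runbook": "", "reference": ""}}
    pages = {
        None: {"data": {"alerts": {
            "edges": [node("a1", "2025-07-30T10:00:00Z", "HIGH", "OPEN"),
                      node("a2", "2025-07-30T11:00:00Z", "HIGH", "RESOLVED")],
            "pageInfo": {"hasNextPage": True, "endCursor": "c2"}}}},
        "c2": {"data": {"alerts": {
            "edges": [node("a3", "2025-07-30T12:00:00Z", "MEDIUM", "TRIAGED")],
            "pageInfo": {"hasNextPage": False, "endCursor": None}}}},
    }
    def send(query: str, variables: dict) -> dict:
        if variables["detectionId"] != "Okta.APIKeyCreated":
            return {"data": {"alerts": {"edges": [], "pageInfo": {"hasNextPage": False, "endCursor": None}}}}
        return pages[variables["cursor"]]
    return send


if __name__ == "__main__":
    # Swap fake_transport() for http_transport("https://api.<your-panther-domain>/public/graphql", key)
    found = list_alerts_for_detection(fake_transport(), "Okta.APIKeyCreated")
    print(f"{len(found)} alerts; open by severity: {open_alerts_by_severity(found)}")
```

The max_pages guard matters in practice: a transport that keeps echoing the same endCursor would otherwise loop indefinitely, and for noisy rules you will also want to narrow the window with the query's date filters rather than walking every alert the rule has ever produced.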