Retrieving and Creating Alert rules via API

Yifan · ‎06-22-2022

- Api call add alert rule:

I want to create alert rules via API for the CSPM. Are there any examples for this? It's not clear to me how to populate:

alertRuleNotificationConfig

https://prisma.pan.dev/api/cloud/cspm/alert-rules#operation/add-alert-rule

POST https://{{api-endpoint}}/v2/alert/rule >> 405

Can we post events on this API endpoint?

- API call retrieving alert rule by ID:

GET https://{{api-endpoint}}/v1/alert/{{ruleid}} >> 404

The {id} which I retrieve with this API call:

https://prisma.pan.dev/api/cloud/cspm/alert-rules#operation/get-alert-rules-v2

Can any one verify that their api call are valid?

ENwankwo1 · ‎07-28-2022

Please follow Instructions on how to setup the Postman Collections and Environments relating to Prisma Cloud (including Compute Console) API requests.

[1] https://github.com/PaloAltoNetworks/pcs-postman

This is an easy way to use create alert rules via API for the CSPM.

Emmanuel Nwankwo

NNawaz · ‎09-13-2022

Greeting,

I highly recommend you review the following doc before Prisma Cloud API.
1- Access the Prisma Cloud REST API
2- Generate JWT Token in Prisma Cloud
3- Stack API based on STACKs

I have added the sample Payload for your convenience.

{
"alertRuleNotificationConfig": [
{
"detailedReport": false,
"enabled": false,
"includeRemediation": false,
"recipients": [
"user@email.com"
],
"type": "email",
"withCompression": false,
"frequency": "as_it_happens"
}
],
"allowAutoRemediate": false,
"delayNotificationMs": 0,
"description": "",
"enabled": true,
"name": "Test12",
"policies": [
"5cc78081-1006-4874-8b13-bd01583888c4"
],
"policyLabels": [],
"scanAll": false,
"target": {
"accountGroups": [
"41ec1962-2f54-49e7-b07e-d7ae1cacfd3d"
],
"excludedAccounts": [],
"regions": [],
"targetResourceList": {
"action": "AUTO_DISMISS",
"additionalNotes": "",
"approver": "",
"enabled": false,
"ids": [],
"reason": "",
"requestor": ""
},
"tags": []
},
"notifyOnDismissed": true,
"notifyOnOpen": true,
"notifyOnResolved": true,
"notifyOnSnoozed": true
}

POST https://{{api-endpoint}}/v2/alert/rule >> 405
Can we post events on this API endpoint?

No, we can't post to the above endpoint as API endpoint is missing.

Prisma Cloud API call is mainly based on the STACK for instance if I am on STACK APP2 the link would be https://api2.prismacloud.io/v2/alert/rule
or If I am using APP.EU the API call link would be https://api.eu.prismacloud.io/v2/alert/rule

API call retrieving alert rule by ID:

GET https://{{api-endpoint}}/v1/alert/{{ruleid}}

To run the following API call, firstly run the API call to get Alert ID.

My tenant is on APP3 so the API call would be https://api3.prismacloud.io/v2/alert/rule

Then use the following API call.

https://api3.prismacloud.io/v1/alert/{{ruleid}}

I hope this info will help.

Sr. Technical Support Engineer - Prisma Cloud | PCCSE

Retrieving and Creating Alert rules via API

Retrieving and Creating Alert rules via API

Show your appreciation!