get_rule_alert_metrics

Analyze alert metrics by detection rule to identify trends and hotspots across all alert types, including system and detection errors, within a specified time period. Group data by custom intervals for detailed insights into security monitoring patterns.

Instructions

Gets alert metrics grouped by detection rule for ALL alert types, including alerts, detection errors, and system errors within a given time period. Use this tool to identify hot spots in alerts and use list_alerts for specific alert details.

Returns: Dict: - alerts_per_rule: List of series with entityId, label, and value - total_alerts: Total number of alerts in the period - start_date: Start date of the period - end_date: End date of the period - interval_in_minutes: Grouping interval for the metrics - rule_ids: List of rule IDs if provided

Permissions:{'all_of': ['Read Panther Metrics']}

Input Schema

Name	Required	Description
`end_date`	No	Optional end date in ISO-8601 format. If provided, defaults to the end of the current day UTC.
`interval_in_minutes`	No	Intervals for aggregating data points. Smaller intervals provide more granular detail of when events occurred, while larger intervals show broader trends but obscure the precise timing of incidents.
`rule_ids`	No	A valid JSON list of Panther rule IDs to get metrics for
`start_date`	No	Optional start date in ISO-8601 format. If provided, defaults to the start of the current day UTC.

Input Schema (JSON Schema)

{
  "properties": {
    "end_date": {
      "anyOf": [
        {
          "type": "string"
        },
        {
          "type": "null"
        }
      ],
      "default": null,
      "description": "Optional end date in ISO-8601 format. If provided, defaults to the end of the current day UTC.",
      "examples": [
        "2024-03-20T00:00:00Z"
      ],
      "title": "End Date"
    },
    "interval_in_minutes": {
      "default": 15,
      "description": "Intervals for aggregating data points. Smaller intervals provide more granular detail of when events occurred, while larger intervals show broader trends but obscure the precise timing of incidents.",
      "examples": [
        15,
        30,
        60,
        180,
        360,
        720,
        1440
      ],
      "title": "Interval In Minutes",
      "type": "integer"
    },
    "rule_ids": {
      "default": [],
      "description": "A valid JSON list of Panther rule IDs to get metrics for",
      "examples": [
        [
          "AppOmni.Alert.Passthrough",
          "Auth0.MFA.Policy.Disabled"
        ]
      ],
      "items": {
        "type": "string"
      },
      "title": "Rule Ids",
      "type": "array"
    },
    "start_date": {
      "anyOf": [
        {
          "type": "string"
        },
        {
          "type": "null"
        }
      ],
      "default": null,
      "description": "Optional start date in ISO-8601 format. If provided, defaults to the start of the current day UTC.",
      "examples": [
        "2024-03-20T00:00:00Z"
      ],
      "title": "Start Date"
    }
  },
  "type": "object"
}

Panther MCP Server