Saved and Scheduled Queries
Scheduled Queries allow you to use saved SQL queries instead of streaming data as a feed into Panther's rules engine using Scheduled Rules.
Below is an overview of the Scheduled Query creation process:
- 1.Save a SQL query and enable a schedule, called a Scheduled Query.
- 2.Create a Scheduled Rule detection and target the Scheduled Query created in the first step.
- Every time the Scheduled Query runs, the matching rows will be passed through the rules engine.
- If the Scheduled Rule returns any hits, one or more Alerts will be generated from the data and dispatched accordingly.
By default, new accounts will have a limit of 10 scheduled queries. This limit is only precautionary, and can be increased via a support request. There is no additional cost from Panther for raising this limit, however you may incur extra charges from the database backend depending on the volume of data processed. For examples of scheduled queries, please see the documentation: Scheduled Queries and Rules.
Panther Analysis Tool
- 1.Log in to the Panther Console and click Data > Data Explorer in the left sidebar.
- 2.Enter a new query.
- 3.Below the code editor, click Save As.
- 4.In the "Save Query" window, fill in the form:
- Query Name: Add a descriptive name.
- Description: Describe the purpose of the query.
- Tags: Add tags to help you group similar queries together.
- Is this a scheduled query?: If you want to use this as a Scheduled Query, switch the toggle to ON.
- When you switch this toggle to ON, the options described below will appear.
- Period (select if your query should run on fixed time intervals):
- Period(days) and Period(min): Enter the number of days and/or minutes after which the SQL query should run again. For example: setting a period of 0 days and 30 minutes will mean that the query will run every day, every 30 minutes.
- Timeout(min): Enter the timeout period in minutes, with a maximum allowed value of 10 minutes. If your query does not complete inside the allowed time window, Panther will retry 3 times before automatically canceling it.
- Cron Expression (select if your query should run repeatedly at specific dates):
- Minutes and Hours: Enter the time of day for the query to run.
- Day and Month (day of month): If you wish to have this query run on a specific day and month, enter the day and month.
- Day (day of week): If you wish to have this query run on a specific day of the week, enter the day.
- Timeout: Enter the timeout period in minutes, with a maximum allowed value of 10 minutes. If your query does not complete inside the allowed time window, Panther will retry 3 times before automatically canceling it.
- 5.Click Save Query.
Each saved query consists of:
- A YAML file (
.jsonextension) containing metadata attributes of the Scheduled Query.
We also recommend managing these files in a version control system (VCS). Most commonly we see GitHub or GitLab used, which are managed git providers.
- Create a metadata file using the template below:
Description: Example of a scheduled query for PAT
- Your query appears here
- Same query appears here
- Your tags
CronExpression: "0 0 29 2 *"
- Use the PAT upload command:
panther_analysis_tool upload --path <path-to-your-query> --api-token <your-api-token> --api-host https://api.<your-panther-instance-name>.runpanther.net/public/graphql
- Replace the values:
<your-panther-instance-name>: The fairytale name of your instance (e.g. carrot-tuna.runpanther.net).
<path-to-your-query>: The path to your Saved Query on your own machine.
When your Scheduled Query is uploaded, each of the fields you would normally populate in the Panther Console will be auto-filled. See Scheduled Query Specification Reference for a complete list of required and optional fields.
Panther's Scheduled Query Crontab uses the standard crontab notation consisting of five fields: minutes, hours, day of month, month, day of week. Additionally, you will find a query timeout selector (with a maximum value currently set at 10 minutes). The expression will run on UTC.
The interpreter uses a subset of the standard crontab notation:
┌───────── minute (0 - 59)
│ ┌──────── hour (0 - 23)
│ │ ┌────── day of month (1 - 31)
│ │ │ ┌──── month (1 - 12)
│ │ │ │ ┌── day of week (0 - 6 => Sunday - Saturday)
│ │ │ │ │
↓ ↓ ↓ ↓ ↓
* * * * *
If you want to specify day by day, you can separate days with dashes (
1-5is Monday through Friday) or commas, for example
Day of Weekfield will execute the command only on Sundays, Mondays and Thursdays. Currently, we do not support using named days of the week or month names.
Using the crontab allows you to be more specific in your schedule than the Period frequency option:
Setting up a Scheduled Query makes the data available to the rule engine, but in order for Panther to actually use the data, a Scheduled Rule must be set up to use the Scheduled Query.
To create a scheduled rule:
- 1.Log in to the Panther Console and click Detections in the left sidebar menu.
- 2.Click Create New to create a new Detection.
- 3.Choose Scheduled Rule for the type.
- Fill out the form to give the rule a Severity and a Unique ID, and optionally a Display Name, Description, Runbook, Reference, Events Threshold, Custom Tags, Destination Overrides, Deduplication Period, and Summary Attributes.
- 4.Click the Scheduled Queries dropdown and select the previously saved scheduled query for the rule to run on.
- 5.Click the Functions & Tests tab. Enter your own custom Python code, or if all your filtering logic is already taken care of in the SQL, you can make sure that the event is set to return
truefor each row:def rule(event):return True
- 7.Click Save in the upper right side of the page when you are finished.
As soon as you click Save, the rule will become active and be run over the SQL at an interval detected by the run frequency of the scheduled query, assuming any rows are returned by the query.
After the scheduled query has a chance to run again, if the SQL returned any rows and the Python rule conditions were met, you should see rule matches starting to populate:
For queries that return multiple rows, each row is treated like a separate event and is processed by the rule. The number of alerts returned depends on the deduplication settings you configured. For example, you might have no deduplication configured and receive one alert for each row, or you can deduplicate by time and receive one alert for all rows combined.
You can delete queries individually or in bulk. Please note that scheduled queries must be unlinked from their respective rules in order to be deleted. This is to prevent users from accidentally erasing queries used by Scheduled Rules.
- 1.Log in to the Panther Console, then navigate to Data > Saved Queries.
- 2.In the list of Scheduled Queries, check the box next to the queries you want to delete.
- 3.In the upper right, click the Mass Action dropdown. Select Delete to delete, or Download to download the query.
- 4.In the upper right, click Apply.
- 5.In the popup that appears, click Confirm.
- 1.Log in to the Panther Console, then navigate to Data > Saved Queries.
- 2.Click ... in the upper right corner of the Scheduled Query that you want to deactivate.
- 3.In the dropdown menu, click Edit Query Metadata.
- 4.In the Update Query form, toggle the setting Is it active? to OFF to disable the query.
- 5.Click Update Query to save your changes.
To edit the name, tags, description, default data base, whether it's a scheduled query or active, the period, and the cron expression:
- 1.While viewing the Saved Query list, locate the query you wish to edit.
- 2.Click ... in the upper right corner of the query.
- 3.In the dropdown menu that appears, click Edit Query Metadata.
- 4.Make changes in the Update Query form as needed.
- 5.Click Update Query.
You can check the boxes next to Saved Queries to bulk-delete or to download multiple Saved Queries at once. Note that scheduled queries must be unlinked from their respective rules in order to be deleted.
- 1.In the Saved Queries page, check the box next to a query or multiple queries.
- 2.In the upper right corner, click the Mass Action dropdown menu. Select Delete or Download.
- 3.Click Apply.
In the Saved Query screen you can search for queries using:
- The search bar at the top of the queries list
- The date range selector in the upper right
- The Filters option in the upper right
- Filter by whether the query is scheduled or active, or filter by up to 100 tags.
Click on the name of the Saved Query to go directly to Data Explorer with the query pre-populated in the code editor.
In the Panther Data Lake settings page, you can optionally enable a setting that will check if a scheduled query has a LIMIT clause specified. Use this option if you're concerned about a scheduled query unintentionally returning thousands of results, potentially resulting in alert delays, Denial of Service (DoS) for downstream systems and general cleanup overhead from poorly tuned queries.
- 1.In the upper right corner of the Panther Console, click the gear icon. In the dropdown menu that appears, click General.
- 2.Click the Data Lake tab.
- 3.Scroll down to the "Scheduled Queries" header. Below the header, you will see the LIMIT clause toggle setting:
- 4.Next to "LIMIT Clause for Scheduled Queries," toggle the setting to ON to start enforcing LIMITs in Scheduled Queries going forward.
When set to ON, any new scheduled queries marked as "Active" cannot be saved unless a LIMIT clause is specified in the query definition.
Existing scheduled queries without a LIMIT clause will appear with a warning message in the list of Saved Queries, and edits cannot be saved unless a LIMIT clause is included.
The setting only checks for the existence of a LIMIT clause anywhere in the Saved Query. It does not check specifically for outer LIMIT clauses.
Required fields are in bold.
A complete list of scheduled query specification fields: