# PantherFlow examples: SOC operations

## Last time each log source received data

```kusto
union panther_logs.public.*
| where p_event_time > time.ago(1d)
| summarize last_received_data=agg.max(p_parse_time) by p_source_label, p_source_id
| sort last_received_data desc
```

This query uses [`summarize`](/ko/pantherflow/operators/summarize.md), [`sort`](/ko/pantherflow/operators/sort.md), and [`agg.max()`](https://docs.panther.com/ko/pantherflow/example-queries/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.max).

Note that the result only lists sources that had at least one event with a `p_event_time` inside the window. A source that has stopped sending entirely is not shown with an old timestamp; it simply has no row, so check for missing sources as well as stale ones. The filter is on the event's own timestamp (`p_event_time`) while the aggregate is on ingest time (`p_parse_time`), so a source that only delivered old, backfilled events during the day is also excluded.

Example output:

<figure><img src="/files/5567b74f9fccff5efa4f117f5390acb6d6eacef9" alt=""><figcaption></figcaption></figure>
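The table above cannot distinguish a source that is merely quiet from one that has broken, because a source with no rows in the window is absent rather than flagged. The following query is added here as an example and is not taken from the original page: it widens the lookback and then flags sources that were active at some point in the last 7 days but have ingested nothing for more than 4 hours. The 7-day lookback, the 240-minute threshold and the `events_7d` column name are assumptions; tune the threshold per source, since a low-volume source can legitimately be silent for hours.

```kusto
// Added example, not from the original page.
// Sources seen in the last 7 days whose most recent ingest is more than
// 4 hours old. The 7d lookback and 240-minute threshold are assumed values.
union panther_logs.public.*
| where p_event_time > time.ago(7d)
// last_received_data is ingest time; events_7d shows how much the source normally sends
| summarize last_received_data=agg.max(p_parse_time), events_7d=agg.count() by p_source_label, p_source_id
// minutes since the last event was parsed (time.diff(unit, start, end) = end - start, as on this page)
| extend minutes_silent = time.diff("m", last_received_data, time.now())
| where minutes_silent > 240
| sort minutes_silent desc
```

A source that has been silent for the whole 7 days still does not appear, for the same reason as above; only a query that compares against a fixed list of expected sources can surface that case, and that list is not part of this page.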

## Alert count by severity

```kusto
panther_signals.public.signal_alerts
| where p_event_time > time.ago(14d)
| summarize alert_count = agg.count() by severity
| extend sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort sort_key asc
| visualize bar orientation=horizontal
```

This query uses:

* Operators: [`where`](/ko/pantherflow/operators/where.md), [`summarize`](/ko/pantherflow/operators/summarize.md), [`extend`](/ko/pantherflow/operators/extend.md), [`sort`](/ko/pantherflow/operators/sort.md), and [`visualize`](/ko/pantherflow/operators/visualize.md)
* Functions: [`time.ago()`](https://docs.panther.com/ko/pantherflow/example-queries/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.ago), [`agg.count()`](https://docs.panther.com/ko/pantherflow/example-queries/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.count), and [`case()`](/ko/pantherflow/functions/control-flow.md#case)

The `case()` expression exists only to order the bars; without it the chart would be sorted alphabetically by severity name rather than by urgency.

Example output:

<figure><img src="/files/a5e4b0a4326934acfa2b8be5ae4f623fa0047293" alt=""><figcaption></figcaption></figure>

## Alerts per day by severity over the last two weeks

```kusto
panther_signals.public.signal_alerts
| where p_event_time > time.ago(14d)
| extend bucket=time.trunc('day', p_event_time)
| summarize eventcount=agg.count() by bucket, severity
| summarize eventcount=agg.sum(eventcount) by bucket, severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort bucket asc, severity_sort_key asc
| visualize line xcolumn=bucket, ycolumn=eventcount, series=severity, legend=bottom, title="Panther alerts per day over the last 14 days"
```

This query uses:

* Operators: [`where`](/ko/pantherflow/operators/where.md), [`extend`](/ko/pantherflow/operators/extend.md), [`summarize`](/ko/pantherflow/operators/summarize.md), [`sort`](/ko/pantherflow/operators/sort.md), and [`visualize`](/ko/pantherflow/operators/visualize.md)
* Functions: [`time.ago()`](https://docs.panther.com/ko/pantherflow/example-queries/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.ago), [`time.trunc()`](https://docs.panther.com/ko/pantherflow/example-queries/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.trunc), [`agg.count()`](https://docs.panther.com/ko/pantherflow/example-queries/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.count), [`agg.sum()`](https://docs.panther.com/ko/pantherflow/example-queries/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.sum), and [`case()`](/ko/pantherflow/functions/control-flow.md#case)

The second `summarize` only re-sums what the first one already counted, so it does not change the result here; that shape becomes necessary when zero-count rows are unioned in, as in the hourly example further down. Days with no alerts of a given severity are simply missing from that series rather than plotted as zero.

Example output:

<figure><img src="/files/6ce0462aec518cf2b1ea88471f22aa2a8f27d4d7" alt=""><figcaption></figcaption></figure>

## Mean time to resolve by severity

```kusto
let update_actions = panther_logs.public.panther_audit
| where actionName == 'UPDATE_ALERT_STATUS' and actionParams.dynamic.input.status == "RESOLVED" and p_event_time > time.ago(14d)
| extend alertId = actionParams.dynamic.input.ids
| extend resolved_timestamp = timestamp
| project resolved_timestamp, actionParams, actionName, alertId;

let alerts = panther_signals.public.signal_alerts
| where p_event_time > time.ago(365d)
| project creationTime, updateTime, status, severity, alertId;

alerts
| join kind=inner record=(update_actions) on $left.alertId in $right.alertId
| extend resolved_timestamp = record.resolved_timestamp
| extend ttr = time.diff("m", creationTime, resolved_timestamp)
| summarize minutes=agg.avg(ttr) by severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort severity_sort_key asc
| visualize bar orientation=horizontal, legend=right, title="Mean time to resolve by severity (minutes)"
```

This query uses:

* The [`let` statement](/ko/pantherflow/statements.md#let-statements)
* Operators: [`where`](/ko/pantherflow/operators/where.md), [`extend`](/ko/pantherflow/operators/extend.md), [`project`](/ko/pantherflow/operators/project.md), [`join`](/ko/pantherflow/operators/join.md), [`summarize`](/ko/pantherflow/operators/summarize.md), [`sort`](/ko/pantherflow/operators/sort.md), and [`visualize`](/ko/pantherflow/operators/visualize.md)
* Functions: [`time.ago()`](https://docs.panther.com/ko/pantherflow/example-queries/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.ago), [`time.diff()`](https://docs.panther.com/ko/pantherflow/example-queries/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.diff), [`agg.avg()`](https://docs.panther.com/ko/pantherflow/example-queries/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.avg), and [`case()`](/ko/pantherflow/functions/control-flow.md#case)

`actionParams.dynamic.input.ids` is a list, because one `UPDATE_ALERT_STATUS` action can resolve several alerts at once; that is why the join condition is `$left.alertId in $right.alertId` rather than an equality. Each resolution action contributes one row, so an alert that was reopened and resolved again is counted once per resolution, and because this is a plain mean, a handful of alerts left open for days will dominate the figure for that severity. The alert lookback (365 days) is much longer than the audit lookback (14 days), which lets an alert created well before the window but resolved inside it still be matched.

Example output:

<figure><img src="/files/546b670bd584a3db6bf700d7a8d862bcb8a56ee9" alt=""><figcaption></figcaption></figure>
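The mean above only sees alerts that were resolved; the alerts nobody has touched are invisible to it, and those are usually the ones a SOC lead needs to know about. The following query is added here as an example and is not part of the original page: it reports the open backlog per severity together with the age of the oldest open alert. The status value `"OPEN"`, the 30-day lookback and the unit `"h"` for `time.diff()` (the page only shows `"m"`, while `time.add()` uses `"h"`) are assumptions; check them against your tenant before relying on the numbers.

```kusto
// Added example, not from the original page: open alert backlog per severity.
// "OPEN" as the status value and the 30d lookback are assumed values.
panther_signals.public.signal_alerts
| where p_event_time > time.ago(30d) and status == "OPEN"
// hours the alert has been open so far (unit "h" is assumed to be accepted by time.diff)
| extend age_hours = time.diff("h", creationTime, time.now())
| summarize open_alerts=agg.count(), oldest_open_hours=agg.max(age_hours), mean_open_hours=agg.avg(age_hours) by severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
// most urgent severities first
| sort severity_sort_key desc
```

Read `oldest_open_hours` next to the mean-time-to-resolve chart: a short mean for CRITICAL combined with a large oldest-open value means the team closes the easy cases quickly while a few hard ones sit untouched. Append the same `visualize bar orientation=horizontal` line used above to chart it.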

## Alerts created per hour by severity

```kusto
let all_times = range N from 0 to 23 step 1
| project bucket=time.add(time.now(), -1*N, "h")
| project bucket=time.trunc('hour', bucket);

let all_alerts = panther_signals.public.signal_alerts
| where p_event_time > time.ago(3d)
| summarize by severity;

let zeroes = all_times
| join kind=cross alerts=(all_alerts)
| project bucket, severity=alerts.severity, eventcount=0;

panther_signals.public.signal_alerts
| where p_event_time > time.ago(3d)
| extend bucket=time.trunc('hour', p_event_time)
| summarize eventcount=agg.count() by bucket, severity
| union zeroes
| summarize eventcount=agg.sum(eventcount) by bucket, severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort bucket asc, severity_sort_key asc
| visualize line xcolumn=bucket, ycolumn=eventcount, series=severity, legend=bottom, title="Panther alerts per hour over the last day by severity"
```

This query uses:

* The [`let` statement](/ko/pantherflow/statements.md#let-statements)
* Operators: [`range`](/ko/pantherflow/operators/range.md), [`project`](/ko/pantherflow/operators/project.md), [`where`](/ko/pantherflow/operators/where.md), [`summarize`](/ko/pantherflow/operators/summarize.md), [`join`](/ko/pantherflow/operators/join.md), [`extend`](/ko/pantherflow/operators/extend.md), [`union`](/ko/pantherflow/operators/union.md), [`sort`](/ko/pantherflow/operators/sort.md), and [`visualize`](/ko/pantherflow/operators/visualize.md)
* Functions: [`time.trunc()`](https://docs.panther.com/ko/pantherflow/example-queries/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.trunc), [`time.ago()`](https://docs.panther.com/ko/pantherflow/example-queries/pages/fd7f081827d975ce84e4194b201dbd8b50df09a1#time.ago), [`agg.count()`](https://docs.panther.com/ko/pantherflow/example-queries/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.count), [`agg.sum()`](https://docs.panther.com/ko/pantherflow/example-queries/pages/c558177b40b82223aa5247e48b550d9e8e0ee9b1#agg.sum), and [`case()`](/ko/pantherflow/functions/control-flow.md#case)

The point of `zeroes` is to make quiet hours show up as zero instead of as gaps in the line, which is what makes a sudden drop in alert volume (a broken detection pipeline, or a log source that stopped) visible on the chart. Two limits of this version are worth knowing: `range` generates only the last 24 hourly buckets while the alert data covers 3 days, so hours before that are zero-filled only if they had at least one alert (set the `range` upper bound to 71 to cover the whole 3-day window), and the zero rows are built from the severities actually seen in the window (`summarize by severity`), so a severity with no alerts at all in 3 days gets no series rather than a flat zero line.

Example output:

<figure><img src="/files/be4e6fbf76b30c6fd4912d0055ce0957b1379b2c" alt=""><figcaption></figcaption></figure>

