PantherFlow Examples: SOC Operations

View log sources that last received data

union panther_logs.public.*
| where p_event_time > time.ago(1d)
| summarize last_received_data=agg.max(p_parse_time) by p_source_label, p_source_id
| sort last_received_data desc

This query leverages summarize, sort, and agg.max().

Example output:

Alert count by severity

This query leverages:

• Operators where, summarize, extend, sort, visualize,

• Functions: time.ago(), agg.count(), and case()

Example output:

Alerts by severity per day over the past two weeks

This query leverages:

• Operators: where, extend, summarize, sort, and visualize

• Functions: time.ago(), time.trunc(), agg.count(), agg.sum(), and case()

Example output:\

Mean time to resolution by severity

This query leverages:

• let statement functionality

• Operators: where, extend, project, join, summarize, sort, and visualize

• Functions: time.ago(), time.diff(), agg.avg(), and case()

Example output:

Alerts created per hour by severity

This query leverages:

• let statement functionality

• Operators: range, project, where, summarize, join, extend, union, sort, and visualize

• Functions: time.trunc(), time.ago(), agg.count(), agg.sum(), case()

Example output: