View log sources that last received data
union panther_logs.public.*
| where p_event_time > time.ago(1d)
| summarize last_received_data=agg.max(p_parse_time) by p_source_label, p_source_id
| sort last_received_data desc
This query leverages , , and .
Example output:
Alert count by severity
panther_signals.public.signal_alerts
| where p_event_time > time.ago(14d)
| summarize alert_count = agg.count() by severity
| extend sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort sort_key asc
| visualize bar orientation=horizontal
This query leverages:
Example output:
Alerts by severity per day over the past two weeks
panther_signals.public.signal_alerts
| where p_event_time > time.ago(14d)
| extend bucket=time.trunc('day', p_event_time)
| summarize eventcount=agg.count() by bucket, severity
| summarize eventcount=agg.sum(eventcount) by bucket, severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort bucket asc, severity_sort_key asc
| visualize line xcolumn=bucket, ycolumn=eventcount, series=severity, legend=bottom, title="Count of Panther Alerts Per Day Severity Over Last 14 days"
This query leverages:
Example output:
Mean time to resolution by severity
let update_actions = panther_logs.public.panther_audit
| where actionName == 'UPDATE_ALERT_STATUS' and actionParams.dynamic.input.status == "RESOLVED" and p_event_time > time.ago(14d)
| extend alertId = actionParams.dynamic.input.ids
| extend resolved_timestamp = timestamp
| project resolved_timestamp, actionParams, actionName, alertId;
let alerts = panther_signals.public.signal_alerts
| where p_event_time > time.ago(365d)
| project creationTime, updateTime, status, severity, alertId;
alerts
| join kind=inner record=(update_actions) on $left.alertId in $right.alertId
| extend resolved_timestamp = record.resolved_timestamp
| extend ttr = time.diff("m", creationTime, resolved_timestamp)
| summarize minutes=agg.avg(ttr) by severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort severity_sort_key asc
| visualize bar orientation=horizontal, legend=right, title="Mean Time (minutes) to Resolution by Severity"
This query leverages:
Example output:
Alerts created per hour by severity
let all_times = range N from 0 to 23 step 1
| project bucket=time.add(time.now(), -1*N, "h")
| project bucket=time.trunc('hour', bucket);
let all_alerts = panther_signals.public.signal_alerts
| where p_event_time > time.ago(3d)
| summarize by severity;
let zeroes = all_times
| join kind=cross alerts=(all_alerts)
| project bucket, severity=alerts.severity, eventcount=0;
panther_signals.public.signal_alerts
| where p_event_time > time.ago(3d)
| extend bucket=time.trunc('hour', p_event_time)
| summarize eventcount=agg.count() by bucket, severity
| union zeroes
| summarize eventcount=agg.sum(eventcount) by bucket, severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort bucket asc, severity_sort_key asc
| visualize line xcolumn=bucket, ycolumn=eventcount, series=severity, legend=bottom, title="Count of Panther Alerts Per Day Severity Over Last day"
This query leverages:
Example output:
