# PantherFlow Examples: SOC Operations

## View log sources that last received data

```kusto
union panther_logs.public.*
| where p_event_time > time.ago(1d)
| summarize last_received_data=agg.max(p_parse_time) by p_source_label, p_source_id
| sort last_received_data desc
```

This query leverages [`summarize`](https://docs.panther.com/pantherflow/operators/summarize), [`sort`](https://docs.panther.com/pantherflow/operators/sort), and [`agg.max()`](https://docs.panther.com/functions/aggregation#agg.max).

Example output:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-703e9985d179c56492c502d1b9c7cbae9921dcca%2FScreenshot%202025-03-12%20at%204.36.24%E2%80%AFPM.png?alt=media" alt=""><figcaption></figcaption></figure>

## Alert count by severity

```kusto
panther_signals.public.signal_alerts
| where p_event_time > time.ago(14d)
| summarize alert_count = agg.count() by severity
| extend sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort sort_key asc
| visualize bar orientation=horizontal
```

This query leverages:

* Operators [`where`](https://docs.panther.com/pantherflow/operators/where), [`summarize`](https://docs.panther.com/pantherflow/operators/summarize), [`extend`](https://docs.panther.com/pantherflow/operators/extend), [`sort`](https://docs.panther.com/pantherflow/operators/sort), [`visualize`](https://docs.panther.com/pantherflow/operators/visualize),
* Functions: [`time.ago()`](https://docs.panther.com/functions/date-time#time.ago), [`agg.count()`](https://docs.panther.com/functions/aggregation#agg.count), and [`case()`](https://docs.panther.com/functions/control-flow#case)

Example output:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-f3ea50a0d3c2fece91aae542573b46fe546e47f8%2FScreenshot%202025-03-18%20at%2010.34.28%E2%80%AFAM.png?alt=media" alt=""><figcaption></figcaption></figure>

## Alerts by severity per day over the past two weeks

```kusto
panther_signals.public.signal_alerts
| where p_event_time > time.ago(14d)
| extend bucket=time.trunc('day', p_event_time)
| summarize eventcount=agg.count() by bucket, severity
| summarize eventcount=agg.sum(eventcount) by bucket, severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort bucket asc, severity_sort_key asc
| visualize line xcolumn=bucket, ycolumn=eventcount, series=severity, legend=bottom, title="Count of Panther Alerts Per Day Severity Over Last 14 days"
```

This query leverages:

* Operators: [`where`](https://docs.panther.com/pantherflow/operators/where), [`extend`](https://docs.panther.com/pantherflow/operators/extend), [`summarize`](https://docs.panther.com/pantherflow/operators/summarize), [`sort`](https://docs.panther.com/pantherflow/operators/sort), and [`visualize`](https://docs.panther.com/pantherflow/operators/visualize)
* Functions: [`time.ago()`](https://docs.panther.com/functions/date-time#time.ago), [`time.trunc()`](https://docs.panther.com/functions/date-time#time.trunc), [`agg.count()`](https://docs.panther.com/functions/aggregation#agg.count), [`agg.sum()`](https://docs.panther.com/functions/aggregation#agg.sum), and [`case()`](https://docs.panther.com/functions/control-flow#case)

Example output:\\

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-fec22b0856c85b563908b3eac93c82dec9af7259%2FScreenshot%202025-03-18%20at%2010.38.22%E2%80%AFAM.png?alt=media" alt=""><figcaption></figcaption></figure>

## Mean time to resolution by severity

```kusto
let update_actions = panther_logs.public.panther_audit
| where actionName == 'UPDATE_ALERT_STATUS' and actionParams.dynamic.input.status == "RESOLVED" and p_event_time > time.ago(14d) 
| extend alertId = actionParams.dynamic.input.ids
| extend resolved_timestamp = timestamp
| project resolved_timestamp, actionParams, actionName, alertId;

let alerts = panther_signals.public.signal_alerts
| where p_event_time > time.ago(365d)
| project creationTime, updateTime, status, severity, alertId;

alerts 
| join kind=inner record=(update_actions) on $left.alertId in $right.alertId
| extend resolved_timestamp = record.resolved_timestamp
| extend ttr = time.diff("m", creationTime, resolved_timestamp)
| summarize minutes=agg.avg(ttr) by severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort severity_sort_key asc
| visualize bar orientation=horizontal, legend=right, title="Mean Time (minutes) to Resolution by Severity"
```

This query leverages:

* [`let` statement](https://docs.panther.com/statements#let-statements) functionality
* Operators: [`where`](https://docs.panther.com/pantherflow/operators/where), [`extend`](https://docs.panther.com/pantherflow/operators/extend), [`project`](https://docs.panther.com/pantherflow/operators/project), [`join`](https://docs.panther.com/pantherflow/operators/join), [`summarize`](https://docs.panther.com/pantherflow/operators/summarize), [`sort`](https://docs.panther.com/pantherflow/operators/sort), and [`visualize`](https://docs.panther.com/pantherflow/operators/visualize)
* Functions: [`time.ago()`](https://docs.panther.com/functions/date-time#time.ago), [`time.diff()`](https://docs.panther.com/functions/date-time#time.diff), [`agg.avg()`](https://docs.panther.com/functions/aggregation#agg.avg), and [`case()`](https://docs.panther.com/functions/control-flow#case)

Example output:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-3f3b4000e0ca3778bca0593ccd2340da6985e731%2FScreenshot%202025-03-18%20at%2010.47.16%E2%80%AFAM.png?alt=media" alt=""><figcaption></figcaption></figure>

## Alerts created per hour by severity

```kusto
let all_times = range N from 0 to 23 step 1 
| project bucket=time.add(time.now(), -1*N, "h") 
| project bucket=time.trunc('hour', bucket);

let all_alerts = panther_signals.public.signal_alerts
| where p_event_time > time.ago(3d)
| summarize by severity;

let zeroes = all_times
| join kind=cross alerts=(all_alerts)
| project bucket, severity=alerts.severity, eventcount=0;

panther_signals.public.signal_alerts
| where p_event_time > time.ago(3d)
| extend bucket=time.trunc('hour', p_event_time)
| summarize eventcount=agg.count() by bucket, severity
| union zeroes
| summarize eventcount=agg.sum(eventcount) by bucket, severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort bucket asc, severity_sort_key asc
| visualize line xcolumn=bucket, ycolumn=eventcount, series=severity, legend=bottom, title="Count of Panther Alerts Per Day Severity Over Last day"
```

This query leverages:

* [`let` statement](https://docs.panther.com/statements#let-statements) functionality
* Operators: [`range`](https://docs.panther.com/pantherflow/operators/range), [`project`](https://docs.panther.com/pantherflow/operators/project), [`where`](https://docs.panther.com/pantherflow/operators/where), [`summarize`](https://docs.panther.com/pantherflow/operators/summarize), [`join`](https://docs.panther.com/pantherflow/operators/join), [`extend`](https://docs.panther.com/pantherflow/operators/extend), [`union`](https://docs.panther.com/pantherflow/operators/union), [`sort`](https://docs.panther.com/pantherflow/operators/sort), and [`visualize`](https://docs.panther.com/pantherflow/operators/visualize)
* Functions: [`time.trunc()`](https://docs.panther.com/functions/date-time#time.trunc), [`time.ago()`](https://docs.panther.com/functions/date-time#time.ago), [`agg.count()`](https://docs.panther.com/functions/aggregation#agg.count), [`agg.sum()`](https://docs.panther.com/functions/aggregation#agg.sum), [`case()`](https://docs.panther.com/functions/control-flow#case)

Example output:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-9f7205835adff3a9a17a3d5cc9635ca3dee6e131%2FScreenshot%202025-03-18%20at%2010.51.28%E2%80%AFAM.png?alt=media" alt=""><figcaption></figcaption></figure>