PantherFlow Examples: SOC Operations

View log sources that last received data

union panther_logs.public.*
| where p_event_time > time.ago(1d)
| summarize last_received_data=agg.max(p_parse_time) by p_source_label, p_source_id
| sort last_received_data desc

This query leverages summarize, sort, and agg.max().

Example output:

Alert count by severity

panther_signals.public.signal_alerts
| where p_event_time > time.ago(14d)
| summarize alert_count = agg.count() by severity
| extend sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort sort_key asc
| visualize bar orientation=horizontal

This query leverages:

Operators where, summarize, extend, sort, visualize,
Functions: time.ago(), agg.count(), and case()

Example output:

Alerts by severity per day over the past two weeks

panther_signals.public.signal_alerts
| where p_event_time > time.ago(14d)
| extend bucket=time.trunc('day', p_event_time)
| summarize eventcount=agg.count() by bucket, severity
| summarize eventcount=agg.sum(eventcount) by bucket, severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort bucket asc, severity_sort_key asc
| visualize line xcolumn=bucket, ycolumn=eventcount, series=severity, legend=bottom, title="Count of Panther Alerts Per Day Severity Over Last 14 days"

This query leverages:

Operators: where, extend, summarize, sort, and visualize
Functions: time.ago(), time.trunc(), agg.count(), agg.sum(), and case()

Example output:\

Mean time to resolution by severity

let update_actions = panther_logs.public.panther_audit
| where actionName == 'UPDATE_ALERT_STATUS' and actionParams.dynamic.input.status == "RESOLVED" and p_event_time > time.ago(14d) 
| extend alertId = actionParams.dynamic.input.ids
| extend resolved_timestamp = timestamp
| project resolved_timestamp, actionParams, actionName, alertId;

let alerts = panther_signals.public.signal_alerts
| where p_event_time > time.ago(365d)
| project creationTime, updateTime, status, severity, alertId;

alerts 
| join kind=inner record=(update_actions) on $left.alertId in $right.alertId
| extend resolved_timestamp = record.resolved_timestamp
| extend ttr = time.diff("m", creationTime, resolved_timestamp)
| summarize minutes=agg.avg(ttr) by severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort severity_sort_key asc
| visualize bar orientation=horizontal, legend=right, title="Mean Time (minutes) to Resolution by Severity"

This query leverages:

let statement functionality
Operators: where, extend, project, join, summarize, sort, and visualize
Functions: time.ago(), time.diff(), agg.avg(), and case()

Example output:

Alerts created per hour by severity

let all_times = range N from 0 to 23 step 1 
| project bucket=time.add(time.now(), -1*N, "h") 
| project bucket=time.trunc('hour', bucket);

let all_alerts = panther_signals.public.signal_alerts
| where p_event_time > time.ago(3d)
| summarize by severity;

let zeroes = all_times
| join kind=cross alerts=(all_alerts)
| project bucket, severity=alerts.severity, eventcount=0;

panther_signals.public.signal_alerts
| where p_event_time > time.ago(3d)
| extend bucket=time.trunc('hour', p_event_time)
| summarize eventcount=agg.count() by bucket, severity
| union zeroes
| summarize eventcount=agg.sum(eventcount) by bucket, severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort bucket asc, severity_sort_key asc
| visualize line xcolumn=bucket, ycolumn=eventcount, series=severity, legend=bottom, title="Count of Panther Alerts Per Day Severity Over Last day"

This query leverages:

let statement functionality
Operators: range, project, where, summarize, join, extend, union, sort, and visualize
Functions: time.trunc(), time.ago(), agg.count(), agg.sum(), case()

Example output:

PreviousPantherFlow Examples: Threat Hunting Scenarios NextPantherFlow Examples: Panther Audit Logs

Last updated 7 months ago

Was this helpful?