# PantherFlow Examples: SOC Operations

## View log sources that last received data

```kusto
union panther_logs.public.*
| where p_event_time > time.ago(1d)
| summarize last_received_data=agg.max(p_parse_time) by p_source_label, p_source_id
| sort last_received_data desc
```

This query leverages [`summarize`](https://docs.panther.com/pantherflow/operators/summarize), [`sort`](https://docs.panther.com/pantherflow/operators/sort), and [`agg.max()`](https://docs.panther.com/functions/aggregation#agg.max).

Example output:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-703e9985d179c56492c502d1b9c7cbae9921dcca%2FScreenshot%202025-03-12%20at%204.36.24%E2%80%AFPM.png?alt=media" alt=""><figcaption></figcaption></figure>

## Alert count by severity

```kusto
panther_signals.public.signal_alerts
| where p_event_time > time.ago(14d)
| summarize alert_count = agg.count() by severity
| extend sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort sort_key asc
| visualize bar orientation=horizontal
```

This query leverages:

* Operators [`where`](https://docs.panther.com/pantherflow/operators/where), [`summarize`](https://docs.panther.com/pantherflow/operators/summarize), [`extend`](https://docs.panther.com/pantherflow/operators/extend), [`sort`](https://docs.panther.com/pantherflow/operators/sort), [`visualize`](https://docs.panther.com/pantherflow/operators/visualize),
* Functions: [`time.ago()`](https://docs.panther.com/functions/date-time#time.ago), [`agg.count()`](https://docs.panther.com/functions/aggregation#agg.count), and [`case()`](https://docs.panther.com/functions/control-flow#case)

Example output:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-f3ea50a0d3c2fece91aae542573b46fe546e47f8%2FScreenshot%202025-03-18%20at%2010.34.28%E2%80%AFAM.png?alt=media" alt=""><figcaption></figcaption></figure>

## Alerts by severity per day over the past two weeks

```kusto
panther_signals.public.signal_alerts
| where p_event_time > time.ago(14d)
| extend bucket=time.trunc('day', p_event_time)
| summarize eventcount=agg.count() by bucket, severity
| summarize eventcount=agg.sum(eventcount) by bucket, severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort bucket asc, severity_sort_key asc
| visualize line xcolumn=bucket, ycolumn=eventcount, series=severity, legend=bottom, title="Count of Panther Alerts Per Day Severity Over Last 14 days"
```

This query leverages:

* Operators: [`where`](https://docs.panther.com/pantherflow/operators/where), [`extend`](https://docs.panther.com/pantherflow/operators/extend), [`summarize`](https://docs.panther.com/pantherflow/operators/summarize), [`sort`](https://docs.panther.com/pantherflow/operators/sort), and [`visualize`](https://docs.panther.com/pantherflow/operators/visualize)
* Functions: [`time.ago()`](https://docs.panther.com/functions/date-time#time.ago), [`time.trunc()`](https://docs.panther.com/functions/date-time#time.trunc), [`agg.count()`](https://docs.panther.com/functions/aggregation#agg.count), [`agg.sum()`](https://docs.panther.com/functions/aggregation#agg.sum), and [`case()`](https://docs.panther.com/functions/control-flow#case)

Example output:\\

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-fec22b0856c85b563908b3eac93c82dec9af7259%2FScreenshot%202025-03-18%20at%2010.38.22%E2%80%AFAM.png?alt=media" alt=""><figcaption></figcaption></figure>

## Mean time to resolution by severity

```kusto
let update_actions = panther_logs.public.panther_audit
| where actionName == 'UPDATE_ALERT_STATUS' and actionParams.dynamic.input.status == "RESOLVED" and p_event_time > time.ago(14d) 
| extend alertId = actionParams.dynamic.input.ids
| extend resolved_timestamp = timestamp
| project resolved_timestamp, actionParams, actionName, alertId;

let alerts = panther_signals.public.signal_alerts
| where p_event_time > time.ago(365d)
| project creationTime, updateTime, status, severity, alertId;

alerts 
| join kind=inner record=(update_actions) on $left.alertId in $right.alertId
| extend resolved_timestamp = record.resolved_timestamp
| extend ttr = time.diff("m", creationTime, resolved_timestamp)
| summarize minutes=agg.avg(ttr) by severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort severity_sort_key asc
| visualize bar orientation=horizontal, legend=right, title="Mean Time (minutes) to Resolution by Severity"
```

This query leverages:

* [`let` statement](https://docs.panther.com/statements#let-statements) functionality
* Operators: [`where`](https://docs.panther.com/pantherflow/operators/where), [`extend`](https://docs.panther.com/pantherflow/operators/extend), [`project`](https://docs.panther.com/pantherflow/operators/project), [`join`](https://docs.panther.com/pantherflow/operators/join), [`summarize`](https://docs.panther.com/pantherflow/operators/summarize), [`sort`](https://docs.panther.com/pantherflow/operators/sort), and [`visualize`](https://docs.panther.com/pantherflow/operators/visualize)
* Functions: [`time.ago()`](https://docs.panther.com/functions/date-time#time.ago), [`time.diff()`](https://docs.panther.com/functions/date-time#time.diff), [`agg.avg()`](https://docs.panther.com/functions/aggregation#agg.avg), and [`case()`](https://docs.panther.com/functions/control-flow#case)

Example output:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-3f3b4000e0ca3778bca0593ccd2340da6985e731%2FScreenshot%202025-03-18%20at%2010.47.16%E2%80%AFAM.png?alt=media" alt=""><figcaption></figcaption></figure>

## Alerts created per hour by severity

```kusto
let all_times = range N from 0 to 23 step 1 
| project bucket=time.add(time.now(), -1*N, "h") 
| project bucket=time.trunc('hour', bucket);

let all_alerts = panther_signals.public.signal_alerts
| where p_event_time > time.ago(3d)
| summarize by severity;

let zeroes = all_times
| join kind=cross alerts=(all_alerts)
| project bucket, severity=alerts.severity, eventcount=0;

panther_signals.public.signal_alerts
| where p_event_time > time.ago(3d)
| extend bucket=time.trunc('hour', p_event_time)
| summarize eventcount=agg.count() by bucket, severity
| union zeroes
| summarize eventcount=agg.sum(eventcount) by bucket, severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort bucket asc, severity_sort_key asc
| visualize line xcolumn=bucket, ycolumn=eventcount, series=severity, legend=bottom, title="Count of Panther Alerts Per Day Severity Over Last day"
```

This query leverages:

* [`let` statement](https://docs.panther.com/statements#let-statements) functionality
* Operators: [`range`](https://docs.panther.com/pantherflow/operators/range), [`project`](https://docs.panther.com/pantherflow/operators/project), [`where`](https://docs.panther.com/pantherflow/operators/where), [`summarize`](https://docs.panther.com/pantherflow/operators/summarize), [`join`](https://docs.panther.com/pantherflow/operators/join), [`extend`](https://docs.panther.com/pantherflow/operators/extend), [`union`](https://docs.panther.com/pantherflow/operators/union), [`sort`](https://docs.panther.com/pantherflow/operators/sort), and [`visualize`](https://docs.panther.com/pantherflow/operators/visualize)
* Functions: [`time.trunc()`](https://docs.panther.com/functions/date-time#time.trunc), [`time.ago()`](https://docs.panther.com/functions/date-time#time.ago), [`agg.count()`](https://docs.panther.com/functions/aggregation#agg.count), [`agg.sum()`](https://docs.panther.com/functions/aggregation#agg.sum), [`case()`](https://docs.panther.com/functions/control-flow#case)

Example output:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-9f7205835adff3a9a17a3d5cc9635ca3dee6e131%2FScreenshot%202025-03-18%20at%2010.51.28%E2%80%AFAM.png?alt=media" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.panther.com/pantherflow/example-queries/soc-operations.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.