PantherFlow Quick Reference

Overview of PantherFlow functionality

PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Statements

PantherFlow queries are made up of one or more statements. There are two types of statements:

Tabular expression statement: Identifies a data source and can include operators separated by pipes

panther_logs.public.aws_cloudtrail
| where accountId != '1234567'
| summarize Count=agg.count() by eventName
| extend tooHigh = Count > 100

Let statement: Assigns a tabular expression statement to a variable

let subquery_name = mytable
| where foo == 'bar';

subquery_name
| where baz == 'quark'

Operators

Name Description Example

Name	Description	Example
<from>	Get data from table	`table1`
`datatable`	Use provided test data	`datatable [{"foo":"bar"}]`
`extend`	Add a new field	`T \| extend foo=bar`
`join`	Join with another table	`T \| join kind:inner dest=(foo) on $left.id == $right.id`
`limit`	Limit the number of rows	`T \| limit 10`
`project`	Show only certain fields	`T \| project foo, bar`
`sort`	Sort	`T \| sort time`
`search`	Text search for a value	`T \| search 'foo'`
`summarize`	Aggregate	`T \| summarize agg.count() by foo`
`union`	Query multiple tables	`T \| union table1, table2`
`where`	Filter	`T \| where foo == bar`

<from>

Get data from table

table1

datatable

Use provided test data

datatable [{"foo":"bar"}]

extend

Add a new field

T | extend foo=bar

join

Join with another table

T | join kind:inner dest=(foo) on $left.id == $right.id

limit

Limit the number of rows

T | limit 10

project

Show only certain fields

T | project foo, bar

sort

Sort

T | sort time

search

Text search for a value

T | search 'foo'

summarize

Aggregate

T | summarize agg.count() by foo

union

Query multiple tables

T | union table1, table2

where

Filter

T | where foo == bar

Data types

Data type Example acceptable values

Data type	Example acceptable values
Integer	`1`, `-1`
Double	`1.0`, `-1.0`
String	`'foo'`, `"foo"`
Boolean	`true`, `false`
Date	`2023-06-01`, `time.parse_date('2023-06-01')`
Timestamp	`2023-06-01`, `time.parse_timestamp('2023-06-01 13:14:15.00Z')`
Timespan	`15s`, `2d`, `time.parse_timespan('1d')`
Object	`{key1: value1, key2: value2}`, `object('key1', 'foo', 'key2', 1)`
Array	`[A, B, C]`, `array('apple', 'orange')`
Table	`tableName`
Column	`columnName`
Null	`null`

1, -1

1.0, -1.0

'foo', "foo"

true, false

2023-06-01, time.parse_date('2023-06-01')

Timestamp

2023-06-01, time.parse_timestamp('2023-06-01 13:14:15.00Z')