PantherFlow Quick Reference

Statements

PantherFlow queries are made up of one or more statements. There are two types of statements:

• Tabular expression statement: Identifies a data source and can include operators separated by pipes

  Copy

  panther_logs.public.aws_cloudtrail
  | where accountId != '1234567'
  | summarize Count=agg.count() by eventName
  | extend tooHigh = Count > 100

• Let statement: Assigns a tabular expression or a scalar expression to a variable

  Copy

  // Defining a table variable
  let subquery_name = mytable
  | where foo == 'bar';
  
  // Defining a scalar variable
  let my_search_term = 'quark'
  
  // Referencing table variable and scalar variable
  subquery_name
  | where baz == my_search_term

Operators

Data types

Expressions

References

• Array: array[X]

• Objects: object['X'], object.X

Comparisons

• Equality: ==, !=

• Boolean: and, or, not

• Numerical: <, <=, >, >=, +, -, *, /, %

• Arrays: in, not in

• Between: between, not between

Functions

• Anonymous functions: fn ([arg1] [, arg2...]]) { <expr> }

Functions

Aggregations

• agg.avg()

• agg.count()

• agg.count_distinct()

• agg.make_set()

• agg.max()

• agg.min()

• agg.percentile_cont()

• agg.stddev()

• agg.sum()

• agg.take_any()

Date/time

• time.add()

• time.ago()

• time.diff()

• time.now()

• time.parse_timespan()

• time.parse_timestamp()

• time.slice()

• time.trunc()

Strings

• strings.cat()

• strings.contains()

• strings.ends_with()

• strings.ilike()

• strings.join()

• strings.len()

• strings.like()

• strings.lower()

• strings.split()

• strings.starts_with()

• strings.upper()

Arrays

• arrays.difference()

• arrays.filter()

• arrays.flatten()

• arrays.intersection()

• arrays.len()

• arrays.map()

• arrays.overlap()

• arrays.sort()

• arrays.union()

Math

• math.abs()

• math.ceil()

• math.floor()

• math.round()

Control flow

• case()

Data types

• array()

• object()

Other

• coalesce()

• toscalar()

Comments

Write a comment with two slashes: