PantherFlow Quick Reference

Overview of PantherFlow functionality

PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Statements

PantherFlow queries are made up of one or more statements. There are two types of statements:

Tabular expression statement: Identifies a data source and can include operators separated by pipes

panther_logs.public.aws_cloudtrail
| where accountId != '1234567'
| summarize Count=agg.count() by eventName
| extend tooHigh = Count > 100

Let statement: Assigns a tabular expression statement to a variable

let subquery_name = mytable
| where foo == 'bar';

subquery_name
| where baz == 'quark'

Operators

Name Description Example

Name	Description	Example
<from>	Get data from table	`table1`
	Use provided test data	`datatable [{"foo":"bar"}]`
	Add a new field	`T \| extend foo=bar`
	Join with another table	`T \| join kind:inner dest=(foo) on $left.id == $right.id`
	Limit the number of rows	`T \| limit 10`
	Show only certain fields	`T \| project foo, bar`
	Sort	`T \| sort time`
	Text search for a value	`T \| search 'foo'`
	Aggregate	`T \| summarize agg.count() by foo`
	Query multiple tables	`T \| union table1, table2`
	Filter	`T \| where foo == bar`

<from>

Get data from table

table1

Use provided test data

datatable [{"foo":"bar"}]

Add a new field

T | extend foo=bar

Join with another table

T | join kind:inner dest=(foo) on $left.id == $right.id

Limit the number of rows

T | limit 10

Show only certain fields

T | project foo, bar

Sort

T | sort time

Text search for a value

T | search 'foo'

Aggregate

T | summarize agg.count() by foo

Query multiple tables

T | union table1, table2

Filter

T | where foo == bar

Data types

Data type Example acceptable values

Data type	Example acceptable values
	`1`, `-1`
	`1.0`, `-1.0`
	`'foo'`, `"foo"`
	`true`, `false`
	`2023-06-01`, `time.parse_date('2023-06-01')`
	`2023-06-01`, `time.parse_timestamp('2023-06-01 13:14:15.00Z')`
	`15s`, `2d`, `time.parse_timespan('1d')`
	`{key1: value1, key2: value2}`, `object('key1', 'foo', 'key2', 1)`
	`[A, B, C]`, `array('apple', 'orange')`
	`tableName`
	`columnName`
	`null`

1, -1

1.0, -1.0

'foo', "foo"

true, false

2023-06-01, time.parse_date('2023-06-01')

2023-06-01, time.parse_timestamp('2023-06-01 13:14:15.00Z')

15s, 2d, time.parse_timespan('1d')

{key1: value1, key2: value2}, object('key1', 'foo', 'key2', 1)

[A, B, C], array('apple', 'orange')

tableName

columnName

null

Expressions

References

Array: array[X]
Objects: object['X'], object.X

Comparisons

Equality: ==, !=
Boolean: and, or, not
Numerical: <, <=, >, >=, +, -, *, /, %
Arrays: in, not in
Between: between, not between

Functions

Aggregations

Date/time

Strings

Arrays

Math

math.round()

Control flow

case()

Data types

Other

Comments

Write a comment with two slashes:

// a comment

PreviousPantherFlow NextPantherFlow Statements

Last updated 1 month ago