PantherFlow Statements
There are two types of PantherFlow query statements
A PantherFlow query is composed of one or more statements. There are two types of statements: tabular expression statements and let statements.
Multiple statements in the same query must be separated by semicolons (;). The final statement does not need a semicolon.

Tabular expression statement
A tabular expression statement is usually what comes to mind when you hear "piped query": it is composed of a data source and typically one or more operators, separated by the pipe character (|). Each operator takes in data, performs its operation, then passes the transformed data on to the next operator.
Each PantherFlow query must specify a data source. Several kinds of data source are possible, including a table variable defined in a let statement (see below).

let statements
A let statement assigns a value to a variable that can be used in subsequent statements. let statements can define two types of variables:
Table variable: Represents a tabular expression, and can later be used like a table
Scalar variable: Represents a scalar value, or an expression that evaluates to a scalar value
Variables must be defined in a let statement before they are referenced. All let statements must end in a semicolon (;) when followed by another statement.

Table variables
A table variable is created when you assign a tabular expression statement to a variable using let. It can then be referred to as you would a tabular expression statement (i.e., it is one of the possible data sources).
The tabular expression statement assigned to a table variable is not executed until the variable is referred to, or "called," in a subsequent statement.
Naming your query with a table variable can be useful when you:
Don't want to write out the same query more than once
Want to make it easier for others to understand what your query is doing
You can use table variables wherever you would refer to a dataset.
Examples
The following example declares a table variable, elbOK. Below, elbOK is executed exactly as it is defined in the let statement:
Here, an additional operator is applied to elbOK within the tabular expression statement:

Scalar variables
A scalar variable is created when you assign a non-tabular expression to a variable. Scalar variables can then be referenced throughout subsequent queries.
Declaring scalar variables can be useful when you want to:
Make your queries more readable and maintainable, especially when using the same value multiple times
Name values that would otherwise be misunderstood
Examples
The following example declares a scalar variable, threshold, then references it in a clause:
The value of a scalar variable can itself be an expression, and a scalar variable can be used as a parameter to a function:
You can also use arithmetic expressions with scalar variables:
You can combine scalar and table variables for powerful queries:

Variable naming rules
Variable names must adhere to the following rules:
The first character must be a letter, underscore (_), or dollar sign ($).
Characters after the first character must be letters, numbers, or underscores.
Existing table names cannot be used as variable names. For example, if a table already exists named aws_cloudtrail, you cannot use aws_cloudtrail as a variable name.
Once a variable name has been used, it cannot be used again in the same PantherFlow search. That is, variables cannot be redefined.
Examples
Valid: myVar123, my_var, _my_var, $my_var
Invalid: 123myVar (starts with number), my-var (invalid character), my.var (invalid character), my_var$ ($ only allowed as first character)
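The variable naming rules above can be checked mechanically. The following is an added example, not Panther's own code: it models the four rules (allowed first character, allowed later characters, no clash with an existing table name, no redefinition within one query) and is exercised with the valid and invalid names the page lists. The set of existing table names is a constructed assumption; only aws_cloudtrail comes from the page.

```python
import re

# Constructed sample of existing table names. Only aws_cloudtrail is taken
# from the page; the rest of the catalogue is an assumption for this example.
EXISTING_TABLES = {"aws_cloudtrail", "aws_alb"}

# First character: ASCII letter, underscore or dollar sign.
# Later characters: ASCII letters, digits or underscores, so "$" is only
# accepted in the first position.
_NAME_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_]*$")


def check_variable_name(name, existing_tables=EXISTING_TABLES, declared=()):
    """Return (ok, reason) for a proposed let-variable name.

    `declared` holds names already defined earlier in the same query;
    PantherFlow variables cannot be redefined, so a repeat is rejected.
    """
    if not name:
        return False, "empty name"
    if not _NAME_RE.match(name):
        # Distinguish the two failure modes the page calls out by name.
        if name[0].isdigit():
            return False, "starts with number"
        if "$" in name[1:]:
            return False, "$ only allowed as first character"
        return False, "invalid character"
    if name in existing_tables:
        return False, "existing table name"
    if name in declared:
        return False, "variable already defined"
    return True, "ok"


def check_let_statements(names, existing_tables=EXISTING_TABLES):
    """Validate the let-variable names of one query, in statement order.

    Returns a list of (name, ok, reason). A name that passes is recorded as
    declared so that a later let statement reusing it is rejected.
    """
    declared = set()
    results = []
    for name in names:
        ok, reason = check_variable_name(name, existing_tables, declared)
        if ok:
            declared.add(name)
        results.append((name, ok, reason))
    return results
```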