PantherFlow Statements

Overview

A PantherFlow query is composed of one or more statements. There are two types of statements: tabular expression statements and let statements.

Multiple statements in the same query must be separated by semicolons (;). The final statement does not need a semicolon.

Tabular expression statements

A tabular expression statement is usually what comes to mind when you hear "piped query." It is composed of a data source and typically one or more operators, separated by the pipe character (|). Each operator takes in data, performs its operation, then passes the transformed data on to the next operator.

panther_logs.public.aws_cloudtrail
| where accountId != '1234567'
| summarize Count=agg.count() by eventName
| extend tooHigh = Count > 100
| where tooHigh
| sort Count
| limit 10

let statements

A let statement assigns a tabular expression statement to a variable. It can then be referred to and used like a table. A let statement is not executed until it is referred to, or "called," in a subsequent statement.

If a let statement is called by a following tabular expression statement, the let statement must end in a semicolon (;).

Naming your query can be useful when you:

• Don’t want to write out the same query more than once

• Want to make it easier for others to understand what your query is doing

Example

The following example declares a query named elbOK, then refers to it later.

In this example, elbOK is executed exactly as it is defined in the let statement:

let elbOK = panther_logs.public.aws_alb
| where elbStatusCode == 200;

elbOK

Here, an additional operator is applied to elbOK within the tabular expression statement:

let elbOK = panther_logs.public.aws_alb
| where elbStatusCode == 200;

elbOK 
| where p_event_time > time.ago(1h)