PantherFlow Example Queries

PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Overview

See additional PantherFlow query examples on Scheduled Search Examples.

`panther_audit` query examples

Query the panther_logs.public.panther_audit table:

panther_logs.public.panther_audit

Return up to 10 results:

panther_logs.public.panther_audit
| limit 10

Sort by p_event_time:

panther_logs.public.panther_audit
| sort p_event_time desc
| limit 10

Filter on the last 24 hours:

panther_logs.public.panther_audit
| where p_event_time > time.now() - 1d
| sort p_event_time desc
| limit 10

Filter on timestamp:

panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| sort p_event_time desc
| limit 10

Filter on a nested field (using dot notation)

panther_logs.public.panther_audit
| where actor.name == "[email protected]"

Filter on a nested field (using bracket notation)

panther_logs.public.panther_audit
| where actor['name'] == "[email protected]"

Check that a deeply nested value within an array exists (i.e., is not null)

panther_logs.public.panther_audit
| where actionParams.dynamic.input.tableProperties[0].propertyId != null

Count events:

panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| summarize row_count=agg.count()

Count number of actions:

panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName

Only show rare actions:

panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
| where num_events < 5
| sort num_events asc

PreviousOther Functions NextEnrichment

Last updated 1 year ago

Was this helpful?