PantherFlow Example Queries

Overview

See additional PantherFlow query examples on Scheduled Search Examples.

panther_audit query examples

Query the panther_logs.public.panther_audit table:

panther_logs.public.panther_audit

Return up to 10 results:

panther_logs.public.panther_audit
| limit 10

Sort by p_event_time:

panther_logs.public.panther_audit
| sort p_event_time desc
| limit 10

Filter on the last 24 hours:

panther_logs.public.panther_audit
| where p_event_time > time.now() - 1d
| sort p_event_time desc
| limit 10

Filter on timestamp:

Filter on a nested field (using dot notation)

Filter on a nested field (using bracket notation)

Check that a deeply nested value within an array exists (i.e., is not null)

Count events:

Count number of actions:

Only show rare actions: