PantherFlow Quick Reference

Overview of PantherFlow functionality

PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Statements

PantherFlow queries are made up of one or more statements. There are two types of statements:

Tabular expression statement: Identifies a data source and can include operators separated by pipes

panther_logs.public.aws_cloudtrail
| where accountId != '1234567'
| summarize Count=agg.count() by eventName
| extend tooHigh = Count > 100

Let statement: Assigns a tabular expression statement to a variable

let subquery_name = mytable
| where foo == 'bar';

subquery_name
| where baz == 'quark'

Operators

Name

Description

Example

<from>

Get data from table

table1

datatable

Use provided test data

datatable [{"foo":"bar"}]

extend

Add a new field

T | extend foo=bar

join

Join with another table

T | join kind:inner dest=(foo) on $left.id == $right.id

limit

Limit the number of rows

T | limit 10

project

Show only certain fields

T | project foo, bar

sort

Sort

T | sort time

search

Text search for a value

T | search 'foo'

summarize

Aggregate

T | summarize agg.count() by foo

union

Query multiple tables

T | union table1, table2

visualize

Generate chart

T | visualize line

where

Filter

T | where foo == bar

Data types

Data type

Example acceptable values

1, -1

1.0, -1.0

'foo', "foo"

true, false

time.parse_timestamp('2023-06-01 13:14:15.00Z'), time.parse_timestamp('2023-06-01')

Timespan

15s, 2d, time.parse_timespan('1d')

Object

{key1: value1, key2: value2}, object('key1', 'foo', 'key2', 1)

Array

[A, B, C], array('apple', 'orange')

Table

tableName

Column

columnName

Null

null

Expressions

References

Array: array[X]
Objects: object['X'], object.X

Comparisons

Equality: ==, !=
Boolean: and, or, not
Numerical: <, <=, >, >=, +, -, *, /, %
Arrays: in, not in
Between: between, not between

Functions

Aggregations

Date/time

Strings

Arrays

Math

math.round()

Control flow

case()

Data types

Other

Comments

Write a comment with two slashes:

// a comment

PreviousPantherFlow (Beta)NextPantherFlow Statements

Last updated 1 year ago

Was this helpful?

hashtagStatements

hashtagOperators

hashtagData types

hashtagExpressions

hashtagReferences

hashtagComparisons

hashtagFunctions

hashtagAggregations

hashtagDate/time

hashtagStrings

hashtagArrays

hashtagMath

hashtagControl flow

hashtagData types

hashtagOther

hashtagComments

Statements

Operators

Data types

Expressions

References

Comparisons

Functions

Aggregations

Date/time

Strings

Arrays

Math

Control flow

Data types

Other

Comments