PantherFlow Quick Reference

Overview of PantherFlow functionality

PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Statements

PantherFlow queries are made up of one or more statements. There are two types of statements:

: Identifies a data source and can include operators separated by pipes

panther_logs.public.aws_cloudtrail
| where accountId != '1234567'
| summarize Count=agg.count() by eventName
| extend tooHigh = Count > 100

: Assigns a tabular expression statement to a variable

let subquery_name = mytable
| where foo == 'bar';

subquery_name
| where baz == 'quark'

Operators

Name

Description

Example

<from>

Get data from table

table1

datatable

Use provided test data

datatable [{"foo":"bar"}]

extend

Add a new field

T | extend foo=bar

join

Join with another table

T | join kind:inner dest=(foo) on $left.id == $right.id

limit

Limit the number of rows

T | limit 10

project

Show only certain fields

T | project foo, bar

sort

Sort

T | sort time

search

Text search for a value

T | search 'foo'

summarize

Aggregate

T | summarize agg.count() by foo

union

Query multiple tables

T | union table1, table2

visualize

Generate chart

T | visualize line

where

Filter

T | where foo == bar

Data types

Data type

Example acceptable values

1, -1

1.0, -1.0

'foo', "foo"

true, false

time.parse_timestamp('2023-06-01 13:14:15.00Z'), time.parse_timestamp('2023-06-01')

15s, 2d, time.parse_timespan('1d')

{key1: value1, key2: value2}, object('key1', 'foo', 'key2', 1)

[A, B, C], array('apple', 'orange')

tableName

columnName

null

Expressions

References

Comparisons

Functions

Aggregations

Date/time

Strings

Arrays

Math

Control flow

Data types

Other

Comments

Write a comment with two slashes:

// a comment

PreviousPantherFlow (Beta)NextPantherFlow Statements

Last updated 3 months ago

Was this helpful?