PantherFlow Quick Reference
Overview of PantherFlow functionality
Statements
PantherFlow queries are made up of one or more statements, separated by semicolons. There are two types of statements:
Tabular expression statement: Names a data source (a table) and optionally chains operators with the pipe character (|); each operator consumes the rows produced by the one before it. Example:
panther_logs.public.aws_cloudtrail | where accountId != '1234567' | summarize Count=agg.count() by eventName | extend tooHigh = Count > 100
Let statement: Binds a tabular expression statement to a name, which later statements can use as if it were a table. Example:
let subquery_name = mytable | where foo == 'bar'; subquery_name | where baz == 'quark'
Operators
<from>: Reads rows from a table. It is implicit, so a query begins by naming the table. Example: table1
Data types
Integer: 1, -1
Float: 1.0, -1.0
String: 'foo', "foo" (single or double quotes)
Boolean: true, false
Timestamp: time.parse_timestamp('2023-06-01 13:14:15.00Z'), time.parse_timestamp('2023-06-01')
Timespan: 15s, 2d, time.parse_timespan('1d')
Object: {key1: value1, key2: value2}, object('key1', 'foo', 'key2', 1)
Array: [A, B, C], array('apple', 'orange')
Table reference: tableName
Column reference: columnName
Null: null
Expressions
References: A table name or column name used as a value (see Data types above)
Comparisons:
Equality: ==, !=
Boolean: and, or, not
Numerical (comparison and arithmetic): <, <=, >, >=, +, -, *, /, %
Arrays (membership test): in, not in
Between (range test): between, not between
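The following query ties together the statement forms, data types and comparison operators above in one worked example. It is added here and is not from the Panther documentation or the Panther product. It assumes the CloudTrail table named on this page (panther_logs.public.aws_cloudtrail), the standard CloudTrail fields eventName, errorMessage and sourceIPAddress, a Panther-supplied p_event_time timestamp column, and that a pipeline may be split across lines before each pipe; the threshold of 10 failures and the error-message values are illustrative.

```pantherflow
// Added example (not Panther's own code). Assumes the CloudTrail table and
// field names below exist; p_event_time and the threshold are assumptions.

// Let statement: bind a filtered tabular expression to a name.
// 'in' tests membership in an array literal; '>' compares timestamps.
let failedLogins = panther_logs.public.aws_cloudtrail
    | where eventName in ['ConsoleLogin']
    | where errorMessage in ['Failed authentication', 'No username found in supplied account']
    | where p_event_time > time.parse_timestamp('2023-06-01');

// Tabular expression statement: use the bound name as a table.
// summarize keeps only the grouping column and the aggregate, so extend
// must come after it to compute a flag from the aggregate.
failedLogins
    | summarize Failures = agg.count() by sourceIPAddress
    | extend suspicious = Failures >= 10
    | where suspicious == true
```

The first statement narrows the source to failed console logins in a time window; the second counts them per source address and keeps only addresses over the threshold. Changing the threshold, the time bound or the grouping column (for example grouping by both sourceIPAddress and eventName) adapts it to other brute-force style checks without changing its shape.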
Functions
Function categories: Aggregations (for example agg.count()), Date/time (for example time.parse_timestamp, time.parse_timespan), Strings, Arrays, Math, Control flow, Data types, Other
Comments
Write a comment with two slashes:
// a comment