How do I find all alerts in Panther for a particular alert ID, detection ID, or log type?
QUESTION
How do I find all alerts for a particular alert ID, log type, or detection ID?
ANSWER
Query by log type in Data Explorer
You can run the following query via the Data Explorer in the Panther Console:
select distinct(p_alert_id) from panther_views.public.all_rule_matches where p_log_type = 'MY LOG TYPE'
Make sure you have DISTINCT followed after the SELECT statement if you want alerts and not all the contributing events of the alerts that are not filtered out by deduplication.
API query by log type
If you want to test out your query before running a script, be sure to take advantage of Panther's API playground and run a query similar to the following template:
query ListAlerts {
alerts(input: {logTypes: "YOURLOGTYPE", createdAtBefore: "2022-01-01T00:00:00.000Z", createdAtAfter: "2022-01-01T00:00:00.000Z"}) {
edges {
node {
id
title
severity
}
}
pageInfo {
hasNextPage
endCursor
}
}
}
Be sure to substitute your own time range and log type for the placeholder.
Query by Detection ID in Data Explorer
This is particularly helpful if you are checking whether a detection is noisy (generating a large volume of alerts). Use a query similar to the following to count the occurrences of a specific rule ID:
SELECT (DISTINCT p_alert_id)
FROM panther_views..all_rule_matches
WHERE p_occurs_since('4 weeks')
LIMIT 1000