How do I find all alerts in Panther for a particular alert ID or log type?
QUESTION
How do I find all alerts for a particular alert ID and/or log type?
ANSWER
There are two ways:
Option 1: You can run the following query via the Data Explorer in the Panther Console:
SELECT DISTINCT p_alert_id FROM panther_views.public.all_rule_matches WHERE p_log_type = 'MY LOG TYPE'
Keep DISTINCT immediately after SELECT if you want one row per alert; without it the query returns every contributing event of those alerts that was not filtered out by deduplication.
Option 2: You can run an API query.
To test your query before putting it in a script, use Panther's API Playground and run a query similar to the following template:
query ListAlerts {
  alerts(input: {
    logTypes: "YOURLOGTYPE",
    createdAtBefore: "2022-01-01T00:00:00.000Z",
    createdAtAfter: "2022-01-01T00:00:00.000Z"
  }) {
    edges { node { id title severity } }
    pageInfo { hasNextPage endCursor }
  }
}
Be sure to substitute your own time range and log type for the placeholders!
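A script that follows on from the playground template, added here as an example and not Panther's own code: it pages through the alerts for one log type by following pageInfo.endCursor and collects the distinct alert IDs, which is the API counterpart of Option 1's DISTINCT query. The endpoint URL, the X-API-Key header, the `cursor` input field and the `DateTime` scalar name are assumptions; the HTTP call sits behind a swappable transport so the paging logic runs offline against constructed sample pages.

```python
import json
import urllib.request
# Assumptions: your instance URL and an API token (placeholders; not from the article).
PANTHER_GRAPHQL_URL = "https://YOUR-INSTANCE.runpanther.net/public/graphql"
API_TOKEN = "REPLACE_WITH_API_TOKEN"
# The article's template as a parameterised query; `cursor` and `DateTime` are assumed schema names.
LIST_ALERTS_QUERY = """
query ListAlerts($logTypes: [String!], $after: DateTime!, $before: DateTime!, $cursor: String) {
  alerts(input: {logTypes: $logTypes, createdAtAfter: $after, createdAtBefore: $before, cursor: $cursor}) {
    edges { node { id title severity } }
    pageInfo { hasNextPage endCursor }
  }
}"""

def post_graphql(query, variables):
    """Real transport: POST the query to Panther and return the `data` object."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(PANTHER_GRAPHQL_URL, data=body, headers={
        "Content-Type": "application/json", "X-API-Key": API_TOKEN})
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    if payload.get("errors"):
        raise RuntimeError(payload["errors"])
    return payload["data"]

def iter_alerts(log_type, after, before, post=post_graphql):
    """Yield every alert node for one log type, following endCursor page by page."""
    cursor = None
    while True:
        variables = {"logTypes": [log_type], "after": after, "before": before, "cursor": cursor}
        page = post(LIST_ALERTS_QUERY, variables)["alerts"]
        for edge in page["edges"]:
            yield edge["node"]
        info = page["pageInfo"]
        # Stop on the last page, or if the cursor fails to advance (never loop forever).
        if not info["hasNextPage"] or info["endCursor"] in (None, cursor):
            return
        cursor = info["endCursor"]

def alert_ids_for(log_type, after, before, post=post_graphql):
    """Distinct alert IDs: the API equivalent of Option 1's DISTINCT query."""
    return sorted({a["id"] for a in iter_alerts(log_type, after, before, post)})

# Constructed sample responses (not real Panther data) so the paging runs offline.
SAMPLE_PAGES = {
    None: {"alerts": {"edges": [{"node": {"id": "a1", "title": "Root login", "severity": "HIGH"}},
                                {"node": {"id": "a2", "title": "New IAM key", "severity": "MEDIUM"}}],
                      "pageInfo": {"hasNextPage": True, "endCursor": "c1"}}},
    "c1": {"alerts": {"edges": [{"node": {"id": "a3", "title": "Failed MFA", "severity": "LOW"}}],
                      "pageInfo": {"hasNextPage": False, "endCursor": "c2"}}},
}
def fake_post(query, variables):
    return SAMPLE_PAGES[variables["cursor"]]
```

Swap `fake_post` for the default `post_graphql` transport to run it against your instance with real dates and log type.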