Panther Knowledge Base

How do scheduled rules with multiple associated scheduled queries work in Panther?


How do scheduled rules with multiple associated scheduled queries work? Does Panther allow results from the first query to be checked against the results of the second query? 


It's not possible for a rule to consider the results of two different scheduled queries together.

As a workaround, you could have one query that checks multiple tables in panther_rule_matches and then feed its result into a scheduled rule. This pushes the work of grouping out of Python (or any other Panther construct) and into the scheduled query.

For example, instead of having two queries:
select * from panther_rule_matches.aws_cloudtrail where EXAMPLE
select * from panther_rule_matches.okta_systemlog where EXAMPLE

You could have one query that groups them together:

with totals as (
  with ct_matches as (
    select * from panther_rule_matches.public.aws_cloudtrail limit 10
  ),
  okta_matches as (
    select * from panther_rule_matches.public.okta_systemlog limit 10
  )
  select p_rule_id, p_log_type from ct_matches
  union all
  select p_rule_id, p_log_type from okta_matches
)
select count(distinct(p_log_type)) as matches from totals
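
A scheduled rule that consumes the single-row result of the combined query could look like the following. This is an added example, not Panther's own code: it assumes the rule receives the row as a dict-like event carrying the `matches` column, and the helpers `_column` and `distinct_log_types` are hypothetical names.

```python
# Added example: scheduled rule for the combined CloudTrail + Okta query.
# The query returns one row whose `matches` column is the number of distinct
# p_log_type values found across both rule-match tables.

EXPECTED_LOG_TYPES = 2  # one per source unioned in the query


def _column(event, name, default=None):
    """Read a result column regardless of key case.

    Snowflake upper-cases unquoted aliases, so `matches` may arrive as
    `MATCHES`. Which form the rule sees is an assumption, so accept both.
    """
    for key in (name, name.lower(), name.upper()):
        value = event.get(key)
        if value is not None:
            return value
    return default


def distinct_log_types(event):
    """Return the `matches` count as an int; missing or bad values count as 0."""
    try:
        return int(_column(event, "matches", 0))
    except (TypeError, ValueError):
        return 0


def rule(event):
    # Alert only when every source in the query produced at least one match.
    return distinct_log_types(event) >= EXPECTED_LOG_TYPES


def title(event):
    return f"Rule matches present in {distinct_log_types(event)} log types"
```

If more tables are added to the query's union, raise `EXPECTED_LOG_TYPES` to match so the rule still requires every source to be present.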


Related: How does alert routing for scheduled rules work in Panther when a scheduled rule relies on queries from multiple log types?