How do I query alert events through the Panther API?
QUESTION
How do I query a list of events that match an alert ID?
ANSWER
This operation requires two API calls.
- Initiate the search with the following:
# `IssueDataLakeQuery` is a nickname for the operation
mutation IssueDataLakeQuery {
executeDataLakeQuery(input: {
sql: "select * from panther_rule_matches.public.<your_log_type> where p_alert_id = '<insert_alert_id>' limit 5"
}) {
id # the unique ID of the query
}
}
- Fetch the query results:
# `QueryResults` is a nickname for the operation
query QueryResults {
dataLakeQuery(id: "<insert unique id from previous query command>") { # the unique ID of the query
message
status
results {
edges {
node
}
}
}
}
If you want to use a different key, such as the detection ID, assignee ID, log source ID, or even the alert's title, you can utilize the associated AlertsInput field.
For example, if you want to retrieve all the alerts from the specified time period where the alert title contains "Panther SAML config has been modified," you can use the API call below, adjusting the createdAtAfter and createdAtBefore values:
query PaginateAlerts {
alerts(
input: {
createdAtAfter: "2023-06-14T21:00:00Z",
createdAtBefore: "2023-06-21T21:59:59Z",
nameContains: "Panther SAML config has been modifed"
}) {
edges {
node {
id
title
severity
status
}
}
pageInfo {
hasNextPage
endCursor
}
}
For more information about retrieving alerts with specific filtering keys check our knowledge base article "How do I find all alerts in Panther for a particular alert ID, detection ID, or log type?".