Panther Knowledge Base

How do I query alert events through the Panther API?

QUESTION

 How do I query a list of events that match an alert ID?

ANSWER

This takes two API calls, because data lake queries run asynchronously: the first call submits the SQL and returns a query ID, and the second fetches the results once the query has finished. First, initiate the search with the following. Replace <your_log_type> with the table for the log type whose events raised the alert (the log type in lowercase with the dot replaced by an underscore, for example aws_cloudtrail for AWS.CloudTrail) and <insert_alert_id> with the alert ID. The SQL is passed as a GraphQL string literal, so any double quotes inside it must be escaped, and the alert ID must not contain a single quote, or it will break out of the SQL literal.

# `IssueDataLakeQuery` is a nickname for the operation
mutation IssueDataLakeQuery {
  executeDataLakeQuery(input: {
    sql: "select * from panther_rule_matches.public.<your_log_type> where p_alert_id = '<insert_alert_id>' limit 5"
  }) {
    id # the unique ID of the query; pass it to dataLakeQuery below
  }
}

Then, fetch the query results with this, using the id returned by the mutation. The status field reports the query's progress: poll until the query is no longer running, and read message if it failed. When it has succeeded, each node under results.edges is one event that matched the alert:

# `QueryResults` is a nickname for the operation
query QueryResults {
  dataLakeQuery(id: "<insert unique id from previous query command>") { # the unique ID of the query
    message
    status
    results {
      edges {
        node
      }
    }
  }
}
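The two calls above, wired together as a small Python client that submits the query, polls dataLakeQuery until it finishes, and returns the event rows. This is an added example, not code from the Panther page or from Panther's own SDK. It assumes things the page does not state: that the API is served at a /public/graphql path and authenticated with an X-API-Key header, that the status field takes the values running, succeeded, failed and cancelled, and that alert IDs and table names only ever contain letters, digits, underscores and hyphens. That last assumption is what lets it reject a value such as x' or '1'='1 before it is interpolated into the SQL string. The endpoint URL, API key and sample rows are constructed for illustration.

```python
"""Fetch the events behind a Panther alert through the GraphQL API.

Added example, not Panther's own code. Assumptions (not stated on the page):
the /public/graphql endpoint path, the X-API-Key header, the status values
running/succeeded/failed/cancelled, and that alert IDs and table names match
[A-Za-z0-9_-]+.
"""
import json
import re
import time
import urllib.request
from typing import Any, Callable, Dict, List

# The page's two documents, with the values moved into GraphQL variables so the
# SQL never has to be hand-escaped inside a GraphQL string literal.
ISSUE_QUERY = """
mutation IssueDataLakeQuery($sql: String!) {
  executeDataLakeQuery(input: { sql: $sql }) { id }
}
"""
FETCH_RESULTS = """
query QueryResults($id: ID!) {
  dataLakeQuery(id: $id) {
    status
    message
    results { edges { node } }
  }
}
"""

# Allow-list for interpolated values (assumption about Panther's ID format):
# no quotes, semicolons or whitespace, so a value cannot leave the SQL literal.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")

Sender = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def build_alert_events_sql(table: str, alert_id: str, limit: int = 5) -> str:
    """Build the page's SQL after validating every value that goes into it."""
    for name, value in (("table", table), ("alert_id", alert_id)):
        if not _SAFE_TOKEN.match(value):
            raise ValueError(f"unsafe {name}: {value!r}")
    if not 1 <= limit <= 10_000:
        raise ValueError("limit out of range")
    return (f"select * from panther_rule_matches.public.{table} "
            f"where p_alert_id = '{alert_id}' limit {limit}")


def make_http_sender(url: str, api_key: str) -> Sender:
    """Return a sender that POSTs a GraphQL document and variables to Panther."""
    def send(document: str, variables: Dict[str, Any]) -> Dict[str, Any]:
        body = json.dumps({"query": document, "variables": variables}).encode()
        req = urllib.request.Request(
            url, data=body, method="POST",
            headers={"Content-Type": "application/json", "X-API-Key": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            payload = json.load(resp)
        if payload.get("errors"):  # GraphQL errors come back with HTTP 200
            raise RuntimeError(payload["errors"])
        return payload["data"]
    return send


def fetch_alert_events(table: str, alert_id: str, send: Sender, limit: int = 5,
                       poll_interval: float = 1.0, max_polls: int = 60) -> List[Dict[str, Any]]:
    """Issue the data lake query, poll until it finishes, return the event rows."""
    sql = build_alert_events_sql(table, alert_id, limit)
    query_id = send(ISSUE_QUERY, {"sql": sql})["executeDataLakeQuery"]["id"]
    for _ in range(max_polls):
        result = send(FETCH_RESULTS, {"id": query_id})["dataLakeQuery"]
        status = result["status"]
        if status == "succeeded":
            return [edge["node"] for edge in result["results"]["edges"]]
        if status in ("failed", "cancelled"):
            raise RuntimeError(f"query {query_id} {status}: {result.get('message')}")
        time.sleep(poll_interval)  # still running; ask again
    raise TimeoutError(f"query {query_id} still running after {max_polls} polls")


class FakePantherSender:
    """Constructed offline stand-in for the API: reports running once, then succeeded."""
    def __init__(self, rows: List[Dict[str, Any]]) -> None:
        self.rows, self.sql, self.polls = rows, None, 0

    def __call__(self, document: str, variables: Dict[str, Any]) -> Dict[str, Any]:
        if document == ISSUE_QUERY:
            self.sql = variables["sql"]
            return {"executeDataLakeQuery": {"id": "q-1"}}
        self.polls += 1
        if self.polls == 1:
            return {"dataLakeQuery": {"status": "running", "message": "", "results": None}}
        return {"dataLakeQuery": {"status": "succeeded", "message": "",
                                  "results": {"edges": [{"node": r} for r in self.rows]}}}


if __name__ == "__main__":
    # Constructed sample rows; against a real instance use
    # make_http_sender("https://api.<your-domain>/public/graphql", api_key).
    fake = FakePantherSender([{"p_alert_id": "a1b2c3", "eventName": "ConsoleLogin"}])
    print(fetch_alert_events("aws_cloudtrail", "a1b2c3", fake, poll_interval=0))
```

Passing the SQL as a GraphQL variable removes the quote-escaping problem at the GraphQL layer, but the alert ID is still concatenated into SQL, so the allow-list check is the control that matters; if your alert IDs use a different character set, widen the pattern rather than dropping it.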