How do I query alert events through the Panther API?
QUESTION
How do I query a list of events that match an alert ID?
ANSWER
Retrieving an alert's events takes two API calls, because data lake queries run asynchronously: the first call submits the SQL and returns a query ID, the second fetches the results once the query has finished. First, issue the query with the following mutation, replacing `<your_log_type>` with the table for the log type the alert's rule matched on and `<insert_alert_id>` with the alert ID:

```graphql
# `IssueDataLakeQuery` is a nickname for the operation
mutation IssueDataLakeQuery {
  executeDataLakeQuery(input: {
    sql: "select * from panther_rule_matches.public.<your_log_type> where p_alert_id = '<insert_alert_id>' limit 5"
  }) {
    id # the unique ID of the query
  }
}
```
Then fetch the results with this query, passing the `id` returned by the mutation. Check `status` before reading `results`: a query that is still running has no rows yet, and `message` explains a failed one.

```graphql
# `QueryResults` is a nickname for the operation
query QueryResults {
  dataLakeQuery(id: "<insert unique id from previous query command>") { # the unique ID of the query
    message
    status
    results {
      edges {
        node
      }
    }
  }
}
```
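The two-call flow above, wired together as a small client. This is an added example, not Panther's own code: it sends the two operations from the answer (rewritten to take GraphQL variables, which assumes the schema declares `sql` as `String!` and `id` as `ID!`), polls `status` until the query leaves the running state, and only then reads `results`. The status names `running` and `succeeded`, the `X-API-Key` header, and the `FakePantherApi` stand-in with its sample rows are assumptions or constructed for the offline demo. Because the alert ID and log type are spliced into SQL text, both are checked against a strict allow-list first; an alert ID that arrives from a user or a webhook must never be interpolated unchecked.

```python
"""Issue a Panther data-lake query for one alert's events, then poll for the rows.
Added example, not Panther's client code."""
import json
import re
import time
import urllib.request
from typing import Any, Callable, Dict, List

# Operations from the answer, parameterised with variables.
# Assumes executeDataLakeQuery's sql is String! and dataLakeQuery's id is ID!.
ISSUE_QUERY = """
mutation IssueDataLakeQuery($sql: String!) {
  executeDataLakeQuery(input: { sql: $sql }) { id }
}
"""
FETCH_RESULTS = """
query QueryResults($id: ID!) {
  dataLakeQuery(id: $id) { message status results { edges { node } } }
}
"""
PENDING_STATUSES = {"running"}   # assumed DataLakeQueryStatus value
DONE_STATUS = "succeeded"        # assumed DataLakeQueryStatus value

# A transport takes (GraphQL document, variables) and returns the parsed "data".
Post = Callable[[str, Dict[str, Any]], Dict[str, Any]]

_SAFE_IDENT = re.compile(r"^[A-Za-z0-9_]+$")      # bare table / log-type names only
_SAFE_ALERT_ID = re.compile(r"^[A-Za-z0-9_-]+$")  # conservative allow-list for alert IDs


def build_alert_events_sql(log_type: str, alert_id: str, limit: int = 5) -> str:
    """Build the SELECT from the answer; reject anything that is not a plain token,
    since the values land inside SQL text (injection risk for user-supplied IDs)."""
    if not _SAFE_IDENT.match(log_type):
        raise ValueError(f"refusing log type {log_type!r}: not a bare identifier")
    if not _SAFE_ALERT_ID.match(alert_id):
        raise ValueError(f"refusing alert id {alert_id!r}: unexpected characters")
    return (f"select * from panther_rule_matches.public.{log_type} "
            f"where p_alert_id = '{alert_id}' limit {int(limit)}")


def fetch_alert_events(post: Post, log_type: str, alert_id: str, limit: int = 5,
                       poll_interval: float = 1.0, timeout: float = 60.0) -> List[Any]:
    """Call 1 issues the query; calls 2..n poll until status is no longer pending."""
    sql = build_alert_events_sql(log_type, alert_id, limit)
    query_id = post(ISSUE_QUERY, {"sql": sql})["executeDataLakeQuery"]["id"]
    deadline = time.monotonic() + timeout
    while True:
        result = post(FETCH_RESULTS, {"id": query_id})["dataLakeQuery"]
        status = result["status"]
        if status not in PENDING_STATUSES:
            break
        if time.monotonic() > deadline:
            raise TimeoutError(f"query {query_id} still {status} after {timeout}s")
        time.sleep(poll_interval)
    if status != DONE_STATUS:
        raise RuntimeError(f"query {query_id} ended {status}: {result.get('message')}")
    return [edge["node"] for edge in result["results"]["edges"]]


def make_http_post(endpoint: str, api_token: str) -> Post:
    """Real transport: JSON POST with the token in X-API-Key (assumed header name)."""
    def post(document: str, variables: Dict[str, Any]) -> Dict[str, Any]:
        body = json.dumps({"query": document, "variables": variables}).encode()
        req = urllib.request.Request(endpoint, data=body, headers={
            "Content-Type": "application/json", "X-API-Key": api_token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            payload = json.load(resp)
        if payload.get("errors"):
            raise RuntimeError(f"GraphQL errors: {payload['errors']}")
        return payload["data"]
    return post


class FakePantherApi:
    """Constructed stand-in: reports `running` until the Nth poll, then `succeeded`."""
    def __init__(self, rows: List[Dict[str, Any]], polls_until_done: int = 2) -> None:
        self.rows, self.polls_until_done = rows, polls_until_done
        self.issued_sql: List[str] = []
        self.polls = 0

    def __call__(self, document: str, variables: Dict[str, Any]) -> Dict[str, Any]:
        if document.lstrip().startswith("mutation"):
            self.issued_sql.append(variables["sql"])
            return {"executeDataLakeQuery": {"id": "q-0001"}}
        self.polls += 1
        if self.polls < self.polls_until_done:
            return {"dataLakeQuery": {"status": "running", "message": "", "results": None}}
        return {"dataLakeQuery": {"status": "succeeded", "message": "",
                                  "results": {"edges": [{"node": r} for r in self.rows]}}}


def demo() -> Dict[str, Any]:
    """Run the flow against the fake API with constructed sample rows."""
    fake = FakePantherApi([
        {"p_alert_id": "a1b2c3", "p_event_time": "2024-01-01 00:00:00", "actor": "alice"},
        {"p_alert_id": "a1b2c3", "p_event_time": "2024-01-01 00:00:05", "actor": "bob"},
    ])
    events = fetch_alert_events(fake, "aws_cloudtrail", "a1b2c3", poll_interval=0)
    return {"events": events, "sql": fake.issued_sql[0], "polls": fake.polls}
```

Swap `FakePantherApi` for `make_http_post("https://<your-instance>/public/graphql", token)` to run it against a real instance; the polling and validation logic is the same either way.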