QUESTION

How do I find all alerts for a particular alert ID, log type, or detection ID?

ANSWER

Query by log type in Data Explorer

You can run the following query via the Data Explorer in the Panther Console:

select distinct(p_alert_id) from panther_views.public.all_rule_matches
where p_log_type = 'MY LOG TYPE'

Make sure DISTINCT directly follows SELECT if you want one row per alert; without it the query returns every contributing event that was not filtered out by deduplication, not the alerts themselves.

API query by log type

If you want to test out your query before running a script, be sure to take advantage of Panther's API playground and run a query similar to the following template:

query ListAlerts {
  alerts(input: {logTypes: "YOURLOGTYPE", createdAtBefore: "2022-01-01T00:00:00.000Z", createdAtAfter: "2022-01-01T00:00:00.000Z"}) {
    edges {
      node {
        id
        title
        severity
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}

Be sure to substitute your own time range and log type for the placeholder.
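Once the query behaves as expected in the playground, the script that runs it still has to follow pageInfo until hasNextPage is false. The following is an added example, not code from Panther's documentation: it sends the ListAlerts query above through a small transport, follows endCursor page by page, and stops cleanly on the last page or on a stalled cursor. It assumes the API key is sent in an X-API-Key header, that AlertsInput accepts a cursor field, and that the endpoint URL and key are placeholders you supply; SAMPLE_PAGES and canned_fetch are constructed so the paging logic runs offline.

```python
import json
import urllib.request
from typing import Callable, Iterator, List, Optional

# The article's ListAlerts query, with the input passed as a variable so a cursor can be added.
LIST_ALERTS = """query ListAlerts($input: AlertsInput!) {
  alerts(input: $input) { edges { node { id title severity } } pageInfo { hasNextPage endCursor } } }"""
Fetch = Callable[[dict], dict]  # takes GraphQL variables, returns the decoded JSON response
def make_http_fetch(url: str, api_key: str) -> Fetch:
    """Real transport: POST one request to Panther's GraphQL endpoint (url and api_key are placeholders)."""
    def fetch(variables: dict) -> dict:
        body = json.dumps({"query": LIST_ALERTS, "variables": variables}).encode()
        req = urllib.request.Request(url, data=body, method="POST", headers={
            "Content-Type": "application/json", "X-API-Key": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def iter_alerts(fetch: Fetch, log_type: str, after: str, before: str) -> Iterator[dict]:
    """Yield every alert node for one log type, following endCursor while hasNextPage is true."""
    cursor: Optional[str] = None
    while True:
        inp = {"logTypes": [log_type], "createdAtAfter": after, "createdAtBefore": before}
        if cursor is not None:
            inp["cursor"] = cursor  # assumption: AlertsInput accepts a cursor field
        data = fetch({"input": inp})
        if data.get("errors"):
            raise RuntimeError(f"GraphQL errors: {data['errors']}")
        page = data["data"]["alerts"]
        for edge in page["edges"]:
            yield edge["node"]
        info = page["pageInfo"]
        if not info["hasNextPage"]:
            return
        if not info["endCursor"] or info["endCursor"] == cursor:
            raise RuntimeError("pagination stalled: hasNextPage is true but endCursor did not advance")
        cursor = info["endCursor"]

def alert_ids(fetch: Fetch, log_type: str, after: str, before: str) -> List[str]:
    """Distinct alert IDs across all pages, in first-seen order."""
    return list(dict.fromkeys(a["id"] for a in iter_alerts(fetch, log_type, after, before)))
def canned_fetch(pages: List[dict]) -> Fetch:
    """Constructed offline transport: serves the given response bodies in order, no network."""
    calls = iter(pages)
    return lambda _variables: next(calls)
SAMPLE_PAGES = [  # constructed: page 1 points at cursor "c1", page 2 is the last page
    {"data": {"alerts": {"edges": [{"node": {"id": "a1"}}, {"node": {"id": "a2"}}],
                         "pageInfo": {"hasNextPage": True, "endCursor": "c1"}}}},
    {"data": {"alerts": {"edges": [{"node": {"id": "a3"}}],
                         "pageInfo": {"hasNextPage": False, "endCursor": None}}}}]
```

Swap canned_fetch(SAMPLE_PAGES) for make_http_fetch(url, api_key) to run it against a real Panther instance with your own time range and log type.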

Query by Detection ID in Data Explorer

This is particularly helpful if you are checking whether a detection is noisy (generating a large volume of alerts). Use a query similar to the following to count the distinct alerts a specific rule ID has generated in a time window:

SELECT COUNT(DISTINCT p_alert_id)
FROM panther_views.public.all_rule_matches
WHERE p_occurs_since('4 weeks')
  AND p_rule_id = 'MY RULE ID'  -- substitute the detection ID you are checking