How do I find all alerts for a particular alert ID, log type, or detection ID?
You can run the following query via the Data Explorer in the Panther Console:
select distinct(p_alert_id) from panther_views.public.all_rule_matches
where p_log_type = 'MY LOG TYPE'
Keep DISTINCT directly after SELECT if you want one row per alert rather than every contributing event of those alerts that survived deduplication.
If you want to test out your query before running a script, be sure to take advantage of Panther's API playground and run a query similar to the following template:
query ListAlerts {
  alerts(input: {logTypes: "YOURLOGTYPE", createdAtBefore: "2022-01-01T00:00:00.000Z", createdAtAfter: "2022-01-01T00:00:00.000Z"}) {
    edges {
      node {
        id
        title
        severity
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
Be sure to substitute your own time range and log type for the placeholders.
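Once the template works in the playground, a script needs to follow pageInfo.endCursor until hasNextPage is false or it silently misses alerts. The following is an added example, not Panther's own code: it builds the ListAlerts query from the template above, pages through the results and counts alerts by severity. The endpoint URL, the X-API-Key header and the name of the cursor input field are assumptions; the sample responses are constructed so the script runs offline.

```python
import json
import urllib.request


def build_query(log_type, created_after, created_before, cursor=None):
    """Inline the ListAlerts template from the page; the `cursor` field is an assumption."""
    cursor_arg = f", cursor: {json.dumps(cursor)}" if cursor else ""
    return (
        "query ListAlerts { alerts(input: {"
        f"logTypes: {json.dumps(log_type)}, createdAtAfter: {json.dumps(created_after)}, "
        f"createdAtBefore: {json.dumps(created_before)}{cursor_arg}}}) "
        "{ edges { node { id title severity } } pageInfo { hasNextPage endCursor } } }"
    )


def make_http_executor(endpoint, api_key):
    """Return execute(query) -> data; endpoint path and X-API-Key header are assumptions."""
    def execute(query):
        req = urllib.request.Request(endpoint, data=json.dumps({"query": query}).encode(),
                                     headers={"Content-Type": "application/json", "X-API-Key": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
        if body.get("errors"):  # GraphQL returns HTTP 200 with an errors array on failure
            raise RuntimeError(body["errors"])
        return body["data"]
    return execute


def list_all_alerts(execute, log_type, created_after, created_before, max_pages=100):
    """Follow endCursor until hasNextPage is false; returns unique alert nodes in order."""
    seen, alerts, cursor = set(), [], None
    for _ in range(max_pages):
        data = execute(build_query(log_type, created_after, created_before, cursor))["alerts"]
        for edge in data["edges"]:
            node = edge["node"]
            if node["id"] not in seen:  # guard against overlap across page boundaries
                seen.add(node["id"])
                alerts.append(node)
        page = data["pageInfo"]
        if not page["hasNextPage"] or not page["endCursor"]:
            return alerts
        cursor = page["endCursor"]
    raise RuntimeError("pagination did not terminate within max_pages")


def severity_counts(alerts):
    """Tally alerts per severity, a quick noisiness check for a log type."""
    counts = {}
    for alert in alerts:
        counts[alert["severity"]] = counts.get(alert["severity"], 0) + 1
    return counts


# Constructed sample API responses: page 2 repeats alert a2 to exercise the dedup guard.
FAKE_PAGES = [
    {"alerts": {"edges": [{"node": {"id": "a1", "title": "t", "severity": "HIGH"}},
                          {"node": {"id": "a2", "title": "t", "severity": "LOW"}}],
                "pageInfo": {"hasNextPage": True, "endCursor": "c1"}}},
    {"alerts": {"edges": [{"node": {"id": "a2", "title": "t", "severity": "LOW"}},
                          {"node": {"id": "a3", "title": "t", "severity": "HIGH"}}],
                "pageInfo": {"hasNextPage": False, "endCursor": None}}},
]


def fake_execute(query):
    """Serve the constructed pages; the second is only returned when cursor c1 is sent."""
    return FAKE_PAGES[1] if 'cursor: "c1"' in query else FAKE_PAGES[0]


if __name__ == "__main__":
    found = list_all_alerts(fake_execute, "YOURLOGTYPE", "2022-01-01T00:00:00.000Z", "2022-01-02T00:00:00.000Z")
    print(len(found), severity_counts(found))
```

To run it against a real instance, replace fake_execute with make_http_executor(endpoint, api_key) using your own API token.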
This is particularly helpful when checking whether a detection is noisy (generating a large volume of alerts). Use a query similar to the following to count the distinct alerts a specific rule ID has produced:
SELECT COUNT(DISTINCT p_alert_id)
FROM panther_views.public.all_rule_matches
WHERE p_occurs_since('4 weeks')
  AND p_rule_id = 'MY RULE ID'
LIMIT 1000