PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Overview
See additional PantherFlow query examples on the Scheduled Search Examples page.

panther_audit query examples

Query the panther_logs.public.panther_audit table:

```
panther_logs.public.panther_audit
```

Return up to 10 results:

```
panther_logs.public.panther_audit
| limit 10
```

Sort by p_event_time (newest first):

```
panther_logs.public.panther_audit
| sort p_event_time desc
| limit 10
```

Filter on the last 24 hours:

```
panther_logs.public.panther_audit
| where p_event_time > time.now() - 1d
| sort p_event_time desc
| limit 10
```

Filter on a timestamp:

```
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| sort p_event_time desc
| limit 10
```

Filter on a nested field (using dot notation):

```
panther_logs.public.panther_audit
| where actor.name == "[email protected]"
```

Filter on a nested field (using bracket notation):

```
panther_logs.public.panther_audit
| where actor['name'] == "[email protected]"
```

Check that a deeply nested value within an array exists (i.e., is not null):

```
panther_logs.public.panther_audit
| where actionParams.dynamic.input.tableProperties[0].propertyId != null
```

Count events since a given date:

```
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| summarize row_count=agg.count()
```

Count successful events per action name:

```
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
```

Show only rare actions (action names with fewer than 5 successful events in the period):

```
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
| where num_events < 5
| sort num_events asc
```
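The building blocks above (a time-window filter, a result filter, a grouped count, and a threshold on the count) combine into a simple audit-review query. The following is an added example, not from the Panther documentation: it lists which actors accumulated many non-successful actions in the last day, which is the kind of pattern a reviewer of the Panther audit log would want surfaced. It assumes that `summarize ... by` accepts the nested field `actor.name` as a grouping key and that `actionResult` takes a value other than "SUCCEEDED" for failed actions; the threshold of 5 is an arbitrary starting point.

```pantherflow
// Added example (not from the Panther docs).
// Non-successful actions per actor and action name over the last 24 hours,
// keeping only actor/action pairs that crossed a threshold.
panther_logs.public.panther_audit
| where p_event_time > time.now() - 1d and actionResult != "SUCCEEDED"
| summarize failed_actions=agg.count() by actor.name, actionName   // assumption: nested field allowed as a group key
| where failed_actions >= 5                                        // arbitrary threshold, tune for your environment
| sort failed_actions desc
| limit 20
```

Lower the threshold or widen the window when first baselining, then raise it once you know the normal failure rate for your tenant.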