PantherFlow Examples: Panther Audit Logs

panther_logs.public.panther_audit

panther_logs.public.panther_audit
| limit 10

panther_logs.public.panther_audit
| sort p_event_time desc
| limit 10

panther_logs.public.panther_audit
| where p_event_time > time.now() - 1d
| sort p_event_time desc
| limit 10

panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| sort p_event_time desc
| limit 10

panther_logs.public.panther_audit
| where actor.name == "first.last@example.com"

panther_logs.public.panther_audit
| where actor['name'] == "first.last@example.com"

panther_logs.public.panther_audit
| where actionParams.dynamic.input.tableProperties[0].propertyId != null

panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| summarize row_count=agg.count()

panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName

panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
| where num_events < 5
| sort num_events asc

let new_logins = panther_logs.public.panther_audit
| where p_event_time > time.ago(7d) and p_udm.user.email != null
| summarize recent_ips=agg.make_set(p_udm.source.ip) by email=p_udm.user.email;

panther_logs.public.panther_audit
| where p_event_time > time.ago(60d) and p_event_time < time.ago(7d) and p_udm.user.email != null
| summarize baseline_ips=agg.make_set(p_udm.source.ip) by email=p_udm.user.email
| join kind=inner new=(new_logins) on $left.email == $right.email
| where new.recent_ips[0] not in baseline_ips