PantherFlow Examples: Panther Audit Logs

Query the panther_logs.public.panther_audit table:

panther_logs.public.panther_audit

Return up to 10 results:

panther_logs.public.panther_audit
| limit 10

Sort by p_event_time:

panther_logs.public.panther_audit
| sort p_event_time desc
| limit 10

Filter on the last 24 hours:

panther_logs.public.panther_audit
| where p_event_time > time.now() - 1d
| sort p_event_time desc
| limit 10

Filter on timestamp:

panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| sort p_event_time desc
| limit 10

Filter on a nested field (using dot notation):

Filter on a nested field (using bracket notation):

Check that a deeply nested value within an array exists (i.e., is not null):

Count events:

Count number of actions:

Only show rare actions:

Show new IPs used by a user in the last 7 days vs. those they used in the last 60 days:
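The "new IPs in the last 7 days vs. the last 60 days" comparison above, worked through in Python over a few constructed panther_audit-style records (an added example, not from Panther's documentation). The field names actor.id and sourceIP, and the choice to compare the last 7 days against the 53 days before them, are assumptions; without that split the difference would always be empty.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the run is reproducible; a real run would use the current time.
NOW = datetime(2023, 9, 30, tzinfo=timezone.utc)

# Constructed sample records shaped like panther_audit rows (assumed field names).
RECORDS = [
    {"p_event_time": NOW - timedelta(days=50), "actor": {"id": "alice"}, "sourceIP": "203.0.113.10"},
    {"p_event_time": NOW - timedelta(days=30), "actor": {"id": "alice"}, "sourceIP": "203.0.113.10"},
    {"p_event_time": NOW - timedelta(days=2),  "actor": {"id": "alice"}, "sourceIP": "203.0.113.10"},
    {"p_event_time": NOW - timedelta(days=1),  "actor": {"id": "alice"}, "sourceIP": "198.51.100.7"},  # never seen before
    {"p_event_time": NOW - timedelta(days=40), "actor": {"id": "bob"},   "sourceIP": "192.0.2.5"},
    {"p_event_time": NOW - timedelta(days=3),  "actor": {"id": "bob"},   "sourceIP": "192.0.2.5"},
    {"p_event_time": NOW - timedelta(days=90), "actor": {"id": "carol"}, "sourceIP": "192.0.2.99"},   # outside the 60-day window
    {"p_event_time": NOW - timedelta(hours=5), "actor": {"id": "carol"}, "sourceIP": "192.0.2.99"},   # looks new to the baseline
]


def ips_by_user(records, start, end):
    """Map actor id -> set of source IPs for events with start <= p_event_time < end."""
    seen = {}
    for rec in records:
        if start <= rec["p_event_time"] < end:
            seen.setdefault(rec["actor"]["id"], set()).add(rec["sourceIP"])
    return seen


def new_ips(records, now=NOW, recent_days=7, baseline_days=60):
    """IPs each user used in the recent window but not in the baseline before it.

    The baseline covers [now - baseline_days, now - recent_days) so that an IP's
    own first appearance in the recent window does not mask it as "already seen".
    Users with no new IPs are omitted from the result.
    """
    recent_start = now - timedelta(days=recent_days)
    recent = ips_by_user(records, recent_start, now)
    baseline = ips_by_user(records, now - timedelta(days=baseline_days), recent_start)
    result = {}
    for user, ips in recent.items():
        fresh = ips - baseline.get(user, set())
        if fresh:
            result[user] = sorted(fresh)
    return result


if __name__ == "__main__":
    for user, ips in new_ips(RECORDS).items():
        print(f"{user}: new source IPs in the last 7 days -> {', '.join(ips)}")
```

Carol's IP is reported as new because her earlier use falls outside the 60-day baseline, which is the kind of false positive a longer baseline window trades against query cost.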
