panther_logs.public.panther_audit
| where actor.name == "first.last@example.com"
Filter on a nested field (using bracket notation)
panther_logs.public.panther_audit
| where actor['name'] == "first.last@example.com"
Check that a deeply nested value within an array exists (i.e., is not null)
panther_logs.public.panther_audit
| where actionParams.dynamic.input.tableProperties[0].propertyId != null
Count events:
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| summarize row_count=agg.count()
Count number of actions:
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
Only show rare actions:
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
| where num_events < 5
| sort num_events asc
Show new IPs used by a user in the last 7 days vs. those they used in the last 60 days:
let new_logins = panther_logs.public.panther_audit
| where p_event_time > time.ago(7d) and p_udm.user.email != null
| summarize recent_ips=agg.make_set(p_udm.source.ip) by email=p_udm.user.email;
panther_logs.public.panther_audit
| where p_event_time > time.ago(60d) and p_event_time < time.ago(7d) and p_udm.user.email != null
| summarize baseline_ips=agg.make_set(p_udm.source.ip) by email=p_udm.user.email
| join kind=inner new=(new_logins) on $left.email == $right.email
| where new.recent_ips[0] not in baseline_ips
