Querying and Writing Detections for Panther Audit Logs
Monitor your Panther audit logs
Panther audit logs can be onboarded as a log source in Panther, meaning you can then interact with them in detections, data lake queries, and more.
Audit logs can be found in the data lake under panther_logs.panther_audit. The following query, run against the data lake, shows all audit events within the last day:
The result of this query would include several audit logs, an example of which can be seen below:
Audit logs can be leveraged to write powerful detections for generating alerts when an unusual or important action has been taken within Panther.
Let's write a detection that alerts when a detection has been deleted.
In the left-hand navigation bar of your Panther Console, click Detections.
On the Detections page, click Create New.
In the Select Detection Type modal, click Rule.
Enter a descriptive Name for your rule, e.g., Panther detection deleted.
In the Detect tile, click Python Editor.
In the code editor, enter the following Python code, which will generate an alert when a detection is deleted:
In the Create Alert tile, under Required Fields, select a Severity.
Scroll down to the Test tile, and click Add New.
In Step 1, you defined your detection and clicked Add New under Test to begin the process of testing.
Below, you will generate test data for the action you wrote a detection for. In the example, we defined a detection to check for the action of deleting a detection in the Panther Console.
In a separate browser tab, open your Panther Console. Perform the action you wrote a detection for to generate a test audit log.
In the example above, we defined a detection to check for the action of deleting a detection in the Panther Console. For this example, you would follow these steps:
Navigate to Build > Detections.
Create a test detection.
After successfully creating the detection, delete it.
In the left sidebar, click Investigate > Data Explorer.
Execute a query to find the audit log for the action you are testing against.
Based on our example, we will use the following query to check for the recently deleted detection:
If no results are returned, wait a few minutes and retry.
Copy the JSON object in the Data Explorer results representing this log. Navigate back to the detection you defined, then paste the JSON object into the Test text editor.
Leave the "The detection should trigger based on the example event" toggle set to YES.
Click Run Test.
In the upper-right corner of the page, click Deploy.
In the example above, we used a simple alert title:
You can construct a more descriptive alert title using the values found in the actionParams
field within the audit log:
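The rule from the steps above and the descriptive title built from actionParams, written out as one runnable Python file. This is an added example, not the page's or Panther's own code. It assumes (verify against your own panther_audit rows) that deleting a detection is recorded with actionName "DELETE_DETECTION" and actionResult "SUCCEEDED", that the deleted detection IDs sit under actionParams.dynamic.input.detections, and that the actor's display name is under actor.name. The two audit events at the bottom are constructed test data, and deep_get is a local stand-in for the helper a real Panther rule would import from panther_base_helpers.

```python
# Added example (not the page's own code). Field names and action values below
# are assumptions to be checked against real panther_audit rows.

DELETE_ACTIONS = {"DELETE_DETECTION"}  # assumed actionName value(s)


def deep_get(obj, *keys, default=None):
    """Safely walk nested dicts; return default as soon as a key is missing.
    Stand-in for panther_base_helpers.deep_get so this file runs offline."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event):
    """Fire only on successful detection deletions."""
    return (
        event.get("actionName") in DELETE_ACTIONS
        and event.get("actionResult") == "SUCCEEDED"
    )


def simple_title(_event):
    """The static title used in the first version of the rule."""
    return "Panther detection deleted"


def title(event):
    """Descriptive title built from actionParams and the acting user."""
    detection_ids = deep_get(
        event, "actionParams", "dynamic", "input", "detections", default=[]
    )
    actor = deep_get(event, "actor", "name", default="unknown actor")
    ids = ", ".join(detection_ids) if detection_ids else "unknown"
    return f"Panther detection(s) {ids} deleted by {actor}"


# Constructed test events: the first mirrors the audit log you would copy out of
# Data Explorer after deleting a test detection; the second is a control that
# must not alert (CREATE_DETECTION is likewise an assumed actionName).
DELETE_EVENT = {
    "actionName": "DELETE_DETECTION",
    "actionResult": "SUCCEEDED",
    "actionParams": {"dynamic": {"input": {"detections": ["Custom.Test.Rule"]}}},
    "actor": {"id": "user-id-placeholder", "name": "analyst@example.com", "type": "USER"},
    "p_log_type": "Panther.Audit",
}

CREATE_EVENT = {
    "actionName": "CREATE_DETECTION",
    "actionResult": "SUCCEEDED",
    "actionParams": {"dynamic": {"input": {"detections": ["Custom.Test.Rule"]}}},
    "actor": {"id": "user-id-placeholder", "name": "analyst@example.com", "type": "USER"},
    "p_log_type": "Panther.Audit",
}


if __name__ == "__main__":
    for ev in (DELETE_EVENT, CREATE_EVENT):
        print(ev["actionName"], "->", rule(ev), "|", title(ev) if rule(ev) else "-")
```

Keep the function names rule and title, because those are the entry points Panther calls; to go from the simple title to the descriptive one you replace the body of title, nothing else. Checking actionResult as well as actionName keeps failed deletion attempts from producing the same alert as a real deletion; if you want to see failed attempts too, drop that condition or alert on them separately.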
Under For the Following Source, in the Log Types dropdown, select Panther.Audit.
This code defines a simple title using the title function. Learn how to create a more descriptive title below.
Continue in .
Verify that the detection runs as expected and the alert title appears as expected.
See the for more information on the audit log fields.
The actionParams field is different for each audited action. To understand what information is present in this field for a given action, perform that action in the Panther Console, query the data lake for the resulting audit log, and use the results to inform how you write detections for that action.