Overview
See additional PantherFlow query examples on Scheduled Search Examples .
panther_audit query examples
Query the panther_logs.public.panther_audit table:
Copy panther_logs.public.panther_audit Return up to 10 results:
Copy panther_logs.public.panther_audit
| limit 10 Sort by p_event_time:
Copy panther_logs.public.panther_audit
| sort p_event_time desc
| limit 10 Filter on the last 24 hours:
Copy panther_logs.public.panther_audit
| where p_event_time > time.now() - 1d
| sort p_event_time desc
| limit 10 Filter on timestamp:
Copy panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| sort p_event_time desc
| limit 10 Filter on a nested field (using dot notation)
Copy panther_logs.public.panther_audit
| where actor.name == "first.last@example.com" Filter on a nested field (using bracket notation)
Copy panther_logs.public.panther_audit
| where actor['name'] == "first.last@example.com" Check that a deeply nested value within an array exists (i.e., is not null)
Copy panther_logs.public.panther_audit
| where actionParams.dynamic.input.tableProperties[0].propertyId != null Count events:
Copy panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| summarize row_count=agg.count() Count number of actions:
Copy panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName Only show rare actions:
Copy panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
| where num_events < 5
| sort num_events asc Last updated 5 months ago
