Panther Knowledge Base

How can I query all my failed policy events in Panther for a specific policy?

QUESTION

How can I query all my failed policy events in Panther for a specific policy?

ANSWER

To do this, query the panther_cloudsecurity.public.compliance_history table in the Data Explorer with a query similar to the one below:

  1. Adjust the time range in p_occurs_between('startTime', 'endTime')
  2. Replace YOUR-POLICY-ID with your policy ID
  3. If you wish to receive more than 200 results, adjust the LIMIT value accordingly

-- startTime and endTime are placeholders for the bounds of the time range
SELECT *
FROM
panther_cloudsecurity.public.compliance_history
WHERE
p_occurs_between('startTime', 'endTime') AND policyId = 'YOUR-POLICY-ID' AND status = 'FAIL'
ORDER BY p_event_time ASC
LIMIT 200

Similarly, you can use the Search feature:

[Screenshot: Search feature]

To investigate an event from these results further, copy its resourceId value and paste it into the search bar on the Investigate > Cloud Resources page of your Panther Console.
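
To decide which resourceId values to look up first, the same filter can be grouped per resource. This is an added example, not a query from the original article; it uses only the table and columns named above, and the aliases fail_events, first_fail and last_fail are illustrative.

```sql
-- Added example: one row per failing resource instead of one row per event.
-- 'startTime', 'endTime' and 'YOUR-POLICY-ID' are placeholders, as in the query above.
SELECT
  resourceId,
  COUNT(*)          AS fail_events,  -- number of FAIL records in the time range
  MIN(p_event_time) AS first_fail,   -- earliest FAIL record for this resource
  MAX(p_event_time) AS last_fail     -- most recent FAIL record for this resource
FROM panther_cloudsecurity.public.compliance_history
WHERE p_occurs_between('startTime', 'endTime')
  AND policyId = 'YOUR-POLICY-ID'
  AND status = 'FAIL'
GROUP BY resourceId
ORDER BY last_fail DESC
LIMIT 200
```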
