How can I query all my failed policy events in Panther for a specific policy?
To achieve this, you can query the panther_cloudsecurity.public.compliance_history table in the Data Explorer with a query similar to the one below:
- Replace YOUR-POLICY-ID with your policy ID
- If you wish to receive more than 200 results, adjust the LIMIT value accordingly
SELECT * FROM panther_cloudsecurity.public.compliance_history
WHERE p_occurs_between('startTime', 'endTime') AND policyId = 'YOUR-POLICY-ID' AND status = 'FAIL'
ORDER BY p_event_time ASC
LIMIT 200
Similarly, you can use the Search feature:
To investigate an event from these results further, copy its resourceId value and paste it into the search bar on the Investigate > Cloud Resources page of your Panther Console.