Skip to main content
Panther Knowledge Base

How can I identify recently deleted log sources in the "Ingestion By Log Source" graph in the Panther Dashboard?

  1. Last updated
  2. Save as PDF

QUESTION

How can I identify recently deleted log sources in the "Ingestion By Log Source" graph in the Panther Dashboard?

ANSWER

To do this you’ll have to perform two queries: The first query is used to find the recently deleted log source by finding the actionParams.id

For example:

SELECT
   p_event_time as p_timeline,
   *
FROM
   panther_logs.public.panther_audit
WHERE  actionName like 'DELETE_LOG_SOURCE'
ORDER by p_event_time DESC
LIMIT 10

After running this query, you can do testing to find a actionsParams.id that corresponds to a former log source that received logs (e.g some log sources might have been accidentally set up with no events ever being ingested), or you can paste all your IDs in the same query. 

Once you have found an actionParams.id that matches a log source that formerly received logs, your next query should look like this:

SELECT *
FROM panther_views.public.all_logs
WHERE p_source_id like '<actionparamsid>' or p_source_id like '<actionparamsid2>'
LIMIT 1

After performing that query, look for the p_source_id field as that should contain the name of the log source you deleted.

 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
  2. Tags
    This page has no tags.