How can I query all my failed policy events in Panther for a specific policy?
To achieve this, query the panther_cloudsecurity.public.compliance_history
table in the Data Explorer with a query similar to the one below:
Adjust the p_occurs_between('startTime', 'endTime') window to the time range you want to cover.
Replace YOUR-POLICY-ID with your policy ID.
If you wish to receive more than 200 results, adjust the LIMIT value accordingly.
SELECT *
FROM panther_cloudsecurity.public.compliance_history
WHERE p_occurs_between('startTime', 'endTime')
  AND policyId = 'YOUR-POLICY-ID'
  AND status = 'FAIL'
ORDER BY p_event_time ASC
LIMIT 200
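A variation on the query above, added here as an example and not taken from Panther's documentation: instead of listing every FAIL event, it groups the failures for one policy by resourceId so the resources that fail most often (and most recently) appear first. The timestamps are constructed placeholders for the window and YOUR-POLICY-ID must be replaced as before.

```sql
-- Added example: per-resource summary of FAIL events for a single policy.
-- The window below is a constructed placeholder; replace it and 'YOUR-POLICY-ID'
-- with your own values before running this in the Data Explorer.
SELECT
  resourceId,
  COUNT(*)          AS fail_events,   -- how many times this resource failed the policy
  MIN(p_event_time) AS first_fail,    -- when the failures started in the window
  MAX(p_event_time) AS last_fail      -- most recent failure in the window
FROM panther_cloudsecurity.public.compliance_history
WHERE p_occurs_between('2024-01-01 00:00:00', '2024-01-31 23:59:59')
  AND policyId = 'YOUR-POLICY-ID'
  AND status = 'FAIL'
GROUP BY resourceId
ORDER BY fail_events DESC, last_fail DESC
LIMIT 200;
```

Each resourceId returned can be pasted into Investigate > Cloud Resources in the Panther Console, as described below, to inspect the resource itself.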
Similarly, you can use the Search feature:
If you wish to investigate an event from these results further, you can copy its resourceId
value and paste it into the search bar under Investigate > Cloud Resources in the Panther Console.