How can I query my Panther Audit logs in the Data Explorer?
Last updated: September 3, 2024
QUESTION
How can I search my Panther Audit logs in the Data Explorer?
ANSWER
You can check your Panther Audit Logs in the Data Explorer with a query similar to the following:
SELECT
    *
FROM
    panther_logs.public.panther_audit
WHERE
    actionParams:dynamic:input:id = 'Custom.Rule.Here' AND
    p_occurs_since('4 weeks')
ORDER BY p_event_time ASC
LIMIT 10

Replace the actionParams value with your desired Panther Audit Log action. For example, actionParams = 'GET_ALERT'. Also adjust the p_occurs_since value as needed.
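
The query above returns raw events. When reviewing who touched a detection, a grouped summary is often easier to read. The following is an added example, not part of the original answer: it keeps the same table, filter and time window, and assumes the audit table also exposes actionName, actionResult, actor (with a name key) and sourceIP columns; check the column names against your own schema before running it.

```sql
-- Added example: summarize activity against one detection ID.
-- 'Custom.Rule.Here' is the same placeholder used in the original query.
-- Assumed columns (verify in your schema): actionName, actionResult,
-- actor:name, sourceIP.
SELECT
    actionName,
    actor:name::string  AS actor_name,
    sourceIP,
    actionResult,
    COUNT(*)            AS events,
    MIN(p_event_time)   AS first_seen,
    MAX(p_event_time)   AS last_seen
FROM
    panther_logs.public.panther_audit
WHERE
    actionParams:dynamic:input:id = 'Custom.Rule.Here' AND
    p_occurs_since('4 weeks')
-- Group by the four descriptive columns (positions 1-4 in the SELECT list)
GROUP BY 1, 2, 3, 4
-- Most recent activity first
ORDER BY last_seen DESC
LIMIT 100
```

Each row shows one actor, source address and action combination, with how many times it occurred and when it was first and last seen in the window.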