How can I identify recently deleted log sources in the "Ingestion By Log Source" graph in the Panther Dashboard?
To do this you’ll have to perform two queries. The first query finds the recently deleted log sources by locating the actionParams.id of each DELETE_LOG_SOURCE audit event.
For example:

SELECT
  p_event_time AS p_timeline,
  *
FROM
  panther_logs.public.panther_audit
WHERE actionName LIKE 'DELETE_LOG_SOURCE'
ORDER BY p_event_time DESC
LIMIT 10
After running this query, you can test each actionParams.id to find one that corresponds to a former log source that actually received logs (e.g. some log sources might have been accidentally set up with no events ever being ingested), or you can paste all of your IDs into the same query.
Once you have found an actionParams.id that matches a log source that formerly received logs, your next query should look like this:
SELECT *
FROM panther_views.public.all_logs
WHERE p_source_id LIKE '<actionparamsid>' OR p_source_id LIKE '<actionparamsid2>'
LIMIT 1
After running that query, look at the p_source_id field, as it should contain the name of the log source you deleted.
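As an added example (not part of the original article and not Panther's own documentation), the two steps above can be combined into one query that lists every recently deleted log source together with how many events it had actually ingested, so the "never received logs" sources are separated from the ones that explain a drop in the "Ingestion By Log Source" graph. It assumes a Snowflake-backed Panther data lake, where the audit log's actionParams object is read with Snowflake's actionParams:id path syntax, and that both the audit table and the all_logs view carry the standard p_event_time field; the 30-day windows are constructed values chosen only to keep the scan of all_logs bounded.

```sql
-- Added example, not from the original article. Assumes a Snowflake data lake
-- behind Panther: the variant path syntax (actionParams:id) is a Snowflake
-- assumption, and the 30-day windows are constructed values, not a recommendation.

-- Step 1: every log-source deletion recorded in the audit log (last 30 days).
WITH deleted_sources AS (
  SELECT
    actionParams:id::STRING AS source_id,
    p_event_time            AS deleted_at
  FROM panther_logs.public.panther_audit
  WHERE actionName = 'DELETE_LOG_SOURCE'
    AND p_event_time >= DATEADD(DAY, -30, CURRENT_TIMESTAMP())
),

-- Step 2: how many events each of those sources ingested, and when.
-- Restricting by p_event_time keeps the scan over the all_logs view bounded.
ingested AS (
  SELECT
    p_source_id,
    COUNT(*)          AS event_count,
    MIN(p_event_time) AS first_event,
    MAX(p_event_time) AS last_event
  FROM panther_views.public.all_logs
  WHERE p_event_time >= DATEADD(DAY, -30, CURRENT_TIMESTAMP())
    AND p_source_id IN (SELECT source_id FROM deleted_sources)
  GROUP BY p_source_id
)

-- LEFT JOIN so sources that never ingested anything still appear, with a 0 count.
SELECT
  d.source_id,
  d.deleted_at,
  COALESCE(i.event_count, 0) AS event_count,
  i.first_event,
  i.last_event
FROM deleted_sources d
LEFT JOIN ingested i
  ON i.p_source_id = d.source_id
ORDER BY d.deleted_at DESC;
```

Rows with event_count of 0 are the accidentally configured sources the article mentions; the remaining rows are the deleted sources that actually contributed to the ingestion graph. If your Panther instance uses a different query backend, only the actionParams path expression and the DATEADD call need adjusting.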