Finding Log Source Deletion Events in Panther Audit Logs
Last updated: June 3, 2025
How can I find log source deletion events in Panther audit logs?
Log source deletion events are tracked in Panther Audit Logs through different action names depending on how the deletion was performed. Here's how to find these events:
Audit Event Types for Log Source Deletions
Console deletions:
DELETE_LOG_SOURCEGraphQL API deletions, using the deleteSource mutation:
DELETE_LOG_SOURCE(includes additional action description)REST API deletions, using the delete operation:
PUBLIC_API_DELETE_LOG_SOURCE
Searching for Deletion Events
You can find these events using either the Search interface or Data Explorer:
Using Search
You can use either of these search operators:
is: DELETE_LOG_SOURCEhas substring: DELETE_LOG_SOURCE
Using Data Explorer
Run this query in Data Explorer to find deletion events:
SELECT *
FROM panther_logs.public.panther_audit
WHERE actionName LIKE '%DELETE_LOG_SOURCE%'
ORDER by p_event_time DESC
LIMIT 1000Note: Make sure that "Enable Panther Audit Logs" is turned ON in your Panther Console for these events to be recorded. You can verify this setting in your system configuration.