How can I retrieve the full events associated with my Panther alert?
QUESTION
How can I retrieve the full events associated with my Panther alert?
ANSWER
There are multiple ways to retrieve the full events associated with your Panther alert, such as using the Data Explorer or the Panther API to execute a SQL query.
In the example below, we will use the Panther API in the API Playground to query the alert's events.
Prerequisite
- You must have the ID of the alert (its p_alert_id value)
Step 1: Run IssueDataLakeQuery() using the alert ID
Learn more about the IssueDataLakeQuery mutation in the Panther API documentation for Data Lake Queries.
# IssueDataLakeQuery is a nickname for the operation
mutation IssueDataLakeQuery {
  executeDataLakeQuery(input: {
    sql: "SELECT p_event_time as p_timeline, * FROM panther_rule_errors.public.aws_cloudtrail WHERE p_alert_id = 'YOUR_ALERT_ID_HERE' ORDER by p_event_time ASC LIMIT 100"
  }) {
    id # the unique ID of the query
  }
}
Step 2: Run QueryResults() using the query ID returned by the previous step
Learn more about the QueryResults query in the Panther API documentation for Data Lake Queries. The query runs asynchronously, so re-run QueryResults until its status shows the query has finished; the events are then in results.edges[].node.
# QueryResults is a nickname for the operation
query QueryResults {
  dataLakeQuery(id: "YOUR_QUERY_ID_HERE") { # the unique ID of the query
    message
    status
    results {
      edges {
        node
      }
    }
  }
}
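The two steps above, driven from a script rather than the API Playground, as an added example that is not part of the original article or Panther's own SDK. It passes the SQL and query ID as GraphQL variables instead of the inline literals shown above, validates the alert ID before building the SQL string, and polls QueryResults until the status settles; the endpoint URL, the X-API-Key header, the status values and the alert-ID shape are assumptions.

```python
"""Retrieve a Panther alert's events via the API: issue the query, then poll for results.
Assumptions not taken from the article: the endpoint URL, the X-API-Key header, the status
values 'running'/'succeeded', and the alert-ID shape (32 hex characters)."""
import json
import re
import time
import urllib.request

ISSUE_QUERY = """mutation IssueDataLakeQuery($sql: String!) {
  executeDataLakeQuery(input: {sql: $sql}) { id }
}"""
QUERY_RESULTS = """query QueryResults($id: ID!) {
  dataLakeQuery(id: $id) { message status results { edges { node } } }
}"""
ALERT_ID_RE = re.compile(r"[0-9a-f]{32}")  # assumed shape of a Panther alert ID

def build_alert_sql(alert_id, limit=100):
    """Build the article's SQL; reject IDs that could change the query's meaning."""
    if not ALERT_ID_RE.fullmatch(alert_id):
        raise ValueError("unexpected alert ID format: %r" % alert_id)
    return ("SELECT p_event_time as p_timeline, * FROM panther_rule_errors.public.aws_cloudtrail"
            " WHERE p_alert_id = '%s' ORDER by p_event_time ASC LIMIT %d" % (alert_id, limit))

def http_transport(endpoint, api_key):
    """Return send(query, variables), which POSTs a GraphQL document to Panther."""
    def send(query, variables):
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(endpoint, data=body, headers={
            "Content-Type": "application/json", "X-API-Key": api_key})  # assumed header
        with urllib.request.urlopen(req) as resp:
            payload = json.load(resp)
        if payload.get("errors"):
            raise RuntimeError("GraphQL errors: %s" % payload["errors"])
        return payload["data"]
    return send

def fetch_alert_events(send, alert_id, poll_seconds=2.0, max_polls=30):
    """Step 1: IssueDataLakeQuery; step 2: poll QueryResults until the query settles."""
    query_id = send(ISSUE_QUERY, {"sql": build_alert_sql(alert_id)})["executeDataLakeQuery"]["id"]
    for _ in range(max_polls):
        q = send(QUERY_RESULTS, {"id": query_id})["dataLakeQuery"]
        if q["status"] == "succeeded":  # assumed terminal status value
            return [edge["node"] for edge in q["results"]["edges"]]
        if q["status"] != "running":  # e.g. failed or cancelled: surface Panther's message
            raise RuntimeError("query %s %s: %s" % (query_id, q["status"], q["message"]))
        time.sleep(poll_seconds)
    raise TimeoutError("query %s still running after %d polls" % (query_id, max_polls))
```

Call fetch_alert_events(http_transport(ENDPOINT, API_KEY), alert_id) with your own endpoint and key; the transport is injected so the flow can be exercised against a fake before pointing it at a real deployment.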
You can also see how to run data lake queries in NodeJS or Python programs in these end-to-end examples.