How do I correlate user activity across multiple alerts in Panther?
QUESTION
How do I correlate user activity across multiple alerts?
ANSWER
It's common for a single behavior to create multiple alerts within one or more log types. The steps below demonstrate correlating alerts in the Data Explorer from a single log type.
- While viewing an alert in the Panther Console, copy the username from either the event itself or the alert title (as shown below):
- Click View with Data Explorer to open a new page with the pre-populated query:
SELECT * FROM panther_rule_matches.public.aws_cloudtrail t WHERE t.p_alert_id='78e5281811c0aalbf26306ea82caee65' AND (p_alert_ update_time between '2022-10-14 15:33:072' AND '2022-10-14 15:33:08Z') LIMIT 100
- Keep track of the bolded fields above.
- Remove the Alert ID (
WHERE
) clause - Modify the timeframe to query events within several hours before the alert firing
- Add an (
AND
) clause for the username to correlate againstSELECT * FROM panther_rule_matches.public.aws_cloudtrail WHERE p_event_time between '2022-10-14 12:33:00Z' AND '2022-10-14 15:33:08Z' AND userIdentity:arn = 'arn:aws:iam::111222333444:user/user_name'
The resultant logs can then be further filtered and summarized to investigate activity across all CloudTrail logs.
Additionally, the following SELECT statement can speed up analysis by presenting important CloudTrail-specific fields:
SELECT p_event_time, p_rule_id, p_rule_severity, eventName, eventSource, requestParameters, errorCode, userIdentity FROM panther_rule_matches.public.aws_cloudtrail WHERE (p_event_time between '2022-10-14 12:33:00Z' AND '2022-10-14 15:33:08Z') AND userIdentity:arn = 'arn:aws:iam::111222333444:user/user_name' ORDER BY p_event_time ASC