How do I investigate hits on a known bad IP address in Panther?
QUESTION
In the Panther Console, how do I find all “hits” on a known bad IP address to understand who is affected, and what the activity was?
ANSWER
To investigate an IP address, use either Search or Data Explorer in the Panther Console.
Investigate with Search
- Navigate to Investigate > Search in the Panther Console.
- Use the database filters in the upper right to select databases, tables, and a timeframe.
- Enter an IP address into the search bar.
- Click Search.
Optionally, you can click Copy as SQL below the Search button to copy the SQL query to your clipboard and use it in Data Explorer.
Investigate with Data Explorer
If you already know the IP address and want to query the database directly with SQL, start with Investigate > Data Explorer.
Run the following query after replacing the IP address, and adjust any additional limiting criteria such as the time window and row limit as needed:
SELECT p_event_time AS i_event_time,
       p_any_ip_addresses AS i_indicator,
       p_rule_id AS i_rule_id,
       t.*
FROM panther_rule_matches.public.OKTA_SYSTEMLOG t
WHERE ARRAY_CONTAINS('73.92.62.201'::variant, p_any_ip_addresses)
  AND p_occurs_between('2021-12-04 20:55:00Z', '2022-03-04 20:55:59.999Z')
ORDER BY p_event_time DESC
LIMIT 100
Similarly, to pull log events from this IP across all log sources, you can run:
SELECT *
FROM panther_views.public.all_logs
WHERE p_occurs_between('2021-12-04 20:55:00Z', '2022-03-04 20:55:59.999Z')
  AND ARRAY_CONTAINS('73.92.62.201'::variant, p_any_ip_addresses)
ORDER BY p_event_time ASC
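To answer the "who is affected" half of the question, the following is an added example query, not part of the original article, that groups the hits for the IP by log source and username across all log sources. It assumes the Panther standard fields p_log_type and p_any_usernames are present on each normalized event alongside p_any_ip_addresses; the IP and time window reuse the constructed values from the queries above.

```sql
-- Added example: summarize which log sources and users show activity from the IP.
-- Assumes the Panther standard fields p_log_type and p_any_usernames exist on
-- every normalized event (same indicator family as p_any_ip_addresses).
SELECT
    t.p_log_type,
    u.value::string       AS username,      -- one row per username in the array
    COUNT(*)              AS event_count,
    MIN(t.p_event_time)   AS first_seen,
    MAX(t.p_event_time)   AS last_seen
FROM panther_views.public.all_logs t,
     -- outer => TRUE keeps events that carry no username (username will be NULL)
     LATERAL FLATTEN(input => t.p_any_usernames, outer => TRUE) u
WHERE ARRAY_CONTAINS('73.92.62.201'::variant, t.p_any_ip_addresses)
  AND p_occurs_between('2021-12-04 20:55:00Z', '2022-03-04 20:55:59.999Z')
GROUP BY 1, 2
ORDER BY event_count DESC
LIMIT 100;
```

Rows with a NULL username are events that mention the IP but carry no user indicator (for example network or DNS logs); keep them in view, since they still show which sources saw the address and when, and drop the outer => TRUE if you only want user-attributed activity.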