How do I investigate hits on a known bad IP address in Panther?
QUESTION
In the Panther Console, how do I find all “hits” on a known bad IP address to understand who is affected, and what the activity was?
ANSWER
To investigate an IP Address you will leverage Search or Data Explorer in the Panther Console.
Investigate with Search
- Navigate to Investigate > Search in the Panther Console.
- Use the database filters in the upper right to select databases, tables, and a timeframe.
- Enter an IP address into the search bar.
- Click Search.
Optionally, you can click Copy as SQL below the Search button to copy the SQL query to your clipboard and use it in Data Explorer.
Investigate with Data Explorer
If you already know the IP address and you want to go directly to query the database for results via SQL, start with Investigate > Data Explorer.
Run the following query but update the IP Address and then make sure you modify any additional limiting criteria like time windows, row limits, etc:
SELECT
p_event_time as i_event_time,p_any_ip_addresses as i_indicator,p_rule_id as i_rule_id,t.*
FROM panther_rule_matches.public.OKTA_SYSTEMLOG t
WHERE
ARRAY_CONTAINS('73.92.62.201'::variant,p_any_ip_addresses)
AND
p_occurs_between('2021-12-04 20:55:00Z','2022-03-04 20:55:59.999Z')
ORDER BY p_event_time desc
LIMIT 100
Similarly, if you want to extract log events that occurred from this IP across multiple log sources, you can try:
SELECT *
FROM
panther_views.public.all_logs
WHERE
p_occurs_between('2021-12-04 20:55:00Z','2022-03-04 20:55:59.999Z')
AND
ARRAY_CONTAINS('73.92.62.201'::variant,p_any_ip_addresses)
ORDER by p_event_time ASC