How do I investigate hits on a known bad IP address in Panther?
QUESTION
In the Panther Console, how do I find all “hits” on a known bad IP address to understand who is affected, and what the activity was?
ANSWER
To investigate an IP address, use either Indicator Search or Data Explorer in the Panther Console.
Investigate with Indicator Search
- Navigate to Investigate -> Indicator Search in the Panther Console.
- Enter the IP address you are investigating.
- Set Field to Auto Detect Type and choose your look-back time range.
- Click Search.
- To dig deeper, open the results in Data Explorer, where you can see the full query results and refine the query.
Investigate with Data Explorer
If you already know the IP address and you want to go directly to querying the database via SQL, start with Investigate -> Data Explorer.
Run the following query, replacing the IP address and adjusting any limiting criteria (time window, row limit, and so on) to fit your investigation:
SELECT
  p_event_time AS i_event_time,
  p_any_ip_addresses AS i_indicator,
  p_rule_id AS i_rule_id,
  t.*
FROM panther_rule_matches.public.OKTA_SYSTEMLOG t
WHERE
  -- replace with the IP address under investigation
  ARRAY_CONTAINS('73.92.62.201'::variant, p_any_ip_addresses)
  -- adjust the time window to your look-back period
  AND p_occurs_between('2021-12-04 20:55:00Z', '2022-03-04 20:55:59.999Z')
ORDER BY p_event_time DESC
LIMIT 100
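The query above returns one raw row per matching event, which is the right starting point but leaves the analyst to work out who was affected by scanning the rows by hand. The following query is an added example, not part of the original article or Panther's own documentation: it keeps the same table, IP filter and time window, but summarises the hits by rule and by user so the "who is affected" and "what was the activity" questions are answered directly. It assumes the table carries Panther's standard p_any_usernames indicator array (an array of the usernames extracted from each event) alongside p_any_ip_addresses, and uses Snowflake's LATERAL FLATTEN to expand that array to one row per user; outer => TRUE keeps events that have no username so they are still counted.

```sql
-- Added example: summarise hits on one IP by rule and affected user.
-- Assumes the standard Panther indicator column p_any_usernames exists
-- on this table (array of usernames extracted from each event).
SELECT
  p_rule_id,
  f.value::string AS affected_user,  -- NULL when the event named no user
  COUNT(*)         AS hits,
  MIN(p_event_time) AS first_seen,
  MAX(p_event_time) AS last_seen
FROM panther_rule_matches.public.OKTA_SYSTEMLOG t,
  -- one output row per username in the event; outer => TRUE keeps
  -- events whose p_any_usernames array is empty or NULL
  LATERAL FLATTEN(input => t.p_any_usernames, outer => TRUE) f
WHERE
  -- replace with the IP address under investigation
  ARRAY_CONTAINS('73.92.62.201'::variant, p_any_ip_addresses)
  -- adjust the time window to your look-back period
  AND p_occurs_between('2021-12-04 20:55:00Z', '2022-03-04 20:55:59.999Z')
GROUP BY p_rule_id, affected_user
ORDER BY hits DESC, last_seen DESC
LIMIT 100
```

One caveat to keep in mind when reading either query: panther_rule_matches only holds events that triggered a rule. If no rule fired on the traffic from this IP, those events will not appear here even though they were ingested; to confirm the IP is genuinely absent, run the same WHERE clause against the corresponding table in the panther_logs database, which holds every ingested event regardless of rule matches.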