Skip to main content
Panther Knowledge Base

How do I investigate hits on a known bad IP address in Panther?

QUESTION

In the Panther Console, how do I find all “hits” on a known bad IP address to understand who is affected, and what the activity was?

ANSWER

To investigate an IP Address you will leverage Indicator Search or Data Explorer in the Panther Console. 

 

Investigate with Indicator Search

  1. Navigate to Investigate -> Indicator Search in the Panther Console.
  2. Input your IP address
  3. Select Field: Auto Detect Type and add in your look-back time range
  4. Search
  5. You can dig in deeper in the Data Explorer to see more detailed query results!

 

Investigate with Data Explorer

If you already know the IP address and you want go directly to querying the database for results via SQL, start with Investigate -> Data Explorer.

Run the following query but update the IP Address and then make sure you modify any additional limiting criteria like time windows, row limits, etc:

SELECT
p_event_time as i_event_time,p_any_ip_addresses as i_indicator,p_rule_id as i_rule_id,t.*
FROM panther_rule_matches.public.OKTA_SYSTEMLOG t
WHERE
ARRAY_CONTAINS('73.92.62.201'::variant,p_any_ip_addresses)
AND
p_occurs_between('2021-12-04 20:55:00Z','2022-03-04 20:55:59.999Z')
ORDER BY p_event_time desc
LIMIT 100

 

  • Was this article helpful?