How do I investigate hits on a known bad IP address in Panther?
In the Panther Console, how do I find all “hits” on a known bad IP address to understand who is affected, and what the activity was?
To investigate an IP Address you will leverage Indicator Search or Data Explorer in the Panther Console.
Investigate with Indicator Search
- Navigate to Investigate -> Indicator Search in the Panther Console.
- Input your IP address
- Select Field: Auto Detect Type and add in your look-back time range
- You can dig in deeper in the Data Explorer to see more detailed query results!
Investigate with Data Explorer
If you already know the IP address and you want go directly to querying the database for results via SQL, start with Investigate -> Data Explorer.
Run the following query but update the IP Address and then make sure you modify any additional limiting criteria like time windows, row limits, etc:
p_event_time as i_event_time,p_any_ip_addresses as i_indicator,p_rule_id as i_rule_id,t.*
FROM panther_rule_matches.public.OKTA_SYSTEMLOG t
p_occurs_between('2021-12-04 20:55:00Z','2022-03-04 20:55:59.999Z')
ORDER BY p_event_time desc