Skip to main content
Panther Knowledge Base

Can I view the data stored in the Panther KV cache?


Can I view the data stored in the key value (KV) cache used by my stateful detections in Panther?


Yes, you can view the data in your KV cache by following these steps:

  1. Open a request with Panther Support to get access to the panther_kv_table_role IAM role in your Panther AWS account.
  2. Once you've been provided with the role ARN, assume the role from inside the AWS Console or on the command line, by following the instructions below.
How to assume the IAM role
AWS Console

See "Switching to a role (console)" in the AWS documentation.


See "Configuring and using a role" in the Using an IAM role in the AWS CLI documentation.

  1. Add the following profile to your AWS config file:
    [profile panther_kv_table_role_profile]
    role_arn = arn:aws:iam::198655972778:role/panther_kv_table_role
    credential_source = Environment

  2. Run your AWS CLI command with --profile:
    • Scan the whole table:
      aws dynamodb scan --profile panther_kv_table_role_profile --table-name panther-kv-store
    • Query with Key Condition Expression where the key is '':aws dynamodb query --key-condition-expression "#key = :k" --expression-attribute-names "#key = key" --expression-attribute-values '{":k": {"S": ""}}' --profile panther_kv_table_role_profile --table-name panther-kv-store
    • GetItem will retrieve the specified value for the key '': aws dynamodb get-item --key '{"key": {"S": ""}}' --profile panther_kv_table_role_profile --table-name panther-kv-store

      Example Query for Okta.Login.GeographicallyImprobable keys (based on key gen logic in the Panther-managed rule):
aws dynamodb query \
     --table-name panther-kv-store \
     --profile panther_kv_table_role_profile \
     --key-condition-expression "begins_with(key, :k)" \
     --expression-attribute-values '{":k": {"S": "Okta.Login.GeographicallyImprobable"}}'
  • Was this article helpful?