Can I view the data stored in the Panther KV cache?

Last updated
Save as PDF

QUESTION

Can I view the data stored in the key value (KV) cache used by my stateful detections in Panther?

ANSWER

Yes, you can view the data in your KV cache by following these steps:

Open a request with Panther Support to get access to the panther_kv_table_role IAM role in your Panther AWS account.
Once you've been provided with the role ARN, assume the role from inside the AWS Console or on the command line, by following the instructions below.

How to assume the IAM role

AWS Console

See "Switching to a role (console)" in the AWS documentation.

AWS CLI

See "Configuring and using a role" in the Using an IAM role in the AWS CLI documentation.

Add the following profile to your AWS config file:
[profile panther_kv_table_role_profile] role_arn = arn:aws:iam::198655972778:role/panther_kv_table_role credential_source = Environment
Run your AWS CLI command with --profile:
- Scan the whole table:
  aws dynamodb scan --profile panther_kv_table_role_profile --table-name panther-kv-store
- Query with Key Condition Expression where the key is 'me@example.com':aws dynamodb query --key-condition-expression "#key = :k" --expression-attribute-names "#key = key" --expression-attribute-values '{":k": {"S": "me@example.com"}}' --profile panther_kv_table_role_profile --table-name panther-kv-store
- GetItem will retrieve the specified value for the key 'me@example.com': aws dynamodb get-item --key '{"key": {"S": "me@example.com"}}' --profile panther_kv_table_role_profile --table-name panther-kv-store
  
  Example Query for Okta.Login.GeographicallyImprobable keys (based on key gen logic in the Panther-managed rule):

aws dynamodb query \
     --table-name panther-kv-store \
     --profile panther_kv_table_role_profile \
     --key-condition-expression "begins_with(key, :k)" \
     --expression-attribute-values '{":k": {"S": "Okta.Login.GeographicallyImprobable"}}'