Can I view the data stored in the Panther KV cache?
QUESTION
Can I view the data stored in the key value (KV) cache used by my stateful detections in Panther?
ANSWER
Yes, you can view the data in your KV cache by following these steps:
- Open a request with Panther Support to get access to the
panther_kv_table_role
IAM role in your Panther AWS account. - Once you've been provided with the role ARN, assume the role from inside the AWS Console or on the command line, by following the instructions below.
How to assume the IAM role
AWS Console
See "Switching to a role (console)" in the AWS documentation.
AWS CLI
See "Configuring and using a role" in the Using an IAM role in the AWS CLI documentation.
-
Add the following profile to your AWS config file:
[profile panther_kv_table_role_profile]
role_arn = arn:aws:iam::198655972778:role/panther_kv_table_role
credential_source = Environment - Run your AWS CLI command with
--profile
:- Scan the whole table:
aws dynamodb scan --profile panther_kv_table_role_profile --table-name panther-kv-store
- Query with Key Condition Expression where the key is 'me@example.com':
aws dynamodb query --key-condition-expression "#key = :k" --expression-attribute-names "#key = key" --expression-attribute-values '{":k": {"S": "me@example.com"}}' --profile panther_kv_table_role_profile --table-name panther-kv-store
GetItem
will retrieve the specified value for the key 'me@example.com':aws dynamodb get-item --key '{"key": {"S": "me@example.com"}}' --profile panther_kv_table_role_profile --table-name panther-kv-store
Example Query for Okta.Login.GeographicallyImprobable keys (based on key gen logic in the Panther-managed rule):
- Scan the whole table:
aws dynamodb query \ --table-name panther-kv-store \ --profile panther_kv_table_role_profile \ --key-condition-expression "begins_with(key, :k)" \ --expression-attribute-values '{":k": {"S": "Okta.Login.GeographicallyImprobable"}}'