QUESTION

How can I retrieve the full events associated with my Panther alert?

ANSWER

There are multiple ways to retrieve the full events associated with your Panther alert, such as running a SQL query in the Data Explorer or issuing the same query through the Panther API.

In the example below, we use the Panther API from the API Playground to query the events behind an alert: first the query is issued against the data lake, then its results are fetched by query ID.

Step 1: Run IssueDataLakeQuery() using the alert ID

Learn more about the IssueDataLakeQuery mutation in the Panther API documentation for Data Lake Queries.

# IssueDataLakeQuery is the operation name; any name will do
mutation IssueDataLakeQuery {
  executeDataLakeQuery(input: {
    sql: "SELECT p_event_time as p_timeline, * FROM panther_rule_errors.public.aws_cloudtrail WHERE p_alert_id = 'YOUR_ALERT_ID_HERE' ORDER by p_event_time ASC LIMIT 100"
  }) {
     id # the unique ID of the query, needed in Step 2
  }
}

Note that the table name used in the query above (panther_rule_errors.public.aws_cloudtrail) is only an example. For your own alert, build the table name from two things shown in the alert: the alert type selects the database (rule matches are stored under panther_rule_matches, rule errors under panther_rule_errors), and the log type selects the table (the log type name lowercased with dots replaced by underscores, so AWS.CloudTrail becomes aws_cloudtrail). Filtering on p_alert_id is what ties the rows back to the alert, and the LIMIT caps the result set, so raise it if the alert matched more than 100 events.

Step 2: Run QueryResults() using the query ID returned by the previous step

Learn more about the QueryResults query in the Panther API documentation for Data Lake Queries. Data lake queries execute asynchronously: if the status comes back as running, wait and re-run the query below with the same ID until it reaches a terminal status, and check message when the status is anything other than succeeded.

# QueryResults is the operation name; any name will do
query QueryResults {
  dataLakeQuery(id: "YOUR_QUERY_ID_HERE") { # the unique ID of the query from Step 1
    message # error details when the query did not succeed
    status  # poll until this is no longer running
    results {
      edges {
        node # one matched event per node, as a JSON object
      }
    }
  }
}

You can also see how to run data lake queries from Node.js or Python programs in the end-to-end examples in the Panther API documentation.
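The two manual steps above, combined into one script, as an added example that is not part of the original answer or of Panther's own code: it derives the table name from the alert type and log type, issues the query, polls until the status is no longer running, and pages through the results with a cursor. The GraphQL endpoint shape, the X-API-Key header, the lowercase status values (running, succeeded, failed) and the results(input: {cursor, pageSize}) / pageInfo arguments are assumptions about the Panther API taken from its documentation; the FakePanther transport and the sample CloudTrail rows are constructed so the code runs offline.

```python
"""Retrieve every event behind a Panther alert: issue the data lake query, poll it, page the results."""
import json
import re
import time
import urllib.request

# Alert type -> data lake database (assumption: Panther's standard database names).
DATABASES = {"rule_match": "panther_rule_matches", "rule_error": "panther_rule_errors"}

ISSUE_QUERY = """
mutation IssueDataLakeQuery($sql: String!) {
  executeDataLakeQuery(input: {sql: $sql}) { id }
}"""

RESULTS_QUERY = """
query QueryResults($id: ID!, $cursor: String, $pageSize: Int) {
  dataLakeQuery(id: $id) {
    status
    message
    results(input: {cursor: $cursor, pageSize: $pageSize}) {
      edges { node }
      pageInfo { hasNextPage endCursor }
    }
  }
}"""

# Conservative charset for alert IDs (assumption) so the ID cannot break out of the SQL string literal.
_ALERT_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def table_name(alert_type: str, log_type: str) -> str:
    """AWS.CloudTrail + rule_match -> panther_rule_matches.public.aws_cloudtrail"""
    return f"{DATABASES[alert_type]}.public.{log_type.lower().replace('.', '_')}"


def alert_events_sql(alert_id: str, alert_type: str, log_type: str, limit: int = 1000) -> str:
    """Build the timeline query from the page; refuses IDs that could act as SQL."""
    if not _ALERT_ID.match(alert_id):
        raise ValueError(f"refusing to interpolate suspicious alert id: {alert_id!r}")
    return (f"SELECT p_event_time AS p_timeline, * FROM {table_name(alert_type, log_type)} "
            f"WHERE p_alert_id = '{alert_id}' ORDER BY p_event_time ASC LIMIT {int(limit)}")


def panther_graphql(endpoint: str, api_key: str):
    """Transport for a real instance, e.g. https://api.<instance>.runpanther.net/public/graphql (assumed)."""
    def call(query, variables):
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(endpoint, data=body, headers={
            "Content-Type": "application/json", "X-API-Key": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            reply = json.load(resp)
        if reply.get("errors"):
            raise RuntimeError(reply["errors"])
        return reply["data"]
    return call


def retrieve_alert_events(transport, alert_id, alert_type, log_type,
                          page_size=50, poll_interval=2.0, timeout=300.0):
    """Step 1 then Step 2: issue the query, poll until terminal, collect every page of events."""
    sql = alert_events_sql(alert_id, alert_type, log_type)
    query_id = transport(ISSUE_QUERY, {"sql": sql})["executeDataLakeQuery"]["id"]
    deadline = time.monotonic() + timeout
    cursor, events = None, []
    while True:
        data = transport(RESULTS_QUERY, {"id": query_id, "cursor": cursor,
                                         "pageSize": page_size})["dataLakeQuery"]
        if data["status"] == "running":           # not finished yet: back off and re-poll
            if time.monotonic() > deadline:
                raise TimeoutError(f"query {query_id} still running after {timeout}s")
            time.sleep(poll_interval)
            continue
        if data["status"] != "succeeded":         # failed / cancelled: surface the message
            raise RuntimeError(f"query {query_id} ended {data['status']}: {data.get('message')}")
        page = data["results"]
        events.extend(edge["node"] for edge in page["edges"])
        if not page["pageInfo"]["hasNextPage"]:
            return events
        cursor = page["pageInfo"]["endCursor"]   # fetch the next page of the same query


# Constructed sample rows standing in for aws_cloudtrail events that matched one alert.
SAMPLE_EVENTS = [
    {"p_event_time": "2024-05-01T10:00:00Z", "eventName": "ConsoleLogin", "p_alert_id": "abc123"},
    {"p_event_time": "2024-05-01T10:02:00Z", "eventName": "CreateUser", "p_alert_id": "abc123"},
    {"p_event_time": "2024-05-01T10:03:00Z", "eventName": "AttachUserPolicy", "p_alert_id": "abc123"},
]


class FakePanther:
    """Offline stand-in for the API: reports 'running' on the first poll, then pages the rows."""
    def __init__(self, rows):
        self.rows, self.polls, self.sql = rows, 0, None

    def __call__(self, query, variables):
        if query == ISSUE_QUERY:
            self.sql = variables["sql"]
            return {"executeDataLakeQuery": {"id": "q-1"}}
        self.polls += 1
        if self.polls == 1:
            return {"dataLakeQuery": {"status": "running", "message": None, "results": None}}
        start = int(variables["cursor"] or 0)
        end = start + variables["pageSize"]
        return {"dataLakeQuery": {"status": "succeeded", "message": None, "results": {
            "edges": [{"node": r} for r in self.rows[start:end]],
            "pageInfo": {"hasNextPage": end < len(self.rows), "endCursor": str(end)}}}}


if __name__ == "__main__":
    # Swap FakePanther for panther_graphql(endpoint, api_key) to run against a real instance.
    rows = retrieve_alert_events(FakePanther(SAMPLE_EVENTS), "abc123", "rule_match",
                                 "AWS.CloudTrail", page_size=2, poll_interval=0)
    print(json.dumps(rows, indent=2))
```

The alert ID is validated before it is interpolated because it is the only caller-supplied value that reaches the SQL string; if you ever build the filter from data pulled out of an untrusted source (a ticket, a webhook), keep that check or move to a parameterised query. The cursor loop matters for noisy alerts: a single dataLakeQuery response only carries one page, so stopping after the first page silently drops events.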