Can Panther give me sample data to use in my account?

Last updated: September 3, 2024

QUESTION

Can I get access to sample data to test workflows in my Panther account?

ANSWER

Yes, Panther has sample data available for customers and trial users to use for testing.

Onboarding sample log data (Okta)

Panther has generated sample log data to allow users to test workflows without needing to onboard data from your actual environment. By completing the process below, you will have access to fake Okta logs in your environment to run detections and queries against.

Onboarding this data with the recommended Detection Packs enabled will guarantee that detection alerts will be generated.

Prerequisites
  • Ensure you have an available S3 Bucket in an AWS account you control.

    • We recommend using a bucket in the same region as your Panther account if possible.

  • Download the latest version of the fake logs from GitHub. Do not upload these to the S3 bucket yet!

  • Configure an Alert Destination, such as Slack, before setting up fake logs.

    • This allows you to send alerts outside the Panther Console to test alert workflows. If you do not set up a destination, you will still be able to see alerts in the Panther Console.

Setting up sample Okta logs

After completing the prerequisites, follow the steps below:

  1. In the Panther Console, enable both the “Universal Detection Pack” and “Okta Detection Pack.”

  2. Onboard your S3 bucket in the Panther Console. Follow the linked documentation while referencing the following information:

    • We recommend giving your Source Name a unique identifier like okta-test-data. This will be important for filtering out test data from production data later on.

    • For the Stream Type, select the “Lines” option.

    • Under S3 Prefixes & Schemas - Optional:

    1. Click “Add prefix(es) and/or schemas now”

    2. Click Add Schemas

    3. Choose Okta.SystemLog from the dropdown

  3. Upload the fake data to your S3 bucket as a gzip file (no decompression needed).

Once the fake data has been uploaded to your S3 bucket, Panther will begin ingesting the logs. Alerts should appear in the Panther Console (and an external Alert Destination if one was set up) within a few minutes.

How to Query Sample Data

Once onboarded, you can query your sample data in the Data Explorer. You can access the Data Explorer in the Panther Console by navigating to Investigate > Data Explorer. Example queries are available in our documentation.
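A quick way to confirm that the sample source actually landed before relying on the detection packs, as an added example that is not from the original article: it keeps only rows from the okta-test-data source and summarizes them by Okta event type over the sample's date range. It assumes the Panther standard column p_event_time and the Okta System Log field eventType.

```sql
-- Added example: verify the sample Okta source ingested and see which event types it contains.
-- Assumes the Panther standard field p_event_time and the Okta System Log field eventType.
SELECT
    eventType,
    COUNT(*)          AS event_count,
    MIN(p_event_time) AS first_seen,
    MAX(p_event_time) AS last_seen
FROM panther_logs.public.okta_systemlog
WHERE p_source_label = 'okta-test-data'      -- the Source Name chosen during onboarding
  AND p_occurs_between('2022-10-19 00:00:00Z', '2022-10-20 00:00:00Z')
GROUP BY eventType
ORDER BY event_count DESC;
```

If this returns no rows, the upload has not been ingested yet or the Source Name does not match the p_source_label filter.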

Filtering Out Sample Data

Panther accounts that are ingesting Okta logs from other sources, such as a production environment, may want to filter the sample data out of queries. The following query shows how to do that, using the Source Name chosen during onboarding:

SELECT *
FROM panther_logs.public.okta_systemlog
WHERE p_source_label != 'okta-test-data'
AND p_occurs_between('2022-10-19 00:00:00Z', '2022-10-20 00:00:00Z')