QUESTION

Can I query the alert_context of a given alert, using the alert ID and the Panther API?

ANSWER

Currently, Panther does not support querying the alert_context directly. If you are interested in support of this feature, please contact Panther Support to put in a request.

In the meantime, you can query alert_context via the API using a data lake query.

We store alert context in the panther_rule_matches database, so you can use a request like this:

# IssueDataLakeQuery is a nickname for the operation
mutation IssueDataLakeQuery {
  executeDataLakeQuery(input: {
    sql: "select * from panther_rule_matches.public.aws_alb limit 50"
  }) {
     id # the unique ID of the query
  }
}

To make the SQL run more efficiently, you can specify a constraint on p_event_time, e.g. from createdAt to lastReceivedEventAt. However, event time is usually different from alert time due to latency, so to make sure you get all the alert info you want, we recommend opening up the constraints, with something like createdAt - 1 hour to lastReceivedEventAt.

To test the speed of this data lake query, and use that to estimate the performance of the overall API operation, you can run the SQL from the query described above in Panther's Data Explorer.
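As an added example that is not part of the original answer, the following Python builds the data lake SQL with the widened p_event_time window described above and submits it through the executeDataLakeQuery mutation. It assumes the alert's createdAt and lastReceivedEventAt are ISO-8601 strings, that rule-match rows carry p_alert_id and p_alert_context columns, and that the API is authenticated with an X-API-Key header; the sample timestamps and alert ID are constructed.

```python
import json
import re
import urllib.request
from datetime import datetime, timedelta

# Validate ids and table names before interpolating them into SQL (formats assumed).
ALERT_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
TABLE_RE = re.compile(r"^[a-z0-9_]+$")

def parse_ts(value: str) -> datetime:
    """Parse ISO-8601 timestamps such as createdAt (a trailing Z means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def event_time_window(created_at, last_received_event_at, slack=timedelta(hours=1)):
    """Window on p_event_time, widened by `slack` before createdAt (events precede the alert)."""
    start = parse_ts(created_at) - slack
    end = parse_ts(last_received_event_at)
    return start.strftime("%Y-%m-%d %H:%M:%S"), end.strftime("%Y-%m-%d %H:%M:%S")

def build_sql(table, alert_id, created_at, last_received_event_at):
    """SQL for one alert's rule-match rows. Filtering on p_alert_id and selecting
    p_alert_context are assumptions about the panther_rule_matches columns."""
    if not ALERT_ID_RE.match(alert_id):
        raise ValueError(f"unexpected alert id format: {alert_id!r}")
    if not TABLE_RE.match(table):
        raise ValueError(f"unexpected table name: {table!r}")
    start, end = event_time_window(created_at, last_received_event_at)
    return (f"select p_alert_id, p_event_time, p_alert_context "
            f"from panther_rule_matches.public.{table} "
            f"where p_event_time between '{start}' and '{end}' "
            f"and p_alert_id = '{alert_id}' limit 50")

MUTATION = """mutation IssueDataLakeQuery($sql: String!) {
  executeDataLakeQuery(input: {sql: $sql}) { id }
}"""

def build_request(sql):
    """GraphQL payload; the SQL travels as a variable rather than spliced into the text."""
    return {"query": MUTATION, "variables": {"sql": sql}}

def issue_query(endpoint, api_key, sql):
    """POST the mutation and return the data lake query id (header name assumed)."""
    body = json.dumps(build_request(sql)).encode()
    req = urllib.request.Request(endpoint, data=body, headers={
        "Content-Type": "application/json", "X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]["executeDataLakeQuery"]["id"]

if __name__ == "__main__":  # constructed sample alert values, not real data
    print(build_sql("aws_alb", "0123abcd", "2023-05-01T12:00:00Z", "2023-05-01T12:30:00Z"))
```

The returned query id is the same value the mutation on this page returns, so the query's results can then be fetched the same way as for any other data lake query.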

For more information about querying information about alerts via the API, see our guides here: