QUESTION

Can I view the data stored in the key value (KV) cache used by my stateful detections in Panther?

ANSWER

Yes, you can view the data in your KV cache by following these steps:

  1. Open a request with Panther Support to get access to the panther_kv_table_role IAM role in your Panther AWS account.

  2. Once you've been provided with the role ARN, assume the role from inside the AWS Console or on the command line, by following the instructions below.

How to assume the IAM role
AWS Console

See "Switching to a role (console)" in the AWS documentation.

AWS CLI

See "Configuring and using a role" in the AWS CLI documentation page "Using an IAM role in the AWS CLI".

  1. Add the following profile to your AWS config file:
    [profile panther_kv_table_role_profile]
    role_arn = arn:aws:iam::198655972778:role/panther_kv_table_role
    credential_source = Environment

  2. Run your AWS CLI command with --profile:

    • Scan the whole table:
      aws dynamodb scan --profile panther_kv_table_role_profile --table-name panther-kv-store

    • Query with a key condition expression where the key is '[email protected]':
      aws dynamodb query --key-condition-expression "#key = :k" --expression-attribute-names '{"#key": "key"}' --expression-attribute-values '{":k": {"S": "[email protected]"}}' --profile panther_kv_table_role_profile --table-name panther-kv-store

    • GetItem retrieves the value stored for the key '[email protected]':
      aws dynamodb get-item --key '{"key": {"S": "[email protected]"}}' --profile panther_kv_table_role_profile --table-name panther-kv-store

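Example lookup of Okta.Login.GeographicallyImprobable keys (based on the key generation logic in the Panther-managed rule). A query key condition only accepts an equality match on the partition key, so matching keys by prefix takes a scan with a filter expression. The attribute name key is a DynamoDB reserved word, so it is referenced through the #key alias:

aws dynamodb scan \
     --table-name panther-kv-store \
     --profile panther_kv_table_role_profile \
     --filter-expression "begins_with(#key, :k)" \
     --expression-attribute-names '{"#key": "key"}' \
     --expression-attribute-values '{":k": {"S": "Okta.Login.GeographicallyImprobable"}}'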
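
The CLI commands above return items in DynamoDB's typed JSON ({"S": ...}, {"N": ...}), which is hard to read when reviewing what a detection has cached. The following is an added example, not Panther's code, that flattens saved scan output and filters it by key prefix. Only the key attribute name comes from this page; the key suffixes, the other attribute names and all values in the sample are constructed.

```python
import json
from decimal import Decimal

# Constructed sample of `aws dynamodb scan` output. Only the "key" attribute
# name comes from the page; every other attribute name and value is made up.
SAMPLE_SCAN_OUTPUT = """
{"Items": [
  {"key": {"S": "Okta.Login.GeographicallyImprobable:alice"},
   "last_login": {"M": {"city": {"S": "Lisbon"}, "lat": {"N": "38.72"}}},
   "expires": {"N": "1700000000"}},
  {"key": {"S": "Okta.Login.GeographicallyImprobable:bob"},
   "seen_ips": {"SS": ["203.0.113.7", "198.51.100.9"]},
   "flagged": {"BOOL": true}},
  {"key": {"S": "Some.Other.Rule:carol"}, "count": {"N": "3"}}
 ], "Count": 3, "ScannedCount": 3}
"""

def plain(av):
    """Convert one DynamoDB typed attribute value into a plain Python value."""
    (tag, val), = av.items()  # exactly one type descriptor per value
    if tag in ("S", "B", "BOOL"):
        return val
    if tag == "N":  # numbers arrive as strings to preserve precision
        num = Decimal(val)
        return int(num) if num == num.to_integral_value() else float(num)
    if tag == "NULL":
        return None
    if tag in ("SS", "BS"):
        return sorted(val)
    if tag == "NS":
        return sorted(plain({"N": n}) for n in val)
    if tag == "L":
        return [plain(x) for x in val]
    if tag == "M":
        return {k: plain(v) for k, v in val.items()}
    raise ValueError(f"unknown DynamoDB type descriptor: {tag}")

def cache_entries(scan_json, prefix=""):
    """Return {key: attributes} for items whose key starts with prefix."""
    out = {}
    for item in json.loads(scan_json).get("Items", []):
        row = plain({"M": item})  # an item is a map of typed attributes
        key = row.pop("key")
        if key.startswith(prefix):
            out[key] = row
    return out

if __name__ == "__main__":
    for k, v in cache_entries(SAMPLE_SCAN_OUTPUT, "Okta.Login.GeographicallyImprobable").items():
        print(k, v)
```

To use it on real data, redirect the output of the scan command to a file and pass the file's contents to cache_entries in place of the sample.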