Can I view the data stored in the key value (KV) cache used by my stateful detections in Panther?
Yes, you can view the data in your KV cache by following these steps:
Open a request with Panther Support to get access to the panther_kv_table_role
IAM role in your Panther AWS account.
Once you've been provided with the role ARN, assume the role from inside the AWS Console or on the command line, by following the instructions below.
See "Switching to a role (console)" in the AWS documentation.
See "Configuring and using a role" in the Using an IAM role in the AWS CLI documentation.
Add the following profile to your AWS config file:[profile panther_kv_table_role_profile]
role_arn = arn:aws:iam::198655972778:role/panther_kv_table_role
credential_source = Environment
Run your AWS CLI command with --profile
:
Scan the whole table:aws dynamodb scan --profile panther_kv_table_role_profile --table-name panther-kv-store
Query with Key Condition Expression where the key is '[email protected]':aws dynamodb query --key-condition-expression "#key = :k" --expression-attribute-names "#key = key" --expression-attribute-values '{":k": {"S": "[email protected]"}}' --profile panther_kv_table_role_profile --table-name panther-kv-store
GetItem
will retrieve the specified value for the key '[email protected]': aws dynamodb get-item --key '{"key": {"S": "[email protected]"}}' --profile panther_kv_table_role_profile --table-name panther-kv-store
Example Query for Okta.Login.GeographicallyImprobable keys (based on key gen logic in the Panther-managed rule):
aws dynamodb query \
--table-name panther-kv-store \
--profile panther_kv_table_role_profile \
--key-condition-expression "begins_with(key, :k)" \
--expression-attribute-values '{":k": {"S": "Okta.Login.GeographicallyImprobable"}}'