Querying and Writing Detections for Panther Audit Logs

Overview

You can , meaning you can then interact with Panther audit logs in detections, data lake queries, and more.

Querying the Data Lake for Panther audit logs

Audit logs can be found in the data lake under panther_logs.panther_audit. The following query, executed in or , shows all audit events within the last day:

SELECT * FROM panther_logs.panther_audit WHERE p_occurs_since('1 day');

The result of this query would include several audit logs, an example of which can be seen below:

{
	"XForwardedFor": [
		"72.72.72.72",
		"130.172.130.172"
	],
	"actionDescription": "Lists the details of all available data lake databases",
	"actionName": "LIST_DATA_LAKE_DATABASES",
	"actionParams": {},
	"actionResult": "SUCCEEDED",
	"actor": {
		"attributes": {
			"email": "foo.user@acmecorp.io",
			"emailVerified": false,
			"roleId": ""
		},
		"id": "AcmecorpSSO_foo.user@acmecorp.io",
		"name": "foo.user@acmecorp.io",
		"type": "USER"
	},
	"errors": null,
	"p_any_ip_addresses": [
		"72.72.72.72",
		"130.172.130.172"
	],
	"p_any_trace_ids": [
		"AcmecorpSSO_foo.user@acmecorp.io"
	],
	"p_any_usernames": [
		"foo.user@acmecorp.io"
	],
	"p_event_time": "2022-04-22 15:39:55.358",
	"p_log_type": "Panther.Audit",
	"p_parse_time": "2022-04-22 15:41:36.276",
	"p_row_id": "asdfdjklasdfjklasdfjlk",
	"p_source_id": "abc12345-ab12-cd12-ef12-abc1234567890",
	"p_source_label": "panther-audit-logs-us-east-1",
	"pantherVersion": "1.34.0",
	"sourceIP": "72.72.72.72",
	"timestamp": "2022-04-22 15:39:55.358",
	"userAgent": ""
}

Writing a detection for Panther audit logs

Audit logs can be leveraged to write powerful detections for generating alerts when an unusual or important action has been taken within Panther.

Let's write a detection that alerts when a detection has been deleted.

Step 1: Begin creating the detection

1. In the left-hand navigation bar of your Panther Console, click Detections.

2. On the Detections page, click Create New.

3. In the Select Detection Type modal, click Rule.

4. Enter a descriptive Name for your rule, e.g., Panther detection deleted.

6. In the Detect tile, click Python Editor.

7. In the code editor, enter the following Python code, which will generate an alert when a detection is deleted:

   Copy

   def rule(event):    
       return event.get('actionName') == 'DELETE_DETECTION'
   def title(event):
       return 'Detection deleted!'
8. In the Create Alert tile, under Required Fields, select a Severity.

9. Scroll down to the Test tile, and click Add New.

Step 2: Create a test for the detection

In Step 1, you defined your detection and clicked Add New under Test to begin the process of testing.

Below, you will generate test data for the action you wrote a detection for. In the example, we defined a detection to check for the action of deleting a detection in the Panther Console.

1. In a separate browser tab, open your Panther Console. Perform the action you wrote a detection for to generate a test audit log.

   • In the example above, we defined a detection to check for the action of deleting a detection in the Panther Console. For this example, you would follow these steps:

     1. Navigate to Build > Detections.

     2. Create a test detection.

     3. After successfully creating the detection, delete it.

2. In the left sidebar, click Investigate > Data Explorer.

3. Execute a query to find the audit log for the action you are testing against.

   • Based on our example, we will use the following query to check for the recently deleted detection:

     Copy

     SELECT * FROM panther_logs.panther_audit WHERE actionName = 'DELETE_DETECTION'
     ORDER BY timestamp DESC
     LIMIT 1;

   • If no results are returned, wait a few minutes and retry.

4. Copy the JSON object in the Data Explorer results representing this log. Navigate back to the detection you defined, then paste the JSON object into the Test text editor.

5. Leave the The detection should trigger based on the example event toggle set to YES.

6. Click Run Test.
7. In the upper-right corner of the page, click Deploy.

Creating a descriptive alert title

In the example above, we used a simple alert title:

def title(event):
    return 'Detection deleted!'

You can construct a more descriptive alert title using the values found in the actionParams field within the audit log:

def title(event):
    deleted_detection_id = event.get('actionParams').get('input').get('detections')[0].get('id')
    actor_type = event.get('actor').get('type').lower()
    actor_readable_id = event.get('actor').get('name') if event.get('actor').get('name') else event.get('actor').get('id')
    return f"Detection '{deleted_detection_id}' deleted by {actor_type} {actor_readable_id}!"