Querying and Writing Detections for Panther Audit Logs
Monitor your Panther audit logs
Overview
Once you enable Panther audit log ingestion, Panther's own audit events are treated like any other log source: you can query them in the data lake, write detections against them, and so on. This lets you monitor administrative activity in Panther itself, such as who changed or deleted a detection.
Querying the Data Lake for Panther audit logs
Audit logs can be found in the data lake under panther_logs.panther_audit. The following query, executed in Search or Data Explorer, shows all audit events within the last day:
SELECT * FROM panther_logs.panther_audit WHERE p_occurs_since('1 day');
The result of this query would include several audit logs, an example of which can be seen below:
{
  "XForwardedFor": [
    "72.72.72.72",
    "130.172.130.172"
  ],
  "actionDescription": "Lists the details of all available data lake databases",
  "actionName": "LIST_DATA_LAKE_DATABASES",
  "actionParams": {},
  "actionResult": "SUCCEEDED",
  "actor": {
    "attributes": {
      "email": "[email protected]",
      "emailVerified": false,
      "roleId": ""
    },
    "id": "[email protected]",
    "name": "[email protected]",
    "type": "USER"
  },
  "errors": null,
  "p_any_ip_addresses": [
    "72.72.72.72",
    "130.172.130.172"
  ],
  "p_any_trace_ids": [
    "[email protected]"
  ],
  "p_any_usernames": [
    "[email protected]"
  ],
  "p_event_time": "2022-04-22 15:39:55.358",
  "p_log_type": "Panther.Audit",
  "p_parse_time": "2022-04-22 15:41:36.276",
  "p_row_id": "asdfdjklasdfjklasdfjlk",
  "p_source_id": "abc12345-ab12-cd12-ef12-abc1234567890",
  "p_source_label": "panther-audit-logs-us-east-1",
  "pantherVersion": "1.34.0",
  "sourceIP": "72.72.72.72",
  "timestamp": "2022-04-22 15:39:55.358",
  "userAgent": ""
}
Writing a detection for Panther audit logs
Audit logs let you alert when an unusual or high-impact action is taken within Panther itself, for example when someone removes a detection. The actionName, actionResult, and actor fields shown above are the ones most detections key on.
Let's write a detection that alerts when a detection has been deleted.
Step 1: Begin creating the detection
In the left-hand navigation bar of your Panther Console, click Detections.
On the Detections page, click Create New.
In the Select Detection Type modal, click Rule.
Enter a descriptive Name for your rule, e.g., Panther detection deleted.
Under For the Following Source, in the Log Types dropdown, select Panther.Audit.
In the Detect tile, click Python Editor.
In the code editor, enter the following Python code, which will generate an alert when a detection is deleted:
def rule(event):
    # Match the audit action recorded when a detection is deleted
    return event.get('actionName') == 'DELETE_DETECTION'

def title(event):
    return 'Detection deleted!'

This code defines a simple title using the title() function. Learn how to create a more descriptive title below, in Creating a descriptive alert title.
In the Create Alert tile, under Required Fields, select a Severity.
Scroll down to the Test tile, and click Add New.
Continue in Step 2: Create a test for the detection.
Step 2: Create a test for the detection
In Step 1, you defined your detection and clicked Add New under Test. Next, you will generate real test data by performing, in the Panther Console, the action your detection looks for. In this example, that action is deleting a detection.
In a separate browser tab, open your Panther Console and perform the action to generate a test audit log. For the deletion example, follow these steps:
Navigate to Build > Detections.
Create a test detection.
After successfully creating the detection, delete it.
In the left sidebar, click Investigate > Data Explorer.
Execute a query to find the audit log for the action you are testing against.
Based on our example, we will use the following query to check for the recently deleted detection:
SELECT * FROM panther_logs.panther_audit WHERE actionName = 'DELETE_DETECTION' ORDER BY timestamp DESC LIMIT 1;
Audit events are parsed a minute or two after they occur (compare p_event_time with p_parse_time in the example above), so if no results are returned, wait a few minutes and retry.
Copy the JSON object in the Data Explorer results representing this log. Navigate back to the detection you defined, then paste the JSON object into the Test text editor.
Leave the "The detection should trigger based on the example event" toggle set to YES, then click Run Test.
Verify that the test passes (the rule returns True for the event) and that the alert title is what you expect.
In the upper-right corner of the page, click Deploy.
Creating a descriptive alert title
In the example above, we used a simple alert title:
def title(event):
return 'Detection deleted!'
You can construct a more descriptive alert title using the values found in the actionParams field within the audit log:
def title(event):
    # Guard each lookup with a default so a malformed event cannot crash title()
    action_params = event.get('actionParams') or {}
    detections = (action_params.get('input') or {}).get('detections') or [{}]
    deleted_detection_id = detections[0].get('id', 'unknown')
    actor = event.get('actor') or {}
    actor_type = (actor.get('type') or 'unknown').lower()
    actor_readable_id = actor.get('name') or actor.get('id') or 'unknown'
    return f"Detection '{deleted_detection_id}' deleted by {actor_type} {actor_readable_id}!"
See the log schema for more information on the audit log fields.
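The following is an added example, not code from the Panther documentation or from the Panther project, that pulls together the rule from Step 1, the descriptive title above, and the test run from Step 2 into one module you can execute locally. It follows the Panther rule-module convention (rule, title, dedup, severity and alert_context functions that each receive the event) and reads only the audit fields shown on this page: actionName, actionResult, actor, sourceIP, XForwardedFor, errors and actionParams.input.detections[*].id. The sample events are constructed; the detection IDs, actor IDs and the TOKEN actor type are made up, and _deep_get is a stand-in for Panther's panther_base_helpers.deep_get so the file runs without the Panther runtime. Unlike the page's rule, it also lowers the severity for failed deletion attempts and groups repeated deletions by the same actor with dedup().

```python
"""Panther.Audit rule for deleted detections, with a local dry run.

Added example, not Panther's own code. Field names follow the Panther.Audit
events shown on the page; sample values are constructed.
"""

DELETE_ACTION = "DELETE_DETECTION"


def _deep_get(obj, *keys, default=None):
    """Walk nested dicts/lists, returning default on any missing step
    (stand-in for panther_base_helpers.deep_get)."""
    for key in keys:
        if isinstance(obj, dict):
            obj = obj.get(key)
        elif isinstance(obj, list) and isinstance(key, int) and 0 <= key < len(obj):
            obj = obj[key]
        else:
            return default
        if obj is None:
            return default
    return obj


def _actor(event):
    """Return (lower-cased actor type, best human-readable actor identifier)."""
    actor = event.get("actor") or {}
    actor_type = (actor.get("type") or "unknown").lower()
    readable = actor.get("name") or actor.get("id") or "unknown"
    return actor_type, readable


def _deleted_ids(event):
    """IDs of every detection named in the request (one call may remove several)."""
    detections = _deep_get(event, "actionParams", "input", "detections", default=[])
    return [d.get("id") for d in detections if isinstance(d, dict) and d.get("id")]


def rule(event):
    # Match the audit action recorded when a detection is deleted; failed
    # attempts still match, but severity() reports them as LOW.
    return event.get("actionName") == DELETE_ACTION


def title(event):
    ids = _deleted_ids(event) or ["<unknown>"]
    actor_type, readable = _actor(event)
    return f"Detection(s) {', '.join(ids)} deleted by {actor_type} {readable}"


def dedup(event):
    # Group repeated deletions by the same actor into a single alert
    return f"{DELETE_ACTION}:{(event.get('actor') or {}).get('id', 'unknown')}"


def severity(event):
    return "HIGH" if event.get("actionResult") == "SUCCEEDED" else "LOW"


def alert_context(event):
    return {
        "deleted_detection_ids": _deleted_ids(event),
        "action_result": event.get("actionResult"),
        "source_ip": event.get("sourceIP"),
        "x_forwarded_for": event.get("XForwardedFor"),
        "errors": event.get("errors"),
    }


# Constructed Panther.Audit events standing in for Data Explorer results.
SAMPLE_EVENTS = [
    {   # a user deletes one detection successfully
        "actionName": "DELETE_DETECTION", "actionResult": "SUCCEEDED",
        "actionParams": {"input": {"detections": [{"id": "Custom.S3.BucketPublic"}]}},
        "actor": {"id": "u-1001", "name": "alice@example.com", "type": "USER"},
        "sourceIP": "72.72.72.72", "XForwardedFor": ["72.72.72.72"], "errors": None,
    },
    {   # an API token (no display name, assumed "TOKEN" type) fails to delete two
        "actionName": "DELETE_DETECTION", "actionResult": "FAILED",
        "actionParams": {"input": {"detections": [{"id": "Custom.IAM.RootLogin"},
                                                   {"id": "Custom.EC2.AmiShared"}]}},
        "actor": {"id": "tok-2002", "name": "", "type": "TOKEN"},
        "sourceIP": "130.172.130.172", "errors": [{"message": "detection not found"}],
    },
    {   # the page's own sample action, which must not fire
        "actionName": "LIST_DATA_LAKE_DATABASES", "actionResult": "SUCCEEDED",
        "actionParams": {}, "actor": {"id": "u-1001", "name": "alice@example.com", "type": "USER"},
    },
]


def evaluate(events):
    """Mimic the console's Run Test: apply rule() and collect alert fields for matches."""
    return [
        {"title": title(e), "dedup": dedup(e), "severity": severity(e), "context": alert_context(e)}
        for e in events if rule(e)
    ]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["severity"], alert["title"])
```

To use it in Panther, keep only the functions (drop SAMPLE_EVENTS and evaluate), replace _deep_get with the deep_get helper Panther ships, and paste the JSON you copied from Data Explorer in Step 2 into the Test editor; title() is deliberately tolerant of missing fields so a malformed event produces a readable title instead of an exception in the rule runtime.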