Data Analytics

Using Panther's Data Analytics to run queries and search your normalized log data

Overview

Panther's Data Analytics enable you to freely search collected and normalized log data using SQL in your security data lake. You can search quickly using common indicators or robustly using SQL.
As Panther ingests data, we parse, normalize and store that data in Snowflake, which is necessary for investigations, baselining behaviors, writing rules, and generating analytics on logs in the context of days, weeks, or months of data.

Getting started searching your data in Panther

Determining where to start

Indicator Search is the best place to start investigating if your search includes common indicators.
  • Indicator Search runs quick investigations on common Indicators of Compromise (IOCs) across all logs Panther monitors. Indicator Search removes the need to write SQL to answer common questions about suspicious activity and presents results in a simple visualization.
Data Explorer is the best place to start if you are investigating a more nuanced issue - for example, a search that requires joining tables together, or one where you want to control which fields are returned by adding more clauses.
  • Data Explorer is where you can perform SQL queries (with autocompletion) to search across your data. You can also browse log data and rule matches, search standard fields across data, manage and schedule queries, select JSON rows to use as unit tests, share results with your team through a link, and download results in a CSV.
To see a video demonstrating Indicator Search, please see the Indicator Search overview video in the Indicator Search documentation.
  1. Log in to the Panther Console.
  2. In the left sidebar, click Investigate > Indicator Search.
  3. Enter your indicator(s) into the search field.
    • You can mix types of indicators (e.g., IP addresses, domain names, ARNs, file hashes). If you enter multiple indicators or indicator types, the search will execute with an OR condition - for example, indicator 1 OR indicator 2.
  4. Select a time range.
    • The search will find all connected events associated with the indicators in the specified time range.
  5. Click the magnifying glass icon to search.
Indicator Search includes features that allow you to quickly drill down into a more granular view and pivot off an indicator.
You might start your investigation in Indicator Search and use the built-in options to open your search in Data Explorer, where you can modify a pre-populated SQL query.
For more information, see Indicator Search.

Starting with Data Explorer

If you started your investigation in Indicator Search, you can open a search in Data Explorer directly from your search results. Follow the instructions below if you are starting your search from Data Explorer.
  1. Log in to your Panther Console.
  2. In the left sidebar, click Investigate > Data Explorer.
  3. Write a SQL query to search your data.
  4. Click Run Query.
For more information, see Data Explorer.
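As an added illustration (not a query from the Panther documentation), the following Data Explorer query expresses the same logic the Indicator Search steps above describe: two indicators of different types combined with OR, restricted to a time range. It assumes Panther's standard fields (`p_event_time`, `p_log_type`, `p_any_ip_addresses`, `p_any_domain_names`) and the table `panther_logs.public.aws_cloudtrail`; the indicator values and dates are constructed.

```sql
-- Added example, not part of the original page.
-- Assumed: Panther standard fields p_event_time, p_log_type,
-- p_any_ip_addresses, p_any_domain_names on the table
-- panther_logs.public.aws_cloudtrail (Snowflake SQL).
-- The IP, domain and time range below are constructed sample values.
SELECT
    p_event_time,
    p_log_type,
    p_any_ip_addresses,
    p_any_domain_names
FROM panther_logs.public.aws_cloudtrail
-- Step 4 of Indicator Search: limit the search to a time range
WHERE p_event_time BETWEEN '2024-01-01 00:00:00' AND '2024-01-08 00:00:00'
  -- Step 3: multiple indicators of mixed types are combined with OR
  AND (
        ARRAY_CONTAINS('198.51.100.23'::VARIANT, p_any_ip_addresses)  -- indicator 1 (IP)
     OR ARRAY_CONTAINS('example.test'::VARIANT, p_any_domain_names)   -- indicator 2 (domain)
  )
ORDER BY p_event_time DESC
LIMIT 100;
```

Replace the table name to search a different log source, or add a further `OR ARRAY_CONTAINS(...)` clause per indicator, which is the kind of edit you would make to the pre-populated query when pivoting from Indicator Search into Data Explorer.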

Panther's Data Analytics features

In addition to Indicator Search and Data Explorer, Panther offers other features that allow you to quickly and efficiently search your data:
  • Standard Fields
  • Saved and Scheduled Queries
  • Query History

Example Queries

Panther offers common use cases and example queries you may want to run while investigating suspicious activities in your logs:

Available Databases

To see a list of databases that are available for analysis in Panther, please see Backend.

Troubleshooting Data Analytics

Visit the Panther Knowledge Base to view articles about analyzing data that answer frequently asked questions and help you resolve common errors and issues.