Investigations & Search

Using Panther's search tools to run queries and search your normalized log data

Overview

Panther's data analysis tools let you search normalized log data, signals, and more in your security data lake. You can search across logs without writing SQL using Search, or run more detailed investigations with SQL in Data Explorer.

As data is ingested into Panther, it is parsed and normalized, then stored in Snowflake. This is necessary for conducting investigations on historical data, as well as for writing rules, identifying baseline and anomalous behaviors, and generating analytics.

When determining which tool to use to search your data in Panther:

  • Panther AI is useful if you'd like to use natural language to search your data instead of SQL or PantherFlow.

  • Search is a good place to start if you have limited SQL knowledge, as it allows you to construct a query without SQL syntax. You can also execute PantherFlow in Search (and use Panther AI to generate PantherFlow queries).

  • Data Explorer is the best place to start if you're conducting a complex or highly customized search—for example, you'd like to join database tables or control which fields are returned by adding additional clauses.

Not sure where to start an investigation after receiving an alert in Panther? See Threat Hunting in Panther for inspiration.

Matches on rules (i.e., signals) are also stored in the data lake, as well as cloud security scanning data and rule errors.

Tools for data search and analysis in Panther

Panther AI

With Panther AI, you can use natural language to query your data lake.

See instructions in AI-powered PantherFlow query generation.

Search

In Search, you can construct a data query using low-code filter chips or PantherFlow. Search is a good tool to use if you prefer domain-specific query languages and/or low-code workflows to writing SQL.

Learn how to start investigating on Search.

Data Explorer

In Data Explorer, you can write and execute SQL queries to search across your data. You can also save and schedule searches, create templated searches for reuse, and more.

Get started with the Data Explorer documentation.

GraphQL API

You can execute queries against your data lake via the Panther GraphQL API.

See example queries on Data Lake Queries.

Panther's investigation and search features

In addition to Search and Data Explorer, Panther offers other features that allow you to quickly and efficiently search your data. Each is described below.

Standard Fields

Panther's log analysis applies normalization fields (IPs, domains, etc.) to all log records. These fields standardize attribute names across all data sources, enabling fast and easy data correlation. For more information, see Standard Fields.

Visualization and dashboards

In the Panther Console, create your own custom dashboards and/or use various Panther-managed visualizations. Learn more on Visualization and Dashboards.

Saved and Scheduled Searches

With Saved Searches, you can save, reuse, update, and delete searches you've created in Search, Data Explorer, or the CLI workflow. This means you don't need to rewrite or rebuild a query each time you want to run it.

Panther's Scheduled Searches are Saved Searches that have been configured to run on a schedule. They can be associated with Scheduled Rules, which let you use the rows returned by the search as the event input to the rule, instead of real-time "streaming" data. Each time a Scheduled Search runs, if a corresponding Scheduled Rule generates any matches, a signal (and optionally an alert) is created.

For more information, see Saved and Scheduled Searches.
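As an added example (not code from the Panther documentation), here is a Scheduled Rule in Panther's Python rule format that consumes rows returned by a Scheduled Search. The search and its column names (`actor`, `failed_count`, `distinct_ips`) are assumptions; match them to your query's SELECT list.

```python
"""Added example of a Panther Scheduled Rule (not from the Panther docs).

Each row returned by the associated Scheduled Search is passed to rule() as
`event` in place of a streamed log line. The search is assumed to aggregate
failed logins per actor and return the columns `actor`, `failed_count` and
`distinct_ips` (assumed names; match them to the query's SELECT list).
"""

FAILED_LOGIN_THRESHOLD = 20  # tune to the environment's baseline
DISTINCT_IP_THRESHOLD = 5


def _as_int(value, default=0):
    """Query results may arrive as strings or None; coerce defensively."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def rule(event):
    """Return True to create a signal (and optionally an alert) for this row."""
    # A row with no actor cannot be attributed, so it never alerts.
    if not event.get("actor"):
        return False
    failed = _as_int(event.get("failed_count"))
    ips = _as_int(event.get("distinct_ips"))
    # Alert on unusual volume or unusual source spread.
    return failed >= FAILED_LOGIN_THRESHOLD or ips >= DISTINCT_IP_THRESHOLD


def title(event):
    """Alert title shown in the Console."""
    return (
        f"{event.get('actor')} had {_as_int(event.get('failed_count'))} failed "
        f"logins from {_as_int(event.get('distinct_ips'))} IPs in the search window"
    )


def alert_context(event):
    """Carry the row's fields into the alert for the analyst."""
    return {
        "actor": event.get("actor"),
        "failed_count": _as_int(event.get("failed_count")),
        "distinct_ips": _as_int(event.get("distinct_ips")),
    }
```

Rows that lack the `actor` column or carry non-numeric counts are ignored rather than raising, so a schema drift in the query degrades to missed matches instead of a broken rule.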

Search History

The Search History page in the Panther Console displays the last 30 days of searches run in the Console. Clicking on the search name will direct you to Search or Data Explorer where you can see the results and rerun the search. You can also cancel a running search. For more information, see Search History.

Example searches

Panther offers common use cases and example searches you may want to run while investigating suspicious activities in your logs:

Available databases

For a list of databases that are available for analysis in Panther, see Data Lakes.

Troubleshooting Panther's search tools

Visit the Panther Knowledge Base to view articles about analyzing data that answer frequently asked questions and help you resolve common errors and issues.
