Data Explorer SQL Search Examples

Overview

These examples demonstrate how to use Data Explorer in the Panther Console to investigate and answer questions using the data within your Security Data Lake.

For examples on syntax and correct use of statements for Snowflake environments, please see the Snowflake documentation: SQL Command Reference and Querying semi-structured data.

The examples on this page apply to all log types, while the sub-pages contain examples that apply to specific log types:

• VPC Flow logs

• CloudTrail logs

• GuardDuty logs

• S3 Access logs

• NGINX and ALB Access logs

• GitHub Audit logs

Considerations

All queries should control the result size. This can be done with a LIMIT or GROUP BY clause.

Did this IP address have any activity in my network (and in what logs)?

This is often one of the first questions asked in an investigation. Given there is some known bad indicator such as an IP address, then if there is related activity in your network/systems, a detailed investigation will be needed.

Snowflake's contains method can be a partial match for the data, and Snowflake's array_contains method requires an exact match for the data in question.

In the example below, the Panther field p_any_ip_addresses is used. Panther extracts a number of common indicator fields over all data sources into standard fields (see Panther Fields).

What are the top 10 IPs by row count over all logs?

Ranking activity (top or bottom) is a useful technique to gain visibility into a network. High ranking activity might help locate IP addresses involved in a DDOS attack while low ranking (change ORDER BY to ASC) might highlight sneaky activity.

What are the top 10 IPs by log type over all logs?

This is a variant of the above query where we are ranking the IPs by how many data sources they show activity. This shows the degree of "reach" the IP address has over all your systems.