Indicator Search

Use Indicator Search in Panther to run investigations on common indicators across data sources

Overview

Use Indicator Search to run quick investigations on common indicators across various data sources. Indicator Search removes the need to write SQL to answer common questions about suspicious activity and presents results in a simple visualization.
Access to the Indicator Search can be limited through the Role-Based Access Control system.

Indicator Search overview
  1. Log into the Panther Console and click Investigate > Indicator Search.
  2. Copy and paste indicator(s) into the search field.
    • The search will find all connected events associated with the indicators in the specified time range.
    • You can mix types of indicators (e.g., IP addresses, domain names, ARNs, file hashes). If you enter multiple indicators or indicator types, the search will execute with an OR condition - for example, indicator 1 OR indicator 2.
  3. Select a time range.
  4. Click the magnifying glass icon to search.
    The image shows the full results page after performing an Indicator Search.
A timeline histogram shows the concentration of events over the specified time interval.
You can drill down into specific events by pivoting into the Data Explorer with prebuilt SQL queries. Find additional indicators in the Data Explorer and perform another search to gain additional context about the attack.
Continue to pivot through your data to map the entire attacker footprint.

Drill Down

You can use the Indicator Search timeline histogram to switch from a more general view of the results to a more specific view. This makes it easy to instantly shift from an overview of events to a more detailed and granular view within the same dataset.
A typical workflow looks like the following:
  1. Search for an indicator.
  2. Click on any of the histogram bars to search for events in a specific period.
    The image shows the Indicator Search results page. An arrow points at a bar in a histogram chart, and the time range of the result is circled by a dashed line.
  3. After clicking on the histogram bar, a new Indicator Search tab will open containing detailed results for the time period you selected. Click on the histogram bars in each new tab to continue drilling down.
    The image shows three separate screens where each subsequent search drills down further into the data.
  4. To explore the query further in Data Explorer, click the share icon in any of the "Total Hits" tiles below the histogram chart, or scroll down below the histogram chart and click Open in Data Explorer.
    • The page will open with a prepopulated SQL query.
      The image shows Data Explorer with a SQL query in the New Query code box.
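The search semantics described in the overview (mixed indicator types combined with OR over a time range) and the histogram drill-down above, reduced to a small added example. This is illustrative code written for this page, not Panther's implementation; the event records, log type names and indicator values are constructed sample data.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not real Panther data). Each event carries its
# time, its log type, and the indicators already extracted from it.
EVENTS = [
    {"time": "2024-05-01T10:05:00", "log": "AWS.CloudTrail",
     "indicators": {"203.0.113.7", "arn:aws:iam::123456789012:user/alice"}},
    {"time": "2024-05-01T10:40:00", "log": "AWS.VPCFlow",
     "indicators": {"203.0.113.7", "198.51.100.2"}},
    {"time": "2024-05-01T11:15:00", "log": "Okta.SystemLog",
     "indicators": {"example.test", "198.51.100.9"}},
    {"time": "2024-05-01T13:30:00", "log": "AWS.CloudTrail",
     "indicators": {"arn:aws:iam::123456789012:user/alice"}},
    {"time": "2024-05-02T09:00:00", "log": "Okta.SystemLog",
     "indicators": {"example.test"}},
]
START = datetime(2024, 5, 1)   # search window start (inclusive)
END = datetime(2024, 5, 3)     # search window end (exclusive)


def indicator_search(events, indicators, start, end):
    """Events in [start, end) containing ANY of the pasted indicators (OR semantics).
    Indicator types may be mixed: IPs, domains, ARNs and hashes are just strings here."""
    wanted = {i.strip() for i in indicators if i.strip()}
    return [e for e in events
            if start <= datetime.fromisoformat(e["time"]) < end
            and e["indicators"] & wanted]


def histogram(hits, start, end, buckets):
    """Hit count per equal-width time bucket: list of (bucket_start, count)."""
    width = (end - start) / buckets
    counts = Counter(int((datetime.fromisoformat(e["time"]) - start) / width) for e in hits)
    return [(start + i * width, counts[i]) for i in range(buckets)]


def drill_down(events, indicators, bucket_start, width):
    """Clicking a bar: the same search re-run over that bar's narrower window."""
    return indicator_search(events, indicators, bucket_start, bucket_start + width)


def hits_by_log_type(hits):
    """The per-log-type 'Total Hits' tiles shown below the chart."""
    return Counter(e["log"] for e in hits)


if __name__ == "__main__":
    hits = indicator_search(EVENTS, ["203.0.113.7", "example.test"], START, END)
    for bucket_start, count in histogram(hits, START, END, 4):
        print(bucket_start.isoformat(), count)
    print(dict(hits_by_log_type(hits)))
```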

Pivoting

Indicator Search can also be accessed via the "Events" tab of an alert details page. This makes it easy to quickly pivot off a value in an event.
To access Indicator Search from the JSON view of an alert details page:
  1. Hover over any field value in the JSON and click the search icon that appears:
    The image shows a magnifying glass icon circled next to an indicator.
  2. Select the date range you would like to search against:
    The image shows a date range selected, and a blue search button next to the date range fields. The screen displays a message that says "Nothing searched yet."
  3. The search will return hits of that value across different log types. You can investigate these events further by clicking on the tile, which will redirect you to the Data Explorer section in your Panther account.