Links

Query Builder (Beta)

Search normalized Panther data with minimal or no SQL

Overview

The Query Builder is in open beta as of 1.51. Please share any bug reports and feature requests with your account team.
The Query Builder allows you to conduct searches and investigations in your Panther data without extensive SQL knowledge, making it an efficient alternative to using the Data Explorer to perform common queries. You can save time, widen the audience using Panther, and develop professionally with helpful tools. The Query Builder complements the Data Explorer and your security data lake backend by generating SQL queries you can use elsewhere as well.

How to use Query Builder in Panther

Query Builder Considerations

When building a search with the Query Builder, consider the following:
  • You can only search one table at a time. If you need to search across multiple tables, we recommend using Indicator Search or Data Explorer instead.
  • When adding multiple filters, the operational logic is AND.
    • OR filters are not currently supported.
  • Query Builder searches cannot be saved or loaded. They can, however, be accessed from the Query History.

Step 1: Access the Query Builder

  1. 1.
    Log in to your Panther Console.
  2. 2.
    In the left sidebar, click Investigate > Query Builder.
The Query Builder in Panther has selectors for date range, searching, and filters.

Step 2: Apply filters

Use the available filters to build a query:
  • Date and time range
    • By default, the time range is set to the last 24 hours.
  • Database and Table
    • Select your data source using these drop-down menus. By default, the Database is set to panther_logs.public which includes all log data stored in the Panther data lake. You can type in the field to search values.
  • Filter conditions
    • To add filter conditions, click Add New on the right side of the Filters tile.
    • Multiple filters are joined by an AND clause. Query Builder does not support OR conditions.
    • You can filter fields using a variety of operators for each data type. For a complete list of operators and functions, refer to Query Builder Filter Operators.
    • JSON Object paths:
      • To filter by JSON object paths instead of fields, click Enter Nested JSON Object Path and type or copy the path you want to filter.
      • Nested JSON Object filters are not data type specific. Pick the operator from the data type that matches the values in the object.
        • To revert to a field selection, click on Use Field List.
After you have added a date, database, table, and filters, use the Limit results to drop-down to limit how many records are returned when the search is executed. Limiting the query will return results faster.
Panther limits the size of results to 50 by default.
  • After you have defined the parameters of your query, click Search to execute.
When a query is being executed, you can click Cancel to cancel the search and start over.

Copy as SQL

Optionally, you can copy the defined search as SQL to use in Data Explorer or any other external application for further analysis.
  1. 1.
    At the bottom of the query, click Copy as SQL.
    • This will copy the SQL code to your clipboard. You can then paste the code into Data Explorer or any other external application for further analysis.
  2. 2.
    Paste the code into Data Explorer or other applications to analyze further.
SELECT
p_event_time as p_timeline,
*
FROM
panther_logs.public.aws_alb
WHERE
(type = 'https' AND clientPort = 45705) AND p_occurs_between('2023-01-16 20:22:56Z','2023-01-17 20:22:56.219Z')
ORDER by p_event_time ASC
LIMIT 50

Work with Query Builder results

Query Builder and Data Explorer share a common results table and all the associated functionality.
  • You can filter Query Builder results by following the instructions in the Data Explorer documentation under "Filter Data Explorer results."
  • You can summarize Query Builder results by following the instructions in the Data Explorer documentation under "Summarize Column Data."

Query Builder Examples

Show VPCFlow log activity for an IP address

During an investigation, often particular IP addresses are identified as being of interest (e.g., a known command and control node). Once the role of an IP address is identified, isolating and explaining that activity helps indicate which resources are likely to be compromised.
  1. 1.
    Select a date range.
  2. 2.
    Select the database and table (aws_vpcflow).
  3. 3.
    Add a filter to search data relating to a specific IP address.
    • Field: p_any_ip_addresses
    • Operator: has
    • Value: Enter the IP address.

Find all console "root" sign-ins in CloudTrail

The root account should seldom sign into the AWS console; find all such sign-ins using Query Builder.
  1. 1.
    Select a date range.
  2. 2.
    Select the database and table (aws_cloudtrail).
  3. 3.
    Add filters to search event types and user ARN relating to root sign-ins.
    • Filter 1:
      • Field: eventType
      • Operator: is
      • Value: AwsConsoleSignin
    • Filter 2:
      • Field: useridentity.arn
      • Operator: like
      • Value: root

Reference