Search

Construct a data query without writing SQL

Overview

OR filter functionality, filter grouping, and IoC searching are in open beta starting with Panther version 1.97, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.

In the Search tool in Panther, you can search across all of your data—including log events, rule matches, and more—without writing SQL. Use dropdown fields to create filter expressions, and group them using AND and OR functionality.

Filter expressions can be constructed in different ways: as key/value pairs, a free text search, or a regular expression search. Each of these can also use wildcard characters. You can combine different types of filter expressions in one search.

When a search is run, a results table is displayed below a histogram visualizing the distribution of result events over time. The results table is customizable—you can add or remove event fields as columns. Also from the results table, you can add inclusive/exclusive filters to your search, pivot, and look up related enrichment data. You can collaborate with your team by downloading the results table, or sharing a link to your specific search in Panther.

Search is only available to customers with a Snowflake data lake. It is not available to Panther instances with an Athena data lake.

How to use Search

You can effectively search your data using a combination of filters. Start by making selections in the database, table, and date range filters—then create your own filter expressions.

Using database, table, and date range filters

Use the database, table, and date range filters to narrow the scope of your search. Using these controls is optional, but can significantly improve search performance when searching over large data sets. Learn more about each of these filters below.

Database filter

Use the database filter to narrow your search to certain databases, such as only Logs or Rule Matches.

The default value of this filter is Logs. The options contained in the database filter are:

Rule Matches
Logs
Lookups
Monitor
Cloud Security
Rule Errors

Table filter

Use the table filter to narrow your search to certain tables, within the databases indicated by the database filter.

The default value of this filter is All tables, which includes all tables for each included database. You can narrow the search by selecting only certain tables in this dropdown.

Date range filter

Use the date range filter to narrow your search to a certain period of time.

The default value of this filter is Last 20 mins. You can use the date range picker to set a custom date and time range, or select one of the preset relative options on the left-hand side.

Creating filter expressions

A filter expression is a clause containing your key/value search logic, free search terms, or match patterns. To create filter expressions, click the Add search filter bar or use the command + / keyboard shortcut.

Key/value filter expression

With a key/value filter expression, you will select an event key and provide a value (if necessary).

To create a key/value filter expression:

Click the Add search filter bar, or press command+/.
Select an event key from the dropdown list. The dropdown menu contains options grouped into the following categories:
- Panther Fields: Includes Indicator Fields (also known as p_any fields), and Core Fields (p_udm fields), which are useful when searching across log types.
- Multiple tables: Fields that are found in more than one log type.
- All remaining tables with a matching field(s) are displayed in alphabetical order.
Select an operator (also known as a condition) from the dropdown menu.
- The dropdown options will be limited to those applicable to the selected field's data type.
- See a full list of available operators on Search Filter Operators.
Enter a value, if the selected operator requires one.
- Learn more about using the wildcard character below.
If you would like to create another filter expression:
- To create an AND filter, click outside the expression you just created (but within the same horizontal bar), or press TAB.
- To create an OR filter, click + Add OR Condition.
When you are ready to execute your search, click Search or press ENTER.
- If there are more than two rows, they will collapse. To expand all filters into view, click Show +n conditions.

You can also quickly create key/value filter expressions from the results set of an initial search.

Free text filter expression

In a free text filter expression, you will enter a string.

Free text filter expressions search every field in every event (within the database, table, and date constraints), including fields nested in complex objects.

To increase search performance, select a subset of tables to search.

To create a free text filter expression:

Click the Add search filter bar, or press command+/.
Enter the text value.
- Learn more about using the wildcard character below.
If you would like to create another filter expression:
- To create an AND filter, click outside the expression you just created (but within the same horizontal bar), or press TAB.
- To create an OR filter, click + Add OR Condition.
When you are ready to execute your search, click Search or press ENTER.
- If there are more than two rows, they will collapse. To expand all filters into view, click Show +n conditions.

Regular expression (regex) filter expression

Using regex in Search can be powerful for dynamic text-based searches across logs. Search supports POSIX-extended regular expressions.

To create a regex filter expression:

Click the Add search filter bar, or press command+/.
Press command+/ to enter into regex mode.
- To exit regex mode, you can press command+/ again.
Enter the regular expression you wish to search, e.g., .*aws:.*admin.*.
- Learn more about using the wildcard character below.
If you would like to create another filter expression:
- To create an AND filter, click outside the expression you just created (but within the same horizontal bar), or press TAB.
- To create an OR filter, click + Add OR Condition.
When you are ready to execute your search, click Search or press ENTER.
- If there are more than two rows, they will collapse. To expand all filters into view, click Show +n conditions.

Using wildcards in filter expressions

The wildcard character (*) may be used as a placeholder at the beginning, middle, or end of a string or expression. The wildcard character may be used within a key/value filter expression (only where the key has type: string and the operator is LIKE), free text filter expression, or regex filter expression.

The position of the wildcard character determines which data is returned as a match:

Beginning: Any character(s) at or preceding the * are considered a match.
Middle: Any character(s) at the * are considered a match.
End: Any character(s) at or following the * are considered a match.

Searching Indicators of Compromise

When responding to a public breach disclosure or threat hunting generally, you may need to quickly find out whether any values in a list of Indicators of Compromise (IoCs) are found across any of your organization's event logs.

To search IoCs in Search:

Make database, table, and date range filter selections.
Click the Add search filter bar, or press command+/.
Type or paste in the indicator or list of indicators.
From the dropdown options that appear, select the (auto-detect) option.
- Search parses the inputted string where there are spaces, commas, and semicolons—then detects whether each value matches a Panther Indictor Field. For each detected indicator field, Search creates a key/value filter expression. Other values remain as free text expressions.
- Each filter expression is joined by an OR.
Click Search or press ENTER.

Video walkthrough

Creating a Saved Search

Creating a Saved Search means you can quickly reuse commonly run searches. Learn more on Saved and Scheduled Searches.

To create a Saved Search:

Create a search by following the instructions in How to use Search.
Under the Add search filter box, click Save As.
Enter values for the fields in the popup modal:
- Search Name: Add a descriptive name.
- Tags (optional): Add tags. Tags can be helpful to group related searches.
- Description (optional): Describe the purpose of the search.
Click Save Search.
- See the next section to learn how to open and reuse Saved Searches.

Open and reuse a Saved Search in the Search tool

After creating a Saved Search in the Search tool, you can view and reuse it. It can be opened from the Search page, or from the Saved Searches page.

Open a Saved Search from the Search page:

In the left-hand navigation bar of your Panther Console, click Investigate > Search.
In the upper right corner, click the three dots icon, then Open Saved Search.
- An Open a Search modal will pop up, displaying previously saved search.
Find the search you'd like to open, select it, then click Open Search.
- The Saved Search will populate in Search.

Analyzing Search results

The results of a Search contain a histogram, a table of result events, and summary visualizations.

Search results histogram

The results histogram displays the distribution of events within the search's date and time window, to help quickly contextualize results. To zoom in or out of a particular segment of time, click and drag the ends of the bar beneath the histogram.

Interacting with the histogram

To see additional data insights into the counts by log type for any of the time periods, hover over a bar within the chart.

To create a new search (in a new browser tab) with a time period set to that of one of the histogram bars, click the bar.

Adding, removing, and reordering fields in the results table

You can customize a search's results table by adding, removing, and reordering columns.

You can also create a new filter directly from the results table, replace filter expressions with a results table value, and explore enrichment data for a results table value.

How to add a column in the Search results table

You can add a column to the Search results table using the Available Fields list on the left-hand side of the table, or from the JSON event view.

It is only possible to add nested fields to the table from the JSON event view.

Add a column to the Search results table from the Available Fields list

In the field list on the left-hand side of the results table, within the Available Fields header, locate the column you'd like to add to the results table.
- Only top-level fields are shown in this list. If you'd like to add a nested field to the table, you can do so from the JSON event view.
To the right of the field, click + (the plus symbol).
- The field will be added as a column in the results table, and listed on the left-hand side of the table within Selected Fields.

How to remove a column in the Search results table

You can remove a column from the Search results table using the Selected Fields list on the left-hand side of the table, from the JSON event view, or from the table header row.

Remove a column from the Search results table from the Selected Fields list

In the field list on the left-hand side of the results table, within the Selected Fields header, locate the field you'd like to remove from the results table.
To the right of the field, click - (the minus symbol).
- The field's column will be removed from the results table, and listed on the left-hand side of the table within Available Fields.

How to reorder columns in the Search results table

Reorder the columns in the results table by clicking on a column header and dragging it to the desired position.

Search results summary charts

Within the results of a Search, the Summary tab displays bar charts for field values, which can help provide quick insights into your data. To view these charts, click Summary.

You can also create a filter directly from a summary chart, replace filters with a value from a summary chart, and explore enrichment data for a summary chart value.

How to add or remove summary charts

Add or remove visualizations for event fields using the Available Fields and Selected Fields lists on the left-hand side of the results panel. Adding or removing a field shows or hides the field both as a chart and as a column in the results table.

To add a visualization:

Within the Available Fields list, to the right of a field's name, click +.

To remove a visualization:

Within the Selected Fields list, to the right of a field's name, click –.

How to set the sort order of a chart

To sort results in ascending order (lowest to highest):

In the upper-right corner of a visualization, click the icon with an arrow pointing downward:

To sort results in descending order (highest to lowest):

In the upper-right corner of a visualization, click the icon with an arrow pointing upward:

How to expand or condense the number of values shown in a chart

To view the first 20 values in a visualization, in its lower-right corner, click Show More. To view only the first five values in a visualization, in its lower-right corner, click Show Less.

Iterating on a Search

Directly from the search results table, JSON event view, and summary charts, you can create inclusive/exclusive filters, replace filter expressions with a results value, and explore enrichment data.

How to create an inclusive or exclusive filter expression from results

How to create a filter expression from the results table

The same ability to create include or exclude filters is available from within the JSON event view, when hovering over a field.

In the results table, hover over the value you'd like to create an inclusive or exclusive filter expression for.
- To create an inclusive filter, click .
- To create an exclusive filter, click .
View the new filter expression in the search bar at the top of the window.
To refresh the search results, click Search.

How to replace filter expressions with a value from results

How to replace filter expressions with a value from the results table

In the results table, locate the event row of interest, and click it.
- The JSON event slide-out panel will be shown.
In the JSON event slide-out panel, hover over the field on which you'd like to pivot.
Click the replace icon .
- All existing filters are replaced with a filter expression representing only the key/value you pivoted on.
To refresh the search results, click Search.

How to explore enrichment data for a value from results

How to explore enrichment data for a value from the results table

In the results table, locate the event row of interest, and click it.
- The JSON event slide-out panel will be shown.
In the JSON event slide-out panel, hover over the value you'd like to explore enrichment data for.
Click the enrichment icon .
In the Lookup Enrichment pop-up modal, use the LOOKUP TABLE column to locate the row of the enrichment source you would like to explore, then click View JSON→.
- The enrichment entry will be shown.

How to explore enrichment data for a value from a summary chart

Within a summary chart, hover over a value for which you would like to explore enrichment data.
Click the enrichment icon .
In the Lookup Enrichment pop-up modal, use the LOOKUP TABLE column to locate the row of the enrichment source you would like to explore, then click View JSON→.
- The enrichment entry will be shown.

While investigating or threat hunting, it may be useful to share a Search or a results set with your team. To do this:

In the upper-right corner of the results table, click Share:
Select one of the menu options:
- Copy link to view: Copies a URL to this specific Search to your clipboard.
- Download CSV: Downloads a CSV of the results table.
  - Note that the downloaded CSV file contains only the first 1,000 results. To download the full results set, use Data Explorer. (You can click Copy as SQL in Search to quickly recreate it in Data Explorer.)