Investigations & Search

Using Panther's search tools to run queries and search your normalized log data

Overview

Panther's data analysis tools enable you to search collected and normalized log data in your security data lake. You can search across logs (and without SQL) using Search, or investigate robustly using SQL in Data Explorer.

As data is ingested into Panther, it is parsed and normalized, then stored in Snowflake. This is necessary for conducting investigations on historical data, as well as for writing rules, identifying baseline behaviors, and generating analytics.

Getting started searching your data in Panther

Determine where to start investigating

Your team has received an alert and it's time to investigate—but where should you start?

Search is a good place to start if you have limited SQL knowledge, as it allows you to construct a query without SQL syntax. After creating your search, you're able to copy the SQL command generated for analysis in Data Explorer or external applications.
Data Explorer is the best place to start if you're conducting a complex or highly customized search—for example, you'd like to join database tables or control which fields are returned by adding additional clauses.

Starting with Search

In Search, you can construct a data query using filters instead of SQL syntax. You'll be prompted to choose from dropdown selector fields to indicate which table you'd like to examine—from there, you can add filters to narrow your search to only, say, results where field_xyz is some_specific_value.

Find out how to build your first search in the Search documentation.

Starting with Data Explorer

In Data Explorer, you can write and execute SQL queries (with autocompletion) to search across your data, including log data, signals, and Panther's Standard Fields. You can also save and schedule searches, create templated searches for reuse, retrieve JSON rows to use as unit test events, download results in a CSV, and share the query and results with your team using a unique URL.

Use Data Explorer by navigating to its page in the Console directly, or by starting in Search, where you can copy the SQL generated from your search, then take it to Data Explorer.

Get started with the Data Explorer documentation.

Panther's investigation and search features

In addition to Search and Data Explorer, Panther offers other features that allow you to quickly and efficiently search your data. Expand the boxes below to learn more.

Standard Fields

Panther's log analysis applies normalization fields (IPs, domains, etc) to all log records. These fields standardize names for attributes across all data sources enabling fast and easy data correlation. For more information, see Standard Fields.

Saved and Scheduled Searches

With Saved Searches you can save, reuse, update, and delete searches you've created in Search, Data Explorer, or using the CLI workflow. This means you don't need to rewrite or rebuild a query over and over, each time you want to run it.

Panther's Scheduled Searches are Saved Searches that have been configured to run on a schedule. They can be associated to Scheduled Rules, which allows you to use the data returned from the search as event input to the rule, as opposed to streaming in real-time data. As a Scheduled Search runs, if a corresponding returns any hits, one or more Alerts will be generated from the data and dispatched accordingly.

For more information, see Saved and Scheduled Searches.

Search History

The Search History page displays the last 30 days of searches run in the Panther Console. Clicking on the search name will direct you to Search or Data Explorer where you can see the results and rerun the search. You can also cancel a running search. For more information, see Search History.

Example searches

Panther offers common use cases and example searches you may want to run while investigating suspicious activities in your logs:

Available databases

For a list of databases that are available for analysis in Panther, see Data Lakes.

Troubleshooting Panther's search tools

Visit the Panther Knowledge Base to view articles about analyzing data that answer frequently asked questions and help you resolve common errors and issues.

PreviousTech Partner Alert Destination Integrations NextSearch

Last updated 3 months ago

Was this helpful?