
Investigations & Search

Using Panther's search tools to run queries and search your normalized log data

Overview

Panther's data analysis tools enable you to search collected and normalized log data in your security data lake. You can quickly dig across log sources with Indicator Search, construct a search using Query Builder, or investigate robustly using SQL in Data Explorer.
As data is ingested into Panther, it is parsed and normalized, then stored in Snowflake. This is necessary for conducting investigations on historical data, as well as for writing rules, identifying baseline behaviors, and generating analytics.

Getting started searching your data in Panther

Determine where to start investigating

Your team has received an alert and it's time to investigate—but where should you start?
  • Indicator Search is the best place to start investigating if your search includes Panther's common indicators, or if you'd like to run a simple field name/value search across all log sources.
  • Query Builder is a good place to start if you have limited SQL knowledge, as it allows you to construct a query without SQL syntax. After creating your query, you're able to copy the SQL command generated for analysis in Data Explorer or external applications.
  • Data Explorer is the best place to start if you're conducting a complex or highly customized search—for example, you'd like to join database tables or control which fields are returned by adding additional clauses.
Starting with Indicator Search

Indicator Search runs quick investigations on Panther's standardized Indicator fields across all logs Panther monitors; its Simple Search mode also supports simple field name/value searches across all logs.
With Indicator Search, you can answer common questions about suspicious activity without writing SQL, and view results in a simple visualization. Indicator Search also includes features that allow you to quickly drill down into a more granular view of the data, as well as pivot off any JSON event field.
See the instructions or overview video on Indicator Search to get started.

Starting with Query Builder

In Query Builder, you can construct a data query using filters instead of SQL syntax. You'll be prompted to choose from dropdown selector fields to indicate which table you'd like to examine—from there, you can add filters to narrow your search to only, say, results where field_xyz is some_specific_value.
Find out how to build your first query in the Query Builder documentation.

Starting with Data Explorer

In Data Explorer, you can write and execute SQL queries (with autocompletion) to search across your data, including log data, rule matches, and Panther's Standard Fields. You can also save and schedule queries, retrieve JSON rows to use as unit test events, download results in a CSV, and share the query and results with your team using a unique URL.
You can use Data Explorer by navigating there directly, or by starting in Indicator Search, where you are given the option to Open in Data Explorer, or in Query Builder, where you can copy your generated SQL, then take it to Data Explorer.
See the Data Explorer documentation to get started.

Panther's investigation and search features

In addition to Query Builder, Indicator Search, and Data Explorer, Panther offers other features that allow you to quickly and efficiently search your data. Each is described below.
Standard Fields
Panther's log analysis applies normalization fields (IPs, domains, etc.) to all log records. These fields standardize attribute names across all data sources, enabling fast and easy data correlation. For more information, see Standard Fields.
Saved and Scheduled Queries
With Saved Queries you can save, reuse, update, and delete SQL queries you've created in Data Explorer, Query Builder, or using the developer workflow. This means you don't need to rewrite or rebuild a query over and over, each time you want to run it.
Panther's Scheduled Queries are Saved Queries that have been configured to run on a schedule. They can be associated with Scheduled Rules, which lets you use the rows returned by the query as event input to the rule instead of real-time streaming data. Each time a Scheduled Query runs, if the corresponding Scheduled Rule returns any hits, one or more Alerts are generated from the data and dispatched accordingly.
For more information, see Saved and Scheduled Queries.
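The pairing described above, as an added example that is not Panther's own code: a Scheduled Query that aggregates failed AWS console logins per user, and a Scheduled Rule whose `rule`, `title`, `severity`, and `dedup` functions receive each returned row as the event. The table name `panther_logs.public.aws_cloudtrail`, the CloudTrail column paths, the threshold, and the sample rows are assumptions constructed for illustration.

```python
from typing import Any, Dict, List

# Scheduled Query (Snowflake SQL, assumed schema). Saved in Data Explorer and run
# on a schedule; every row it returns becomes one `event` for the rule below.
SCHEDULED_QUERY = """
SELECT
    useridentity:userName::string AS user_name,
    COUNT(*)                      AS failed_logins,
    MIN(p_event_time)             AS first_seen,
    MAX(p_event_time)             AS last_seen
FROM panther_logs.public.aws_cloudtrail
WHERE eventName = 'ConsoleLogin'
  AND responseElements:ConsoleLogin::string = 'Failure'
  AND p_event_time >= DATEADD(hour, -1, CURRENT_TIMESTAMP())
GROUP BY 1
"""

FAILED_LOGIN_THRESHOLD = 10  # invented threshold for this example


def rule(event: Dict[str, Any]) -> bool:
    # `event` is one query row; the SELECT column aliases are the keys.
    return event.get("failed_logins", 0) >= FAILED_LOGIN_THRESHOLD


def title(event: Dict[str, Any]) -> str:
    return (f"{event.get('failed_logins')} failed console logins for "
            f"{event.get('user_name')} in the last hour")


def severity(event: Dict[str, Any]) -> str:
    # Escalate large bursts; Panther uses the returned string as alert severity.
    burst = event.get("failed_logins", 0) >= 3 * FAILED_LOGIN_THRESHOLD
    return "HIGH" if burst else "MEDIUM"


def dedup(event: Dict[str, Any]) -> str:
    # Group alerts per user so repeated scheduled runs extend one alert.
    return f"failed-console-login:{event.get('user_name')}"


def evaluate_rows(rows: List[Dict[str, Any]]) -> List[str]:
    """Local harness standing in for Panther: titles of rows that would alert."""
    return [title(row) for row in rows if rule(row)]


# Constructed sample query output (not real data); dicts stand in for the
# event object Panther passes, which also exposes .get().
SAMPLE_ROWS = [
    {"user_name": "alice", "failed_logins": 2},
    {"user_name": "bob", "failed_logins": 12},
    {"user_name": "svc-backup", "failed_logins": 40},
]
```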
Query History
The Query History page displays the last 30 days of SQL queries run through the Panther Console. Clicking a query name opens it in Data Explorer, where you can see the results and rerun the query. You can also cancel a running query. For more information, see Query History.

Example queries

Panther offers common use cases and example queries you may want to run while investigating suspicious activities in your logs:

Available databases

For a list of databases that are available for analysis in Panther, see Data Lakes.

Troubleshooting Panther's search tools

Visit the Panther Knowledge Base to view articles about analyzing data that answer frequently asked questions and help you resolve common errors and issues.