Indicator Search

Use Indicator Search in Panther to run investigations on common indicators across data sources

Overview

Indicator Search lets you quickly search across your ingested data for common indicators, Panther’s standardized Indicator Fields, without writing SQL.
You can also use Indicator Search's Simple Search functionality to search for any field key/value pair, across all your various log sources. With Simple Search, only matches from log sources containing the exact field name searched will be returned.
Access to the Indicator Search can be limited through the Role-Based Access Control system.

Indicator Search overview
  1. In the left-hand navigation bar of your Panther Console, click Investigate > Indicator Search.
  2. In the Filter dropdown, choose the set of data you'd like to search over:
     • All Data
     • Specific Data (Faster)
  3. Copy and paste indicator(s) into the search field.
     • The search will find all connected events associated with the indicators in the specified time range.
     • You can mix types of indicators (e.g., IP addresses, domain names, ARNs, file hashes). If you enter multiple indicators or indicator types, the search will execute with an OR condition - for example, indicator 1 OR indicator 2.
  4. If you chose the Specific Data (Faster) option in the Filter dropdown, enter values for the following fields:
     1. Search Specific Databases (optional): Select one or more databases your search will be limited to.
     2. Search Specific Tables (optional): Select one or more tables your search will be limited to.
  5. Choose a Field to search. Learn more about the Field selector below.
  6. Select a time range.
  7. Click the magnifying glass icon to search.
     The image shows the full results page after performing an Indicator Search.
A timeline histogram shows the concentration of events over the specified time interval.
You can drill down into specific events by pivoting into the Data Explorer with prebuilt SQL queries. Find additional indicators in the Data Explorer and perform another search to gain additional context about the attack.
Continue to pivot through your data to map the entire attacker footprint.

Field selection

The Indicator Search includes a Field selector, where you can choose the log field containing the indicator you're searching for.
The Indicator Search page is shown, which contains the following fields: a text field to enter the indicators to search for, and a "Field" selector where you pick the type of data, e.g. Auto Detect Type, Simple Search, Aws Account Ids, etc.

Auto Detect Type

Auto Detect Type is the default value for the Field selector. If Auto Detect Type is used, the structure of the indicators entered will be analyzed for type identification (to decipher that they're, for example, IP addresses or AWS ARNs), and the corresponding p_any_ field will be searched. If the indicators do not have a structure that makes their type identifiable (e.g., usernames), then all fields that could match will be searched.
If you are searching for indicators that span multiple field types (say for a domain name and an ARN), Auto Detect Type must be used.
When searching for indicators that do not have a unique structure, such as usernames, it's more efficient to choose the relevant type from the Field dropdown than to use Auto Detect Type. By picking the specific type, Panther's search is limited to the associated p_any_ field, rather than searching all fields that could match.
Another Field option is Simple Search. Simple Search lets you search for any field name and value pair (beyond the standardized Indicator Fields), across all logs. When using Simple Search, the format of the search input must be <attribute path>='<attribute value>'. All logs with <attribute path> will be searched for <attribute value>.
Fields you might search with Simple Search, however, have not been mapped to corresponding fields (with different syntax) in different log sources—meaning only matches from log sources containing the exact field name searched will be returned. For example, if one of your log sources (log source A) has a field named best_skateboarders and another log source (log source B) has a field named best_skateboarders_ever and you search best_skateboarders='Tony Hawk', only log source A's events will be searched for instances of Tony Hawk.
A Simple Search is created when you pivot on a non-p_any_ JSON event field, as is shown in the example below. To learn more about which log field to pivot from, see Pivoting on a regular field vs. its p_any_ field.

Example

Take the following Data Explorer results, from which a quick Indicator Search was run:
From Data Explorer results, a quick Indicator Search was run on a field called actionName with a value of GET_ORGANIZATION_METRICS. A date range is set, and 344 hits were found. There is a link at the bottom that says View in Indicator Search.
Selecting View in Indicator Search brings you to Indicator Search, where you will see the following inputs:
On the Indicator Search page, in the indicator search field, is actionName='GET_ORGANIZATION_METRICS'. In the Field selector, Simple Search has been selected.

Drill Down

You can use the Indicator Search timeline histogram to switch from a more general view of the results to a more specific view. This makes it easy to instantly shift from an overview of events to a more detailed and granular view within the same dataset. This same histogram is available when viewing Search results.
A typical workflow looks like the following:
  1. Execute a search.
  2. In the results section, hover over the histogram bars to see the count of events for a specific period.
  3. Click a histogram bar to search for events over that specific time period.
     The image shows the Indicator Search results page. An arrow points at a bar in a histogram chart, and the time range of the result is circled by a dashed line.
  4. After clicking on the histogram bar, a new tab will open containing detailed results for the time period you selected. You can continue clicking on histogram bars in each new tab to drill down further.
     The image shows three separate screens where each subsequent search drills down further into the data.
  5. If you'd like to explore your Indicator Search results further, transfer the query to Data Explorer by clicking the share icon in any of the "Total Hits" tiles below the histogram chart, or scroll down below the histogram chart and click Open in Data Explorer.
     • The page will open with a pre-populated SQL query.
       The image shows Data Explorer with a SQL query in the New Query code box.

Pivoting

Indicator Search can also be accessed from the Events tab of an alert details page, or from Data Explorer results. This makes it easy to quickly pivot off a value in an event. Note that pivoting off a p_any_ field will leverage the standardized Indicator Fields, while pivoting off a non-p_any_ field will create a Simple Search.
To access Indicator Search from the event JSON on an alert details page or in Data Explorer results:
  1. Hover over any field value in the JSON and click the search icon that appears:
     The image shows a magnifying glass icon circled next to an indicator.
  2. Select the date range you would like to search against:
     The image shows a date range selected, and a blue search button next to the date range fields. The screen displays a message that says "Nothing searched yet."
  3. Click the magnifying glass icon to search.
     • The search will return hits of your searched value across all log types. You can investigate these events further by clicking on a tile, which will redirect you to the Data Explorer, or View in Indicator Search, which will redirect you to Indicator Search.
       Results from an Indicator Search initiated by a magnifying glass click are shown. Arrows point to a results tile as well as the View in Indicator Search link.

Pivoting on a regular field vs. its p_any_ field

As log events from a certain source are ingested, the values of the fields marked as indicators in its schema will be extracted into the corresponding p_any_ fields (as designated in the schema's indicators field). The original log field and the appended associated p_any_ field will then have the same value, visible in the event's JSON.
Take, for example, the below snippet of JSON from a log event associated with an alert. Notice how access_device.hostname and p_any_domain_names both have a value of DESKTOP-OG33GT1.
A snippet of JSON from a log event is shown, with fields like access_device (with sub fields like hostname and ip), application, auth_device, and p_any_domain_names
Pivoting on the lower p_any_domain_names field (by hovering over it, clicking the magnifying glass, then clicking View in Indicator Search) will result in a pre-populated Indicator Search with DESKTOP-OG33GT1 in the search bar and Auto Detect Type selected in the Field dropdown. Auto Detect Type will determine that DESKTOP-OG33GT1 is a domain name. Executing this search will scan the p_any_domain_names field of all logs, across sources, for DESKTOP-OG33GT1.
Indicator Search's input fields are shown. In the main search bar is DESKTOP-OG33GT1, and the Field dropdown has Auto Detect Type selected
Alternatively, pivoting on the original field, access_device.hostname (by hovering over it, clicking the magnifying glass, then clicking View in Indicator Search), will result in an Indicator Search using Simple Search. Executing this search will scan all logs containing an access_device.hostname field for DESKTOP-OG33GT1. Logs from other sources with fields that might contain hostname values, but that don't have the exact access_device.hostname syntax (say they, for example, use device.hostname), will not be searched for DESKTOP-OG33GT1, nor returned in the results set.
Indicator Search's input fields are shown. In the main search bar is access_device.hostname = 'DESKTOP-OG33GT1' and in the Field selector, Simple Search has been chosen
The Simple Search for DESKTOP-OG33GT1 is therefore limited in scope compared to the Auto Detect Type search leveraging Panther's Indicator Fields. For this reason, it's recommended to pivot on p_any_ fields when possible.
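The following Python is an added example, not code from Panther's documentation or product, that models the behaviour described in this section and in the Simple Search section above: a schema-driven copy of indicator values into p_any_ fields at ingestion, a simplified Auto Detect Type heuristic, an indicator search in which several indicators combine with OR, and a Simple Search that only considers events carrying the exact attribute path. The sample events, the log type names, the flattened schema indicator mapping, and the p_any_ field names other than p_any_domain_names are assumptions for illustration; the type-detection rules are a simplification and are not Panther's own logic.

```python
import ipaddress
import re
from typing import Any, Optional

# Constructed sample events (not real Panther data) from two hypothetical log types.
# The Duo-like source nests the host name under access_device.hostname; the EDR-like
# source carries the same kind of value under device.hostname instead.
RAW_EVENTS = [
    {"p_log_type": "Duo.Authentication", "user": "alice",
     "access_device": {"hostname": "DESKTOP-OG33GT1", "ip": "10.1.2.3"}},
    {"p_log_type": "Duo.Authentication", "user": "bob",
     "access_device": {"hostname": "LAPTOP-77", "ip": "10.1.2.4"}},
    {"p_log_type": "Custom.EDR", "user": "alice",
     "device": {"hostname": "DESKTOP-OG33GT1"}},
]

# Assumed, flattened view of each schema's indicator declarations:
# log field path -> the p_any_ field its value is copied into at ingestion.
SCHEMA_INDICATORS = {
    "Duo.Authentication": {
        "access_device.hostname": "p_any_domain_names",
        "access_device.ip": "p_any_ip_addresses",
        "user": "p_any_usernames",
    },
    "Custom.EDR": {"device.hostname": "p_any_domain_names"},
}

# p_any_ fields consulted when an indicator's type cannot be inferred from its shape.
CANDIDATE_FIELDS = ("p_any_aws_arns", "p_any_ip_addresses", "p_any_domain_names", "p_any_usernames")

_MISSING = object()


def get_path(event: dict, path: str) -> Any:
    """Walk a dotted attribute path; return _MISSING when any segment is absent."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return _MISSING
        cur = cur[part]
    return cur


def enrich(event: dict) -> dict:
    """Model ingestion: append p_any_ fields holding the schema-declared indicator values."""
    out = dict(event)
    for path, p_any in SCHEMA_INDICATORS.get(event.get("p_log_type"), {}).items():
        value = get_path(event, path)
        if value is _MISSING:
            continue
        bucket = out[p_any] = list(out.get(p_any, []))
        if value not in bucket:
            bucket.append(value)
    return out


_ARN = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:.+$")
_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def detect_indicator_type(indicator: str) -> Optional[str]:
    """Simplified Auto Detect Type (assumed rules): map an indicator's shape to one p_any_ field.
    Returns None for values with no identifying structure (e.g. a bare username)."""
    if _ARN.match(indicator):
        return "p_any_aws_arns"
    try:
        ipaddress.ip_address(indicator)
        return "p_any_ip_addresses"
    except ValueError:
        pass
    # Treat labels containing a dot or hyphen as host/domain names; plain words stay untyped.
    if _HOSTNAME.match(indicator) and ("." in indicator or "-" in indicator):
        return "p_any_domain_names"
    return None


def indicator_search(events: list, indicators: list) -> list:
    """Auto Detect Type search over p_any_ fields; several indicators combine with OR."""
    hits = []
    for event in events:
        for ind in indicators:
            p_any = detect_indicator_type(ind)
            fields = (p_any,) if p_any else CANDIDATE_FIELDS
            if any(ind in event.get(f, []) for f in fields):
                hits.append(event)
                break  # one matching indicator is enough (OR semantics)
    return hits


_SIMPLE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*'([^']*)'\s*$")


def parse_simple_search(query: str) -> tuple:
    """Parse the Simple Search form <attribute path>='<attribute value>'."""
    m = _SIMPLE.match(query)
    if not m:
        raise ValueError("expected <attribute path>='<attribute value>'")
    return m.group(1), m.group(2)


def simple_search(events: list, query: str) -> list:
    """Simple Search: only events carrying the exact attribute path are candidates."""
    path, value = parse_simple_search(query)
    return [e for e in events
            if (found := get_path(e, path)) is not _MISSING and str(found) == value]


if __name__ == "__main__":
    events = [enrich(e) for e in RAW_EVENTS]
    print("p_any_ pivot hits:", len(indicator_search(events, ["DESKTOP-OG33GT1"])))
    print("Simple Search hits:", len(simple_search(events, "access_device.hostname='DESKTOP-OG33GT1'")))
```

Running the script shows the difference the section describes: the p_any_domain_names pivot finds DESKTOP-OG33GT1 in both log types, while the Simple Search on access_device.hostname only finds the Duo-like event, because the EDR-like event stores the host name under device.hostname.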