Saved and Scheduled Searches
Save and optionally schedule searches
Last updated
Was this helpful?
Save and optionally schedule searches
Last updated
Was this helpful?
You can avoid repeatedly creating the same searches in Panther's and by saving your searches. You can also schedule searches created in Data Explorer, which allows you to then run results against a rule and alert on matches. This workflow includes the following features:
, a preserved search expression.
, a Saved Search that you can schedule to run on a designated interval.
, a detection that's associated with a Scheduled Search. The data returned each time the search executes is run against the detection, alerting when matches are found.
By default, each Panther account is limited to 10 active Scheduled Searches. This limit is only precautionary, and can be increased via a support request. There is no additional cost from Panther for raising this limit, however you may incur extra charges from the database backend, depending on the volume of data processed.
A Saved Search is a preserved search expression. Saving the searches your team runs frequently can help reduce duplicated work. You can create Saved Searches (in either Search or Data Explorer), or .
You can also add variables in your Saved Searches, creating Templated Queries. Learn more on .
A Scheduled Search is a Saved Search that has been configured to run on a schedule. Using the Panther Console, currently only —Saved Searches created in Search (including those created in both SQL and ) cannot be scheduled. You can alternatively .
Panther's Scheduled Search crontab uses the standard crontab notation consisting of five fields: minutes, hours, day of month, month, day of week. Additionally, you will find a search timeout selector (with a maximum value currently set at 10 minutes). The expression will run on UTC.
The interpreter uses a subset of the standard crontab notation:
If you want to specify day by day, you can separate days with dashes (1-5 is Monday through Friday) or commas, for example 0,1,4 in the Day of Week field will execute the command only on Sundays, Mondays and Thursdays. Currently, we do not support using named days of the week or month names.
Using the crontab allows you to be more specific in your schedule than the Period frequency option:
You can delete Saved Searches individually or in bulk. Note that if a Saved Search is scheduled (i.e., it's a Scheduled Search), it must be unlinked from any Scheduled Rules it's associated to in order to be deleted.
In the left-hand navigation bar of your Panther Console, click Investigate > Saved Searches.
In the list of Saved Searches, find the search or searches you'd like to download or delete. Check the box to the left of the name of each search.
If you clicked Download, a saved_queries.zip file will be downloaded.
In the left-hand navigation bar of your Panther Console, click Investigate > Saved Searches.
In the dropdown menu, click Edit Search Metadata.
Click Update Query to save your changes.
To edit a Saved Search's name, tags, description, and default database (and, for Scheduled Searches, whether it's active, and the period or cron expression):
In the left-hand navigation bar of your Panther Console, click Investigate > Saved Searches.
In the dropdown menu, click Edit Search Metadata.
Make changes in the Update Search form as needed.
Click Update Search.
On the Saved Searches page, you can search for queries using:
The search bar at the top of the queries list
The date range selector in the upper right corner
The Filters option in the upper right corner
Filter by whether the query is scheduled, whether its active, its type (Native SQL, Search, or PantherFlow Search), or by up to 100 tags.
Click on the name of the Saved Search to be taken directly to Data Explorer (for Native SQL queries) or Search (for Search and PantherFlow Search searches) with the query populated.
LIMITs in Scheduled SearchesIn the Panther Data Lake settings page, you can optionally enable a setting that will check if a Scheduled Search has a LIMIT clause specified. Use this option if you're concerned about a Scheduled Search unintentionally returning thousands of results, potentially resulting in alert delays, Denial of Service (DoS) for downstream systems and general cleanup overhead from poorly tuned queries.
Click the Data Lake tab.
When this field is set to ON, any new Scheduled Searches marked as active cannot be saved unless a LIMIT clause is specified in the query definition.
Existing Scheduled Searches without a LIMIT clause will appear with a warning message in the list of Saved Searches, and edits cannot be saved unless a LIMIT clause is included.
The setting only checks for the existence of a LIMIT clause anywhere in the Saved Search. It does not check specifically for outer LIMIT clauses.
You can export a .zip file of all of the detections and Scheduled Searches in your Panther Console:
In the left-hand navigation bar of your Panther Console, click Detections.
In the upper-right corner, click Upload.
In the Bulk Uploader modal, click Download all entities.
Required fields are in bold.
A complete list of Saved Search specification fields:
AnalysisType
Indicates whether this analysis is a Rule, Policy, Scheduled Search, Saved Search, or global.
saved_query
QueryName
A friendly name to show in the UI.
String
Tags
Tags used to categorize this rule.
List of strings
Description
A brief description of the rule.
String
Query
String
Required fields are in bold.
A complete list of Scheduled Search specification fields:
AnalysisType
Indicates whether this analysis is a Rule, Policy, Scheduled Search, Saved Search, or global.
scheduled_query
QueryName
A friendly name to show in the UI.
String
Enabled
Whether this rule is enabled.
Boolean
Tags
Tags used to categorize this rule.
List of strings
Description
A brief description of the rule.
String
Query
A data query.
String
Schedule
The schedule that this query should run. Expressed with a CronExpression or in Rate Minutes. TimeoutMinutes is required to release the query if it takes longer than expected. Note that cron and rate minutes are mutually exclusive.
Map
<api-token> : The you generated.
When your Saved Search is uploaded, each of the fields you would normally populate in the Panther Console will be auto-filled. See for a complete list of required and optional fields.
See the POST operation on .
Note that creating a Scheduled Search alone won't run the returned data against detections or send alerts. To do this, you must also , and associate it with your Scheduled Search.
accounts: Your company will incur costs on your database backend every time a Scheduled Search runs. Please make sure that your searches can complete inside the specified timeout period. This does not apply to accounts that use Panther-managed Snowflake.
If you haven't yet created a Saved Search in Data Explorer, follow the instructions, paying attention to Is this a Scheduled Search? in Step 4.
If you've already saved the search in Data Explorer, follow the , paying attention to Step 6.
Writing a Scheduled Search locally means creating a file that defines a SQL query on your own machine, then uploading it to your Panther instance (typically via the ).
It's best practice to create a fork of Panther's , but you can also create your own repo from scratch.
A YAML file (.yml or .json extension) containing .
View an .
We recommend grouping searches into folders based on log/resource type. You can use the open source repo as a reference.
See the full list of available fields in the .
<api-token> : The you generated.
When your Scheduled Search is uploaded, each of the fields you would normally populate in the Panther Console will be auto-filled. See for a complete list of required and optional fields.
See the POST operation on .
At the top of the page, click either Download or Delete.
If you clicked Delete, an Attention! modal will pop up. Click Confirm.
Find the Scheduled Search you'd like to deactivate, and in the upper right corner of its tile, click the three dots icon.
In the Update Search form, toggle the setting Is it active? to OFF to disable the query.
Locate the query you'd like to edit, and click the three dots icon in the upper right corner of its tile.
Scheduled Searches that result in a timeout will generate a to identify that the Scheduled Search was unsuccessful.
In the upper right corner of the Panther Console, click the gear icon. In the dropdown menu that appears, click General.
Scroll down to the Scheduled Queries header. Below the header, you will see the LIMIT clause toggle setting:
Toggle the LIMIT Clause for Scheduled Queries setting to ON to start enforcing LIMITs in Scheduled Queries.
A data query. Must be written in SQL (i.e., cannot be ).
