Templated Searches
Export collections of paramaterized SQL expressions for reuse
PreviousSaved and Scheduled SearchesNextBehavioral Analytics and Anomaly Detection Template Macros (Beta)
Last updated
Was this helpful?
Export collections of paramaterized SQL expressions for reuse
Last updated
Was this helpful?
Templated Searches are (written in SQL) that contain variables. Template macros are Templated Searches which can be imported into other Saved Searches, and called with arguments (similar to function calls).
It is possible to save a Templated Search without defining it as a template macro. In this case, the query cannot be run elsewhere, and the variable values are provided in the same Saved Search.
Commonly run SQL expressions can be saved as template macros in a single, library-like Saved Search, making it easier to manage and reuse your complex SQL code. You could, for example, define "libraries" of related queries for the below areas:
Employee macros
Correlating macros
Enrichment macros
Templated Searches are defined in Panther by including -- pragma: template as the first line of SQL.
To demonstrate the usefulness of template macros, imagine you have a complex query (spanning, say, 50 lines of SQL) that requires a date range and username. Without template macros, each time you want to run this search, you must edit it to input a specific date range and username, which can be tedious and error prone.
Instead, this complex query can be created as a template macro (named user_activity_profile in the example below) in a Templated Search (named user queries in the example below), with variables for the date range and username.
You can then create a new query like the below, which imports the template macro (user_activity_profile) from the Templated Search (user queries) and call the macro, passing in username and date time values. You can then save this search (calling it run_user_activity_profile, for example), for even faster access.
You can create a Templated Search that uses variables without defining it as a macro. In this case, while the query cannot be imported in other Saved Searches, future execution of the query will be simpler, as all variable values are defined at the top of the file.
You can create a Templated Search in Data Explorer within the Panther Console, or locally, in the CLI workflow.
In the left-hand navigation bar of your Panther Console, click Investigate > Data Explorer.
In the SQL editor, add -- pragma: template at the top.
Create a SQL query that declares variables using {{}} (double curly brackets).
Example:
To set variable values, add statements like the following at the top of the file:
Example:
Click Save as, and provide values for the following fields:
Query Name: Add a descriptive name.
Tags: Add tags to help you group similar queries together.
Description: Describe the purpose of the query.
Default Database: Choose the database to query from.
Is this a Scheduled Query?: Toggle this ON if you would like this query to run on a defined interval.
If you toggle this ON, provide a time interval.
Click Save Query.
You can run a previously defined Templated Search in Data Explorer by opening it and providing variable values.
In the left-hand navigation bar of your Panther Console, click Investigate > Data Explorer.
In the upper-right corner, click Open Saved Query.
Select the Templated Search you would like to run, then click Open Query.
Ensure all variables in your SQL expression have values defined at the top of the file, in statements like the following:
Click Run Query.
Example
In the example below, the p and q variables are given values of 1 and 'queue', respectively.
Template macros are one or more Templated Searches that are exported, meaning they can be imported in other searches. It may be particularly useful to group multiple macros in one templated query, effectively creating a "library" of related macros.
You can create template macros in Data Explorer within the Panther Console, or locally, in the CLI workflow.
In the left-hand navigation bar of your Panther Console, click Investigate > Data Explorer.
In the SQL editor, add -- pragma: template at the top.
Create one or more SQL queries that declare variables using {{}} (double curly brackets).
Surround each templated query with:
Before the query: {% macro <macro name>(<variable_one>, <variable_two>) export %}
After the query: {% endmacro %}
Click Save as, and provide values for the following fields:
Query Name: Add a descriptive name.
This value will be used later, on import.
Tags: Add tags to help you group similar queries together.
Description: Describe the purpose of the query.
Default Database: Choose the database to query from.
Is this a Scheduled Query?: Leave this toggled OFF.
Click Save Query.
You can import previously created template macros, and run them by passing in variable values.
In the left-hand navigation bar of your Panther Console, click Investigate > Data Explorer.
In the SQL editor, add a -- pragma: template statement at the top.
Import your previously-defined macro with a statement structured like the following:
Call the macro, passing in values for its arguments, with a statement structured like the following:
Click Run Query.
Optionally save the query by clicking Save as.
When running a template macro in Data Explorer, you can view the expanded SQL statement (rather than only the template code) by adding -- pragma: show macro expanded below the -- pragma: template statement.
For example, if you run the below in Data Explorer:
The template will be replaced with the expanded SQL:
To create a Templated Search in the CLI workflow, follow the .
To create a Templated Search in the CLI workflow, follow the .