Search

Construct a data query without writing SQL

Overview

OR filter functionality, filter grouping, and IoC searching are in open beta starting with Panther version 1.97, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.
In the Search tool in Panther, you can search across all of your data—including log events, rule matches, and more—without writing SQL. Use dropdown fields to create filter expressions, and group them using AND and OR functionality.
Filter expressions can be constructed in different ways: as key/value pairs, a free text search, or a regular expression search. Each of these can also use wildcard characters. You can combine different types of filter expressions in one search.
The Search page is shown. In the dropdown filters in the upper right hand corner, the following selections have been made: "Logs," "All tables," and "1/22/2024 15:11 UTC - 1/22/24 15:31 UTC." In the Search bars, the following filters have been defined: "Source Domain is apigateway.amazonaws.com" OR ".*aws:.*admin.*" Results are displayed below in a histogram and table.
When a search is run, a results table is displayed below a histogram visualizing the distribution of result events over time. The results table is customizable—you can add or remove event fields as columns. Also from the results table, you can add inclusive/exclusive filters to your search, pivot, and look up related enrichment data. You can collaborate with your team by downloading the results table, or sharing a link to your specific search in Panther.
Search is only available to customers with a Snowflake data lake. It is not available to Panther instances with an Athena data lake.
You can effectively search your data using a combination of filters. Start by making selections in the database, table, and date range filters—then create your own filter expressions.

Using database, table, and date range filters

Use the database, table, and date range filters to narrow the scope of your search. Using these controls is optional, but can significantly improve search performance when searching over large data sets. Learn more about each of these filters below.
The Search UI in Panther is shown. Three dropdowns in the upper-right corner are shown. The first has a selection of "Logs," the second has a selection of "All tables," and the third has a value of "Last 24 hours."

Database filter

Use the database filter to narrow your search to certain databases, such as only Logs or Rule Matches.
The default value of this filter is Logs. The options contained in the database filter are:
  • Rule Matches
  • Logs
  • Lookups
  • Monitor
  • Cloud Security
  • Rule Errors
Three dropdown fields are shown. The first one is open, and the checkbox next to "Logs" is selected. The middle dropdown has a selection of "All tables" made, and the third has a selection of "Last 24 hours."

Table filter

Use the table filter to narrow your search to certain tables, within the databases indicated by the database filter.
The default value of this filter is All tables, which includes all tables for each included database. You can narrow the search by selecting only certain tables in this dropdown.
Three dropdowns are shown: in the first, "Monitor" is selected. the second one is open, and the checkbox next to "Classification Failures" is checked. In the third dropdown, "Last month" is selected.

Date range filter

Use the date range filter to narrow your search to a certain period of time.
The default value of this filter is Last 20 mins. You can use the date range picker to set a custom date and time range, or select one of the preset relative options on the left-hand side.
A date and time picker is shown. On the left-hand side there are preset relative values, like "Last hour," "Last 3 days," etc. On the right-hand side is a calendar picker, as well as dropdown fields to select the time. At the bottom are "Cancel" and "Apply" buttons.

Creating filter expressions

A filter expression is a clause containing your key/value search logic, free search terms, or match patterns. To create filter expressions, click the Add search filter bar or use the command+/ keyboard shortcut.
The Search tool is shown. The search bar, which has placeholder text of "Add search filter," is empty. It is circled.

Key/value filter expression

With a key/value filter expression, you will select an event key and provide a value (if necessary).
In the Search bar is one filter expression. It reads "Emails has john.doe@email.com"
To create a key/value filter expression:
  1. Click the Add search filter bar, or press command+/.
  2. Select an event key from the dropdown list. The dropdown menu contains options grouped into the following categories:
    • Panther Fields: Includes Indicator Fields (also known as p_any fields), and Core Fields (p_udm fields), which are useful when searching across log types.
      In the Search bar, a dropdown shows "Panther Fields" including Actor IDs, AWS Account IDs, and AWS ARNs
    • Multiple tables: Fields that are found in more than one log type.
      In the Search bar, there is a dropdown showing "Multiple Tables" options, including apiVersion, kind, and level
    • All remaining tables that contain a matching field, listed in alphabetical order.
  3. Select an operator (also known as a condition) from the dropdown menu.
    • The dropdown options will be limited to those applicable to the selected field's data type.
    • See a full list of available operators on Search Filter Operators.
  4. Enter a value, if the selected operator requires one.
  5. If you would like to create another filter expression:
    • To create an AND filter, click outside the expression you just created (but within the same horizontal bar), or press TAB.
    • To create an OR filter, click + Add OR Condition.
  6. When you are ready to execute your search, click Search or press ENTER.
    • If there are more than two rows, they will collapse. To expand all filters into view, click Show +n conditions.
You can also quickly create key/value filter expressions from the results set of an initial search.

Free text filter expression

In a free text filter expression, you will enter a string.
Free text filter expressions search every field in every event (within the database, table, and date constraints), including fields nested in complex objects.
To increase search performance, select a subset of tables to search.
To create a free text filter expression:
  1. Click the Add search filter bar, or press command+/.
  2. Enter the text value.
  3. If you would like to create another filter expression:
    • To create an AND filter, click outside the expression you just created (but within the same horizontal bar), or press TAB.
    • To create an OR filter, click + Add OR Condition.
  4. When you are ready to execute your search, click Search or press ENTER.
    • If there are more than two rows, they will collapse. To expand all filters into view, click Show +n conditions.

Regular expression (regex) filter expression

Using regex in Search can be powerful for dynamic text-based searches across logs. Search supports POSIX-extended regular expressions.
A single filter expression is created in the Search bar. It reads ".*aws:.*admin.*"
To create a regex filter expression:
  1. Click the Add search filter bar, or press command+/.
  2. Press command+/ to enter into regex mode.
    • To exit regex mode, you can press command+/ again.
  3. Enter the regular expression you wish to search, e.g., .*aws:.*admin.*.
  4. If you would like to create another filter expression:
    • To create an AND filter, click outside the expression you just created (but within the same horizontal bar), or press TAB.
    • To create an OR filter, click + Add OR Condition.
  5. When you are ready to execute your search, click Search or press ENTER.
    • If there are more than two rows, they will collapse. To expand all filters into view, click Show +n conditions.

Using wildcards in filter expressions

The wildcard character (*) may be used as a placeholder at the beginning, middle, or end of a string or expression. The wildcard character may be used within a key/value filter expression (only where the key has type: string and the operator is LIKE), free text filter expression, or regex filter expression.
The position of the wildcard character determines which data is returned as a match:
  • Beginning (e.g., *Flow): the value must end with the text after the *; any characters may precede it.
  • Middle (e.g., AWS*Flow): the value must start with the text before the * and end with the text after it; any characters may appear in between.
  • End (e.g., ACCE*): the value must start with the text before the *; any characters may follow it.
The Search bar has three filter expressions: "Log Type is not Windows.EventLogs" "Log Type like AWS*Flow" and "ACCE*"
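The following Python model is an added example, not Panther's own code, that implements the filter semantics described in the key/value, free text, regex, and wildcard sections above over a few constructed events, including the two screenshot queries. Its matching rules are assumptions: a free text or LIKE value must match a whole field value unless a * wildcard widens it, regex patterns are matched against the whole value (which is why the page's own example carries leading and trailing .*), and the CloudTrail field behind the "Source Domain" label in the screenshot is eventSource. The event contents are made up.

```python
"""Filter-expression semantics over constructed events. Added example; this is
not Panther's code, and the matching rules below are this example's assumptions."""
import re
from typing import Any, Callable, Dict, Iterator, List, Tuple

Event = Dict[str, Any]
Filter = Callable[[Event], bool]

# Constructed sample events (not real log data). p_log_type and p_any_* are
# Panther's field names; the remaining keys imitate the log types named.
EVENTS: List[Event] = [
    {"p_log_type": "AWS.CloudTrail",
     "eventSource": "apigateway.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/admin-role"},
     "p_any_aws_arns": ["arn:aws:iam::123456789012:role/admin-role"]},
    {"p_log_type": "AWS.VPCFlow", "action": "ACCEPT", "srcAddr": "10.0.0.5",
     "p_any_ip_addresses": ["10.0.0.5"]},
    {"p_log_type": "Windows.EventLogs", "EventID": 4624,
     "Message": "An account was successfully logged on"},
    {"p_log_type": "Okta.SystemLog",
     "actor": {"alternateId": "john.doe@email.com"},
     "p_any_emails": ["john.doe@email.com"]},
]


def scalars(value: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Walk nested dicts/lists and yield (dotted path, string value) pairs, so
    free text and regex filters see every field, including nested ones."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from scalars(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for v in value:
            yield from scalars(v, path)
    else:
        yield path, str(value)


def lookup(event: Event, key: str) -> List[str]:
    """All string values at a dotted key path (list fields expand to members)."""
    return [v for p, v in scalars(event) if p == key]


def wildcard_to_regex(pattern: str) -> str:
    """'*' matches any run of characters; everything else is literal. A leading
    '*' gives a suffix match, a trailing '*' a prefix match, both a contains."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def key_is(key: str, value: str) -> Filter:
    return lambda e: value in lookup(e, key)


def key_is_not(key: str, value: str) -> Filter:
    return lambda e: value not in lookup(e, key)


def key_like(key: str, pattern: str) -> Filter:
    """LIKE operator on a string key: wildcard pattern against the whole value."""
    rx = re.compile(wildcard_to_regex(pattern))
    return lambda e: any(rx.match(v) for v in lookup(e, key))


def free_text(term: str) -> Filter:
    """Free text: the term (with optional '*') is tried against every field."""
    rx = re.compile(wildcard_to_regex(term))
    return lambda e: any(rx.match(v) for _, v in scalars(e))


def regex(pattern: str) -> Filter:
    """Regex mode: the pattern as written must match a whole field value
    (assumption; use '.*' on either side for a contains match)."""
    rx = re.compile(pattern)
    return lambda e: any(rx.fullmatch(v) for _, v in scalars(e))


def all_of(*filters: Filter) -> Filter:
    """AND: expressions placed in the same horizontal bar."""
    return lambda e: all(f(e) for f in filters)


def any_of(*filters: Filter) -> Filter:
    """OR: expressions joined with + Add OR Condition."""
    return lambda e: any(f(e) for f in filters)


def run(query: Filter, events: List[Event] = EVENTS) -> List[str]:
    """Return the p_log_type of each matching event, in input order."""
    return [e["p_log_type"] for e in events if query(e)]


if __name__ == "__main__":
    # Screenshot 1: eventSource is apigateway.amazonaws.com OR regex .*aws:.*admin.*
    print(run(any_of(key_is("eventSource", "apigateway.amazonaws.com"),
                     regex(".*aws:.*admin.*"))))
    # Screenshot 2: Log Type is not Windows.EventLogs AND Log Type like AWS*Flow AND ACCE*
    print(run(all_of(key_is_not("p_log_type", "Windows.EventLogs"),
                     key_like("p_log_type", "AWS*Flow"),
                     free_text("ACCE*"))))
```

Free text and regex filters walk every nested field of every event, which is why the page recommends narrowing the table selection first: the cost of these expressions grows with the number of fields scanned, not only with the number of rows. Under the anchored-match assumption used here, the regex aws: on its own returns nothing, while .*aws:.* does.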

Searching Indicators of Compromise

When responding to a public breach disclosure or threat hunting generally, you may need to quickly find out whether any values in a list of Indicators of Compromise (IoCs) are found across any of your organization's event logs.
To search IoCs in Search:
  1. Click the Add search filter bar, or press command+/.
  2. Type or paste in the indicator or list of indicators.
  3. From the dropdown options that appear, select the (auto-detect) option.
  4. Click Search or press ENTER.
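As an added example (not Panther's code; how Panther's (auto-detect) option classifies indicators is not documented on this page), the following Python script shows the work behind a pasted IoC list: each indicator is classified by type, normalised, and then compared against the corresponding p_any_* indicator field of every event, so that one search returns any event touching any indicator in the list. Both the IoC list and the events are constructed, and the mapping from indicator type to p_any_* field is this example's assumption. The script also refangs indicators written as 1.2.3[.]4 or hxxp://, which is worth doing before pasting a list copied from a published advisory, because defanged values match nothing in real logs.

```python
"""Classify a pasted Indicator-of-Compromise list and match it against the
p_any_* indicator fields of events. Added example, not Panther's own code."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Event = Dict[str, object]

# Indicator type -> Panther indicator field it is compared against.
# This mapping is the example's own assumption about which field to search.
INDICATOR_FIELDS = {
    "ip": "p_any_ip_addresses",
    "domain": "p_any_domain_names",
    "email": "p_any_emails",
    "md5": "p_any_md5_hashes",
    "sha1": "p_any_sha1_hashes",
    "sha256": "p_any_sha256_hashes",
}

_HEX = {n: re.compile(rf"^[0-9a-f]{{{n}}}$", re.I) for n in (32, 40, 64)}
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def refang(indicator: str) -> str:
    """Undo common defanging used in advisories: 1.2.3[.]4, evil(.)example, hxxp://."""
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator.strip())
    return re.sub(r"^hxxp", "http", s, flags=re.I)


def detect(indicator: str) -> str:
    """Auto-detect the indicator type. Hashes are checked before domains and
    emails so a hex string is never mistaken for a hostname."""
    s = refang(indicator)
    try:
        ipaddress.ip_address(s)          # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    for length, name in ((32, "md5"), (40, "sha1"), (64, "sha256")):
        if _HEX[length].match(s):
            return name
    if _EMAIL.match(s):
        return "email"
    if _DOMAIN.match(s):
        return "domain"
    return "unknown"


def parse_ioc_list(text: str) -> Dict[str, Set[str]]:
    """Split a pasted list on newlines, commas, semicolons or whitespace, drop
    '#' comments, and bucket indicators by type, lower-cased for comparison."""
    buckets: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        for tok in re.split(r"[\s,;]+", line.split("#", 1)[0]):
            if tok:
                buckets.setdefault(detect(tok), set()).add(refang(tok).lower())
    return buckets


def hunt(ioc_text: str, events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (log type, indicator field, matched value) for every event whose
    indicator field holds any indicator of the matching type: the
    OR-across-all-indicators behaviour a pasted IoC list needs."""
    buckets = parse_ioc_list(ioc_text)
    hits: List[Tuple[str, str, str]] = []
    for event in events:
        for kind, wanted in buckets.items():
            field = INDICATOR_FIELDS.get(kind)
            for value in (event.get(field, []) if field else []):
                if str(value).lower() in wanted:
                    hits.append((str(event["p_log_type"]), field, str(value)))
    return hits


# Constructed inputs: an advisory-style IoC list and three events (not real data).
IOCS = """
# constructed IoC list (not a real advisory)
198.51.100.23, 2001:db8::1
evil-update[.]example
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  # sha256
attacker@example.net
"""

EVENTS: List[Event] = [
    {"p_log_type": "AWS.VPCFlow", "p_any_ip_addresses": ["10.0.0.5", "198.51.100.23"]},
    {"p_log_type": "Zeek.DNS", "p_any_domain_names": ["Evil-Update.example"]},
    {"p_log_type": "Okta.SystemLog", "p_any_emails": ["john.doe@email.com"]},
]

if __name__ == "__main__":
    for hit in hunt(IOCS, EVENTS):
        print(hit)
```

Matching on the p_any_* fields rather than on raw log fields is what makes a single IoC search span every log type: Panther populates those indicator fields at ingest regardless of where in the original event the value appeared. Comparison is case-insensitive here because hashes, domain names and email addresses are case-insensitive by convention, while IP addresses are matched on their exact string form; a canonical form such as ipaddress.ip_address(...).compressed would be needed to match IPv6 written with different zero-compression.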

Creating a Saved Search

Creating a Saved Search means you can quickly reuse commonly run searches. Learn more on Saved and Scheduled Searches.
To create a Saved Search:
  1. Create a search by following the instructions in How to use Search.
  2. Under the Add search filter box, click Save As.
    The Search UI is shown, with one filter expression created ("kind is http"). Below the search bar, the "Save As" text is circled.
  3. Enter values for the fields in the popup modal:
    • Search Name: Add a descriptive name.
    • Tags (optional): Add tags. Tags can be helpful to group related searches.
    • Description (optional): Describe the purpose of the search.
  4. Click Save Search.
    • See the next section to learn how to open and reuse Saved Searches.

Open and reuse a Saved Search in the Search tool

After creating a Saved Search in the Search tool, you can view and reuse it. It can be opened from the Search page, or from the Saved Searches page.

Open a Saved Search from the Search page:

  1. In the left-hand navigation bar of your Panther Console, click Investigate > Search.
  2. In the upper right corner, click the three dots icon, then Open Saved Search.
    • An Open a Search modal will pop up, displaying previously saved searches.
  3. Find the search you'd like to open, select it, then click Open Search.
    • The Saved Search will populate in Search.

Open a Saved Search from the Saved Searches page:

  1. In the left-hand navigation bar of your Panther Console, click Investigate > Saved Searches.
  2. Find the search you'd like to open, utilizing the search bar and Filters at the top, if necessary.
  3. In the top right corner of the search's tile, click the three dots icon.
  4. Click View in Search.
    • You will be redirected to Search, where the Saved Search will populate.

Analyzing Search results

The results of a Search contain a histogram, a table of result events, and summary visualizations.

Search results histogram

The results histogram displays the distribution of events within the search's date and time window, to help quickly contextualize results. To zoom in or out of a particular segment of time, click and drag the ends of the bar beneath the histogram.
The Search results histogram is shown. It has a number of purple bars sticking up, corresponding to different dates and times.

Interacting with the histogram

To see additional data insights into the counts by log type for any of the time periods, hover over a bar within the chart.
A tooltip in the Search results histogram displays the date and time, then three different log sources and the number of hits for each.
To create a new search (in a new browser tab) with a time period set to that of one of the histogram bars, click the bar.

Adding, removing, and reordering fields in the results table

You can customize a search's results table by adding, removing, and reordering columns.

How to add a column in the Search results table

You can add a column to the Search results table using the Available Fields list on the left-hand side of the table, or from the JSON event view.
It is only possible to add nested fields to the table from the JSON event view.

Add a column to the Search results table from the Available Fields list

  1. In the field list on the left-hand side of the results table, within the Available Fields header, locate the column you'd like to add to the results table.
    A list of event fields is displayed underneath an "Available Fields" header.
    • Only top-level fields are shown in this list. If you'd like to add a nested field to the table, you can do so from the JSON event view.
  2. To the right of the field, click + (the plus symbol).
    • The field will be added as a column in the results table, and listed on the left-hand side of the table within Selected Fields.

Add a column to the Search results table from the JSON event view

  1. In the results table, click on a row to open the JSON event view slide-out panel.
  2. Locate the field you'd like to add to the results table.
  3. While hovering over the field, click + (the plus symbol).
    The JSON event view of a log is shown. To the right of one field, the plus button is circled.
    • The field will be added as a column in the results table, and listed on the left-hand side of the table within Selected Fields.

How to remove a column in the Search results table

You can remove a column from the Search results table using the Selected Fields list on the left-hand side of the table, from the JSON event view, or from the table header row.

Remove a column from the Search results table from the Selected Fields list

  1. In the field list on the left-hand side of the results table, within the Selected Fields header, locate the field you'd like to remove from the results table.
  2. To the right of the field, click - (the minus symbol).
    Under the "Selected Fields" header, there are log fields. To the right of "PantherAudit.actionName" the minus button is hovered over. Its tooltip reads, "Remove column"
    • The field's column will be removed from the results table, and listed on the left-hand side of the table within Available Fields.

Remove a column from the Search results table from the JSON event view

  1. In the results table, click on a row to open the JSON event view slide-out panel.
  2. Locate the field you'd like to remove from the results table.
  3. While hovering over the field, click - (the minus symbol).
    The JSON event view of a log is shown. To the right of one field, the minus button is circled.
    • The field's column will be removed from the results table, and listed on the left-hand side of the table within Available Fields.

Remove a column from the Search results table from the header row

  1. In the results table, hover over the header of the column you'd like to remove.
  2. On the right side of the column header, click X.
    A header reading "GitHubAudit.config.content_type" is shown, and the "X" to its right is circled.
    • The field's column will be removed from the results table, and listed on the left-hand side of the table within Available Fields.

How to reorder columns in the Search results table

  • Reorder the columns in the results table by clicking on a column header and dragging it to the desired position.

Search results summary charts

Within the results of a Search, the Summary tab displays bar charts for field values, which can help provide quick insights into your data. To view these charts, click Summary.
In the "Table | Summary" tabs, "Summary" has been selected. Two charts are shown, "Log Type" and "Destination Bytes"
How to add or remove summary charts
Add or remove visualizations for event fields using the Available Fields and Selected Fields lists on the left-hand side of the results panel. Adding or removing a field shows or hides the field both as a chart and as a column in the results table.
To add a visualization:
  • Within the Available Fields list, to the right of a field's name, click +.
    Under an "Available Fields" header is a "Panther Fields" header, then a field called "Destination ARNs." To its right is a plus sign that's been hovered over; its tooltip reads "Add as column."
To remove a visualization:
  • Within the Selected Fields list, to the right of a field's name, click - (the minus symbol).
    Under a "Selected Fields" header are three fields: "Log Type," "Destination Bytes," and "Destination IP." To their right is a minus sign, one has been hovered over; its tooltip reads "Remove column."
How to set the sort order of a chart
To sort results in ascending order (lowest to highest):
  • In the upper-right corner of a visualization, click the icon with an arrow pointing downward:
    An icon with an arrow pointing downward has been hovered over, its tooltip reads, "Sort Ascending"
To sort results in descending order (highest to lowest):
  • In the upper-right corner of a visualization, click the icon with an arrow pointing upward:
    An icon with an arrow pointing upward has been hovered over, its tooltip reads, "Sort Descending"
How to expand or condense the number of values shown in a chart
  • To view the first 20 values in a visualization, in its lower-right corner, click Show More. To view only the first five values in a visualization, in its lower-right corner, click Show Less.

Interacting with Search results

Directly from the search results table, JSON event view, and summary charts, you can create inclusive/exclusive filters, replace filter expressions with a results value, and explore enrichment data.

How to create an inclusive or exclusive filter expression from results


How to create a filter expression from the results table

The same ability to create include or exclude filters is available from within the JSON event view, when hovering over a field.
  1. In the results table, hover over the value you'd like to create an inclusive or exclusive filter expression for.
    A column called "LOG TYPE" is shown. The second value has been hovered over, and two filter icons, one with a plus and one with a minus, are shown on top of the value.
    • To create an inclusive filter, click the filter icon with a plus sign.
    • To create an exclusive filter, click the filter icon with a minus sign.
  2. View the new filter expression in the search bar at the top of the window.
  3. To refresh the search results, click Search.

How to create a filter expression from a summary chart

  • Within a summary chart, hover over a row value.
    Next to an IP address are two filter icons. One has a tooltip reading "Filter out value"
    • To create an inclusive filter, click the filter icon with a plus sign.
    • To create an exclusive filter, click the filter icon with a minus sign.

How to replace filter expressions with a value from results


How to replace filter expressions with a value from the results table

  1. In the results table, locate the event row of interest, and click it.
    • The JSON event slide-out panel will be shown.
  2. In the JSON event slide-out panel, hover over the field on which you'd like to pivot.
    A JSON event slide-out panel is shown. To the right of one of the event fields, the replace icon (a magnifying glass) is hovered over.
  3. Click the replace icon (a magnifying glass).
    • All existing filters are replaced with a filter expression representing only the key/value you pivoted on.
  4. To refresh the search results, click Search.

How to replace filter expressions with a value from summary charts

  1. Within a summary chart, hover over the value you would like to replace filter expression values with.
    The Summary tab shows a chart for Log Type. Panther.Audit has been hovered over, and several icons are visible, including a magnifying glass.
  2. Click the replace icon (a magnifying glass).
    • All existing filters are replaced with a filter expression representing only the key/value you pivoted on.
  3. To refresh the search results, click Search.

How to explore enrichment data for a value from results


How to explore enrichment data for a value from the results table

  1. In the results table, locate the event row of interest, and click it.
    • The JSON event slide-out panel will be shown.
  2. In the JSON event slide-out panel, hover over the value you'd like to explore enrichment data for.
    The p_any_ip_addresses field is shown, and next to one of its values is a series of icons. The table icon is hovered over.
  3. Click the enrichment icon (a small database table icon).
  4. In the Lookup Enrichment pop-up modal, use the LOOKUP TABLE column to locate the row of the enrichment source you would like to explore, then click View JSON→.
    The Lookup Enrichment modal has two rows, with differing Lookup Table values. The first row's "View JSON" button is circled.
    • The enrichment entry will be shown.
      The Lookup Enrichment modal shows an ipinfo_asn entry in JSON.

How to explore enrichment data for a value from a summary chart

  1. Within a summary chart, hover over a value for which you would like to explore enrichment data.
    A summary chart for the IP Addresses field is shown, and next to one of its values is a series of icons. The table icon is hovered over.
  2. Click the enrichment icon (a small database table icon).
  3. In the Lookup Enrichment pop-up modal, use the LOOKUP TABLE column to locate the row of the enrichment source you would like to explore, then click View JSON→.
    The Lookup Enrichment modal has two rows, with differing Lookup Table values. The first row's "View JSON" button is circled.
    • The enrichment entry will be shown.
      The Lookup Enrichment modal shows an ipinfo_asn entry in JSON.

Sharing a search or results set

While investigating or threat hunting, it may be useful to share a Search or a results set with your team. To do this:
  1. In the upper-right corner of the results table, click Share:
    The results table is shown. In the upper-right corner, the Share button's menu is open, displaying two options: Copy link to view and Download CSV. This button and its options are circled.
  2. Select one of the menu options:
    • Copy link to view: Copies a URL to this specific Search to your clipboard.
    • Download CSV: Downloads a CSV of the results table.
      • Note that the downloaded CSV file contains only the first 1,000 results. To download the full results set, use Data Explorer. (You can click Copy as SQL in Search to quickly recreate it in Data Explorer.)