Search
Construct a data query without writing SQL
In the Search tool in Panther, search across all of your data, including log events, rule matches, and more, without writing SQL. You can use dropdown fields to create filter expressions, and group them using AND and OR functionality. It's also possible to execute PantherFlow queries in Search.

Search is only available to customers with a supported data lake backend. It is not available to Panther instances with an unsupported data lake backend.

You can effectively search your data using:
- A combination of filters: Start by making selections in the database, table, and date range filters, then add one or more filter expressions.
- PantherFlow: Toggle the filter expression builder to PantherFlow mode and enter a PantherFlow query (see Executing a PantherFlow query below).

Filter expressions can be constructed in different ways: as key/value filter expressions, a free text search, or a regex search. Each of these can also use the wildcard character. You can combine different types of filter expressions in one search.

Database, table, and date range filters

Use the database, table, and date range filters to narrow the scope of your search. Using these controls is optional, but can significantly improve search performance when searching over large data sets.

Database filter
Use the database filter to narrow your search to certain databases, such as only Logs or Rule Matches. The default value of this filter is Logs. The options contained in the database filter are:
- Rule Matches
- Logs
- Lookups
- Monitor
- Cloud Security
- Rule Errors
- Signals

Table filter
Use the table filter to narrow your search to certain tables within the databases selected in the database filter. The default value of this filter is All tables, which includes all tables for each included database. You can narrow the search by selecting only certain tables in this dropdown.

Date range filter
Use the date range filter to narrow your search to a certain period of time. The default value of this filter is Last 20 mins. You can use one of the preset relative options (like Last hour or Last week), set your own relative window with Relative time, remove the time constraint with All time, or set a specific window with Custom range.

Filter expressions

A filter expression is a clause containing your key/value condition, free text, or regular expression. To create filter expressions, click the Add search filter bar or use the add filter expression keyboard shortcut (see Keyboard shortcuts below).

Key/value filter expressions
With a key/value filter expression, you select an event key and provide a value (if necessary).
To create a key/value filter expression:
1. Click the Add search filter bar, or use the add filter expression keyboard shortcut.
2. Select an event key from the dropdown list. The dropdown menu contains options grouped into the following categories:
   - Panther Fields: Includes Panther indicator fields (also known as p_any fields) and unified data model fields (p_udm fields), which are useful when searching across log types.
   - Multiple tables: Fields that are found in more than one log type.
   - All remaining tables with matching fields, displayed in alphabetical order.
3. Select an operator (also known as a condition) from the dropdown menu. The dropdown options are limited to those applicable to the selected field's data type. A full list of available operators is documented separately.
4. Enter a value, if the selected operator requires one.
5. If you would like to create another filter expression:
   - To create an AND filter, click outside the expression you just created (but within the same horizontal bar), or press TAB.
   - To create an OR filter, click + Add OR Condition.
6. When you are ready to execute your search, click Search or press ENTER.
If there are more than two rows of filter expressions, they collapse. To expand all filters into view, click Show +n conditions.
Key/value filter expressions can use the wildcard character (see Wildcards below). You can also quickly add filter expressions from the results of an initial search (see Acting on results below).

Free text filter expressions
In a free text filter expression, you enter a string rather than selecting an event key. To improve search performance while using a free text filter expression, narrow the tables to search with the table filter.
To create a free text filter expression:
1. Click the Add search filter bar, or use the add filter expression keyboard shortcut.
2. Enter the text value.
3. If you would like to create another filter expression:
   - To create an AND filter, click outside the expression you just created (but within the same horizontal bar), or press TAB.
   - To create an OR filter, click + Add OR Condition.
4. When you are ready to execute your search, click Search or press ENTER.
If there are more than two rows of filter expressions, they collapse. To expand all filters into view, click Show +n conditions.
Free text filter expressions can use the wildcard character (see Wildcards below).

Regex filter expressions
Using regex in Search can be powerful for dynamic text-based searches across logs.
To create a regex filter expression:
1. Click the Add search filter bar, or use the add filter expression keyboard shortcut.
2. Enter regex mode with the regex keyboard shortcut (see Keyboard shortcuts below).
3. Enter the regular expression you wish to search, e.g., .*aws:.*admin.*
4. If you would like to create another filter expression:
   - To create an AND filter, click outside the expression you just created (but within the same horizontal bar), or press TAB.
   - To create an OR filter, click + Add OR Condition.
5. To exit regex mode, repeat the same keyboard shortcut.
6. When you are ready to execute your search, click Search or press ENTER.
If there are more than two rows of filter expressions, they collapse. To expand all filters into view, click Show +n conditions.
Regex filter expressions can use the wildcard character (see Wildcards below).

Wildcards
The wildcard character (*) may be used as a placeholder at the beginning, middle, or end of a string or expression. It may be used within a key/value filter expression (only where the key has type: string and the operator is LIKE), a free text filter expression, or a regex filter expression. Note that inside a regex filter expression, * keeps its regular-expression meaning (zero or more of the preceding token), so the equivalent of a wildcard is .*, as in the example above. This functionality is not available when searching with PantherFlow.
The position of the wildcard character determines which data is returned as a match:
- Beginning: Any character(s) at or preceding the * are considered a match.
- Middle: Any character(s) at the * are considered a match.
- End: Any character(s) at or following the * are considered a match.

Searching for Indicators of Compromise

When responding to a public breach disclosure or threat hunting generally, you may need to quickly find out whether any values in a list of Indicators of Compromise (IoCs) are found across any of your organization's event logs.
To search IoCs in Search:
1. Make selections in the database, table, and date range filters.
2. Click the Add search filter bar, or use the add filter expression keyboard shortcut.
3. Type or paste in the indicator or list of indicators.
4. From the dropdown options that appear, select the (auto-detect) option. Search parses the inputted string where there are spaces, commas, and semicolons, then detects whether each value matches a Panther indicator field. For each detected indicator field, Search creates a key/value filter expression. Other values remain as free text filter expressions. Each filter expression is joined by an OR.
5. Click Search or press ENTER.

Keyboard shortcuts

Use the keyboard shortcuts below when building filter expressions in Search (macOS shortcut first, then Windows/Linux):
- Add filter expression / Enter or exit regex mode: ⌘/ or ⌃/
- Select all filters in the current group: ⌘A or ⌃A
- Copy selected filters: ⌘C or ⌃C
- Paste: ⌘V or ⌃V
- Undo: ⌘Z or ⌃Z
- Redo: ⇧⌘Z or ⇧⌃Z
- Delete selected filters: ⌫

Executing a PantherFlow query

To execute a PantherFlow query in Search:
1. In the left-hand navigation bar of your Panther Console, click Investigate > Search.
2. On the left side of the Add search filter bar, click </> to toggle to PantherFlow mode. This replaces the filter expression builder with a PantherFlow code editor.
3. Enter your PantherFlow query. How to construct a PantherFlow query is documented separately.
   - If your PantherFlow query specifies a database/table, the database, table, and date range filters in the upper-right corner of the Search page are ignored.
   - If your PantherFlow query does not specify a database/table, the database, table, and date range filters are all applied. In this scenario, if your PantherFlow query also includes a date/time range (with a | where p_event_time ... statement), both date/time ranges are applied: returned data must fall within the date/time range set in the date range filter and within the range defined by the | where p_event_time ... statement.
4. Click Search.
Note the current limitations of PantherFlow in Search, including that the wildcard character is not available.

Saved Searches

Creating a Saved Search means you can quickly reuse commonly run searches. While it's possible to create a Saved Search in Search, it's not possible to schedule it (i.e., to create a scheduled search).
To create a Saved Search:
1. Create a search by following the instructions above.
2. Under the Add search filter box, click Save As.
3. Enter values for the fields in the popup modal:
   - Search Name: Add a descriptive name.
   - Tags (optional): Add tags. Tags can be helpful to group related searches.
   - Description (optional): Describe the purpose of the search.
4. Click Save Search.

After creating a Saved Search in the Search tool, you can view and reuse it. It can be opened from the Search page, or from the Saved Searches page. To open it from the Search page:
1. In the left-hand navigation bar of your Panther Console, click Investigate > Search.
2. In the upper right corner, click the three dots icon, then Open Saved Search.
3. An Open a Search modal pops up, displaying previously saved searches.
4. Find the search you'd like to open, select it, then click Open Search.
The Saved Search populates in Search.

Search results

When a search is run, a results table is displayed below a histogram visualizing the distribution of result events over time. The results of a Search contain a histogram, a results table, and visualizations. The results table is customizable: you can add, remove, and reorder columns. Also from the results table, you can add filter expressions to your search, pivot, and explore enrichment data. You can share results by downloading the results table, or by sharing a link to your specific search in Panther.

Histogram
The results histogram displays the distribution of events within the search's date and time window, to help quickly contextualize results.
After a search is run, the histogram is shown collapsed by default. You can expand it by clicking the diagonal arrows button in the upper-right corner of the chart. Clicking the button again collapses the chart.
To see additional data insights into the counts by log type for any of the time periods, hover over a bar within the chart.
To drill down and create a new search (in a new browser tab) with a time period set to that of one of the histogram bars, click the bar.

How to add, remove, and reorder columns
You can add a column to the Search results table using the field list on the left-hand side of the table, or from the JSON event slide-out panel. Only top-level fields are shown in the field list; it is only possible to add nested fields to the table from the JSON event slide-out panel.
To add a column from the field list:
1. In the field list on the left-hand side of the results table, within the Available Fields header, locate the column you'd like to add to the results table.
2. To the right of the field, click + (the plus symbol).
The field is added as a column in the results table, and listed on the left-hand side of the table within Selected Fields.
To add a column from the JSON event slide-out panel:
1. Click an event row to open the panel.
2. While hovering over the field, click + (the plus symbol).
You can remove a column from the Search results table using the field list on the left-hand side of the table, from the JSON event slide-out panel, or from the column header.
To remove a column from the field list:
1. In the field list on the left-hand side of the results table, within the Selected Fields header, locate the field you'd like to remove from the results table.
2. To the right of the field, click - (the minus symbol).
The field's column is removed from the results table, and listed on the left-hand side of the table within Available Fields.
To remove a column from the JSON event slide-out panel, hover over the field and click - (the minus symbol). To remove a column from the results table itself, click X on the right side of the column header.
Reorder the columns in the results table by clicking on a column header and dragging it to the desired position.

Compact and detailed views
The results table is loaded, by default, in a compact view. This view displays all log fields, including the often sizable EVENT field, in a single row. To view the EVENT value in this view, scroll horizontally.
The results table can alternatively display logs in a detailed view. This view displays the EVENT field value in a new row below the event's other fields, with text-wrapping.
To enable detailed view, click the toggle button in the upper-right corner of the table.

Viewing full event data
It's possible to view the full event data, in JSON format, by clicking an event row. This opens a slide-out panel on the right side of the browser window. To more easily view the full event data, you can use detailed view or the JSON event slide-out panel. An added benefit of using the slide-out panel is the ability to show or hide Panther fields: in the JSON event view, Panther fields are displayed at the top of the JSON object followed by the event fields, and you can hide or reveal them by clicking the Show Panther fields toggle.
Hovering over fields in the slide-out panel displays icons with which you can perform additional actions, like adding a filter (see Acting on results below).

Visualizations
Within the results of a Search, the Visualizations tab displays bar charts for field values, which can help provide quick insights into your data. To view these charts, click Visualizations.

How to add or remove summary charts
Add or remove visualizations for event fields using the Available Fields and Selected Fields lists on the left-hand side of the results panel. Adding or removing a field shows or hides the field both as a chart and as a column in the results table.
To add a visualization: within the Available Fields list, to the right of a field's name, click +.
To remove a visualization: within the Selected Fields list, to the right of a field's name, click –.

How to set the sort order of a chart
To sort results in ascending order (lowest to highest), in the upper-right corner of a visualization, click the icon with an arrow pointing downward.
To sort results in descending order (highest to lowest), in the upper-right corner of a visualization, click the icon with an arrow pointing upward.

How to expand or condense the number of values shown in a chart
To view the first 25 values in a visualization, in its lower-right corner, click Show Top 25. If there are fewer than 25 values available, the text reads Show all <number> rows instead. To view only the first five values in a visualization, in its lower-right corner, click Hide additional rows.

Acting on results

Directly from the JSON event slide-out panel and summary charts, you can add filter expressions, replace filter expression values (pivot), and explore enrichment data.

To add a filter expression from the JSON event slide-out panel:
1. In the results table, locate the event row of interest, and click it. The JSON event slide-out panel is shown.
2. Hover over the value you'd like to create an inclusive or exclusive filter expression for.
3. To create an inclusive filter, click the inclusive filter icon. To create an exclusive filter, click the exclusive filter icon.
4. View the new filter expression in the search bar at the top of the window.
5. To refresh the search results, click Search.
To add a filter expression from a summary chart, hover over the value of interest, then click the inclusive filter icon or the exclusive filter icon.

To pivot on a field from the JSON event slide-out panel:
1. In the results table, locate the event row of interest, and click it. The JSON event slide-out panel is shown.
2. Hover over the field on which you'd like to pivot.
3. Click the replace icon. All existing filters are replaced with a filter expression representing only the key/value you pivoted on.
4. To refresh the search results, click Search.
To pivot from a summary chart, hover over the value you would like to replace the filter expression values with, then click the replace icon.

To explore enrichment data:
1. In the JSON event slide-out panel, hover over the value you'd like to explore enrichment for. Alternatively, within a summary chart, hover over the value of interest.
2. Click the enrichment icon.
3. In the Lookup Enrichment pop-up modal, use the LOOKUP TABLE column to locate the row of the enrichment source you would like to explore, then click View JSON→.
4. The enrichment entry is shown.

Sharing a Search or results

While investigating or threat hunting, it may be useful to share a Search or a results set with your team. To do this:
1. In the upper-right corner of the results table, click Share.
2. Select one of the menu options:
   - Copy link to view: Copies a URL to this specific Search to your clipboard.
   - Download CSV: Downloads a CSV of the results table.
Note that the downloaded CSV file contains only the first 1,000 results. To download the full results set, use Data Explorer. (You can click Copy as SQL in Search to quickly recreate the search in Data Explorer.)
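The following Python is an added example, not Panther's code or documentation: it models the wildcard behaviour described under Wildcards (beginning, middle, and end placement of *) by compiling a wildcard pattern to an anchored regular expression, and shows the equivalent SQL LIKE pattern for a key/value filter on a string key. The sample values are constructed. How Panther anchors regex filter expressions is not stated on this page, so the regex-mode comparison assumes an unanchored search, which is an assumption of this example.

```python
"""Added example, not Panther's code: what a wildcard pattern matches depending on
where the * sits, plus the equivalent SQL LIKE pattern. Sample values are
constructed; the unanchored regex-mode comparison is an assumption."""
import re

# Constructed sample values, as if read from a string field such as a role name.
SAMPLE_VALUES = ["aws:iam:admin", "aws:iam:admin-ro", "admin", "gcp:admin", "aws:s3:reader"]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Escape every literal piece and turn each * into .*; anchor both ends so a
    pattern with no wildcard must match the whole value, not a substring."""
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.DOTALL)


def wildcard_to_like(pattern: str) -> str:
    """Translate a wildcard pattern to a SQL LIKE pattern: * becomes %, while literal
    %, _ and backslash are escaped (assumes the query runs with ESCAPE '\\')."""
    return (pattern.replace("\\", "\\\\")
                   .replace("%", r"\%")
                   .replace("_", r"\_")
                   .replace("*", "%"))


def wildcard_search(pattern: str, values=SAMPLE_VALUES) -> list:
    """Return the values a wildcard filter expression would match."""
    rx = wildcard_to_regex(pattern)
    return [v for v in values if rx.match(v)]


def regex_search(expression: str, values=SAMPLE_VALUES) -> list:
    """Regex-mode equivalent: the expression is applied as written (unanchored, assumed),
    so the page's example .*aws:.*admin.* behaves like the wildcard pattern *aws:*admin*."""
    rx = re.compile(expression)
    return [v for v in values if rx.search(v)]


if __name__ == "__main__":
    for p in ("*admin", "aws:*admin", "aws:*", "admin"):
        print(f"{p!r:14} -> {wildcard_search(p)}")
    print("LIKE for user_*:", wildcard_to_like("user_*"))
    print(regex_search(r".*aws:.*admin.*"))
```

The escaping in wildcard_to_regex and wildcard_to_like is the point of the example: a literal dot in a domain, or an underscore in a field value, must not silently become a regex or LIKE metacharacter, otherwise the search returns more than the analyst intended.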
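The following Python is an added example, not Panther's code: it models how the (auto-detect) option described under Searching for Indicators of Compromise turns a pasted IoC list into OR-joined filter expressions. Splitting on spaces, commas, and semicolons follows the page; which value shapes map to which Panther indicator field (p_any_ip_addresses, p_any_domain_names, p_any_md5_hashes, p_any_sha1_hashes, p_any_sha256_hashes, p_any_emails, p_any_aws_arns, p_any_aws_account_ids) and the rendered display format are assumptions of this example, and the pasted list is constructed.

```python
"""Added example, not Panther's code: a model of how Search's (auto-detect)
option turns a pasted IoC list into OR-joined filter expressions. The tokenizer
follows the page; the value-shape-to-field mapping is an assumption."""
import re
from ipaddress import ip_address
from typing import Optional

# Assumed mapping of hex digest length to Panther indicator (p_any) field.
_HASH_FIELDS = {32: "p_any_md5_hashes", 40: "p_any_sha1_hashes", 64: "p_any_sha256_hashes"}
_HEX_RE = re.compile(r"[0-9a-fA-F]+")
_ARN_RE = re.compile(r"^arn:aws[a-z-]*:")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
_ACCOUNT_RE = re.compile(r"\d{12}")


def split_indicators(text: str) -> list:
    """Split pasted text on whitespace, commas and semicolons; drop empty tokens."""
    return [t for t in re.split(r"[\s,;]+", text) if t]


def classify(value: str) -> Optional[str]:
    """Return the assumed Panther indicator field for a value, or None for free text.
    Order matters: an ARN or e-mail address also looks like a domain, and a 12-digit
    account ID is also valid hex, so the more specific checks run first."""
    v = value.strip()
    if _ARN_RE.match(v):
        return "p_any_aws_arns"
    if _EMAIL_RE.match(v):
        return "p_any_emails"
    try:
        ip_address(v)  # accepts IPv4 and IPv6 literals, raises ValueError otherwise
        return "p_any_ip_addresses"
    except ValueError:
        pass
    if _ACCOUNT_RE.fullmatch(v):
        return "p_any_aws_account_ids"
    if _HEX_RE.fullmatch(v) and len(v) in _HASH_FIELDS:
        return _HASH_FIELDS[len(v)]
    if _DOMAIN_RE.match(v):
        return "p_any_domain_names"
    return None


def build_filters(text: str) -> list:
    """Return the filter expressions Search would create for a pasted IoC list.
    Detected indicators become key/value expressions; everything else stays free
    text. All of them are joined by OR when the search runs."""
    filters = []
    for token in split_indicators(text):
        field = classify(token)
        if field is None:
            filters.append({"free_text": token})
        else:
            filters.append({"key": field, "value": token})
    return filters


def render(filters: list) -> str:
    """Human-readable form of the OR-joined expressions (display format is ours)."""
    parts = [
        f'{f["key"]} = "{f["value"]}"' if "key" in f else f'"{f["free_text"]}"'
        for f in filters
    ]
    return " OR ".join(parts)


if __name__ == "__main__":
    # Constructed IoC list, as it might be pasted from a breach disclosure.
    pasted = ("203.0.113.7, evil.example; "
              "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 mimikatz")
    print(render(build_filters(pasted)))
```

Running the block prints one OR-joined expression: the IP, domain, and SHA256 become key/value expressions on their indicator fields, while "mimikatz" (a tool name, not an indicator shape) stays a free text expression. Because everything is joined by OR, a single mistyped or over-broad token widens the whole search, so it is worth reviewing what auto-detect produced before pressing ENTER.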