Links

Search

Search normalized Panther data with minimal or no SQL

Overview

In Search, you can construct a data lake query using no-code filters. This allows you to search and investigate your Panther data without extensive SQL knowledge, making it an alternative to Data Explorer for running queries. You can also save the queries you create in Search for easy reuse.
With Search, you can save time previously spent on writing SQL commands, and expand who on your team can use Panther. If you want to understand how the filters you've used to construct a query in Search translate to raw SQL, Search shows you the resulting SQL command—which you can then run in Data Explorer, if you'd like.
Search is only available to customers with a Snowflake data lake. It is not available to Panther instances with an Athena data lake.

How to use Search in Panther

Search considerations

When building a search with Search, consider the following:
  • You can only search one table at a time. If you need to search across multiple tables, we recommend using Indicator Search or Data Explorer instead.
  • When adding multiple filters, the operational logic is AND.
    • OR filters are not currently supported.
  1. 1.
    Log in to your Panther Console.
  2. 2.
    In the left sidebar, click Investigate > Search.

Step 2: Apply filters

Use the available filters to build a query:
  • Date and time range
    • By default, the time range is set to the last 24 hours.
  • Database and Table
    • Select your data source using these drop-down menus. By default, Database is set to panther_logs.public, which includes all log data stored in the Panther data lake. You can type in the field to search values.
  • Filters conditions
    • To add filter conditions, click Add New on the right side of the Filters tile.
    • Multiple filters are joined by an AND clause. Search does not support OR conditions.
    • You can filter fields using a variety of operators for each data type. For a complete list of operators and functions, refer to Search Filter Operators.
    • JSON Object paths:
      • To filter by JSON object paths instead of fields, click Enter Nested JSON Object Path and type or copy the path you want to filter.
      • Nested JSON Object filters are not data type specific. Pick the operator from the data type that matches the values in the object.
        • To revert to a field selection, click Use Field List.
The Limit results to field at the bottom of Search is visible only if you are not opted in to the results histogram closed beta. Performance improvements bundled with that feature make limiting search results no longer necessary.
After adding a date, database, table, and filters, use the Limit results to drop down to limit how many records are returned when the search is executed. Limiting the query will return results faster.
Panther limits the size of results to 50 by default.
  • After you have defined the parameters of your query, click Search to execute.
While a query is executing, you can click Cancel to cancel the search and start over.

Copy as SQL

Optionally, you can copy the resulting SQL from your query, for further analysis in Data Explorer or any other external application.
  1. 1.
    At the bottom of the query, click Copy as SQL.
    • This will copy the SQL command to your clipboard. You can then paste the query into Data Explorer or any other external application for further analysis.
  2. 2.
    Paste the command into Data Explorer or other applications to analyze further.
SELECT
p_event_time as p_timeline,
*
FROM
panther_logs.public.aws_alb
WHERE
(type = 'https' AND clientPort = 45705) AND p_occurs_between('2023-01-16 20:22:56Z','2023-01-17 20:22:56.219Z')
ORDER by p_event_time ASC
LIMIT 50
Saving the queries you create in Search means you won't have to rebuild them each time you want to run them. Currently, Saved Queries created in Search cannot be scheduled. Learn more about Saved Queries on Saved and Scheduled Queries.
Note that the instructions to delete a Saved Query are outlined on Saved and Scheduled Queries.
  1. 1.
    Follow the steps in How to use Search to build a query.
  2. 2.
    Under the filters, click Save As.
    The Filters section of the Query Builder is shown. Below it are "Copy as SQL," "Save As," and "Search" buttons
  3. 3.
    A Save Query modal will pop up. Fill in the following fields:
    • Query Name: Add a descriptive name.
    • Tags (optional): Add tags to help you group related queries.
    • Description (optional): Describe the purpose of the query.
  4. 4.
    Click Save Query.
After creating a Saved Query in Search, you can view and reuse the query. It can be opened from the Search page, or from the Saved Queries page.
From the Search page
From the Saved Queries page

Open a Saved Query from the Search page:

  1. 1.
    Log in to your Panther Console.
  2. 2.
    In the left sidebar, click Investigate > Search.
  3. 3.
    In the upper right corner, click Open.
    • An Open a Query modal will pop up, displaying previously saved queries.
  4. 4.
    Find the query you'd like to open, select it, then click Open Query.
    • The Saved Query will populate in Search.

Open a Saved Query from the Saved Queries page:

  1. 1.
    Log in to your Panther Console.
  2. 2.
    In the left sidebar, click Investigate > Saved Queries.
  3. 3.
    Find the query you'd like to open, utilizing the search bar and Filters at the top, if necessary.
  4. 4.
    In the top right corner of the query's tile, click the three dots icon.
  5. 5.
    Click View in Search.
    • You will be redirected to Search, where the Saved Query will populate.
  1. 1.
    Open a Saved Query by following the instructions in Open and reuse a Saved Query in Search.
    • You will now be on the Search page, with the Saved Query populated.
  2. 2.
    Make your desired changes to the query.
  3. 3.
    Under the filters, click Update.
    The Filters section of the Query Builder is shown. Below it are "Copy as SQL," "Save As," and "Search" buttons
    • An Update Query modal will pop up.
      • Modify Query Name, Tags, or Description, if desired.
  4. 4.
    In the Update Query modal, click Update Query.

Work with Search results

When executing a search with Search, results will be displayed in a table and a histogram (currently in closed beta).

Search results table

Search and Data Explorer share a common results table and all the associated functionality.

Search results histogram

The Search results histogram is only available to customers with a Snowflake data lake. It is not available to Panther instances with an Athena data lake.
In addition to displaying query results in a table, Search renders results in a histogram, as a function of time. This visualization may be useful in identifying spikes in activity, gaining insight into trends, and iteratively honing searches.
The Search histogram mirrors the one available within Indicator Search—see the Drill Down instructions to learn how to filter results by interacting with the graph.
In the Results tab of Query Builder, a histogram is shown. Above the graph is "Events over 2023-05-07 21:59 UTC - 2023-05-08 21:59 UTC." The histogram is a series of purple bars in a row, at varying heights. One bar has been hovered over, and event counts specific to that time period are shown in a pop up rectangle.

Search examples

Show VPCFlow log activity for an IP address

During an investigation, often particular IP addresses are identified as being of interest (e.g., a known command and control node). Once the role of an IP address is identified, isolating and explaining that activity helps indicate which resources are likely to be compromised.
  1. 1.
    Select a date range.
  2. 2.
    Select the database and table (aws_vpcflow).
  3. 3.
    Add a filter to search data relating to a specific IP address.
    • Field: p_any_ip_addresses
    • Operator: has
    • Value: Enter the IP address.

Find all console "root" sign-ins in CloudTrail

The root account should seldom sign into the AWS console; find all such sign-ins using Search.
  1. 1.
    Select a date range.
  2. 2.
    Select the database and table (aws_cloudtrail).
  3. 3.
    Add filters to search event types and user ARN relating to root sign-ins.
    • Filter 1:
      • Field: eventType
      • Operator: is
      • Value: AwsConsoleSignin
    • Filter 2:
      • Field: useridentity.arn
      • Operator: like
      • Value: root

Reference