Threat Hunting in Panther

Overview

While there is no one-size-fits-all formula for threat hunting in your SIEM, the techniques described on this page may be helpful in deciding how to start an investigation. After receiving an alert, you may want to start by viewing the Panther AI triage, run suggested follow-up prompts, and/or pivot around your data. In certain cases, you may need to search for a value across all your logs in Panther.

How to start searching after receiving an alert

You've received a Panther alert identifying potentially malicious behavior—now you need to learn more about the activity to understand whether the alert is a true positive.

From the alert details page in the Panther Console, you can take the actions below.

View the Panther AI alert triage

From the Panther AI alert triage summary, you can examine the queries Panther AI ran and/or prompt it to investigate further:

• View queries Panther AI ran during triage.

  • Panther AI may run queries to collect data it deems useful during its initial investigation. These are formatted as citations.

  • The query results will be incorporated into the overall AI triage summary, but if you'd like to see them yourself (and use the query as a starting point for pivots), you can click a query citation to be taken to Search, where the query will execute.

    
• Prompt Panther AI to generate a search.

  • Use natural language to prompt Panther AI to run a search, and/or select, from the initial AI triage, one of the Recommended Follow Up AI Prompts—see the Running an AI-suggested follow-up prompt to alert triage example.

Run the provided PantherFlow Investigation query

In certain Panther-managed detections, the alerts are generated with a PantherFlow Investigation alert context field. (This is generated using the pantherflow_investigation() helper.) You can copy this query and run it in Search.

Pivot on an indicator value

To pivot on an indicator value, from an event associated with the alert, locate a p_any field (also known as an indicator field). Hover over a value and click the magnifying glass icon (with the tooltip Indicator Search):

You'll be taken to Search where a search for that value (in the relevant indicator field) across all logs will execute:

Search alert events

In the Event section, click Search Events. You'll be taken to Search where you'll see the events associated to the alert. From there, you can pivot around your data to investigate further.

How to best search for a value across all your logs in Panther

There are two common scenarios when searching for a value across all your logs in Panther:

• (Recommended) Performing an indicator search

• Performing a full text search

Indicator searches are recommended when possible, as they search across significantly less data and are therefore more efficient. In both scenarios, however, there are recommendations for how to best search.

Performing an indicator search

Performing an indicator search means searching for a value only in a specific indicator field (also known as a p_any field) across all logs. This type of search is possible if you know the value you're searching for has been extracted into a p_any field (i.e., your log schemas properly designate fields as indicators).

It is not required to know which indicator field the value would be found in, as Search filter chips can auto-detect the correct field.

You can execute an indicator search in Panther in the following ways:

• In Search (using filter chips or PantherFlow)

• Using the GraphQL API

• With Panther AI

(Recommended) Performing an indicator search in Search using filter chips

You can execute an indicator search in Search, using filter chips, in the following ways:

• When you know which indicator field the value would be found in: with the database and table filters set to Logs and All tables, respectively, create a key/value filter expression, where the key is an indicator field.

  • In the example below, AWS ARNs is the Console-friendly alias for p_any_aws_arns.

    
• When you don't know which indicator field the value would be found in: when entering the value in a filter chip, select auto-detect. In the example below, Search would detect that T1234 is a MITRE ATT&CK technique and search for the value only in p_any_mitre_attack_techniques.

  

  • You can also paste in a list of Indicators of Compromise (IoCs) and select auto-detect, and Search will automatically map each value to an indicator field, where possible.

Performing an indicator search in Search using PantherFlow

To execute an indicator search using PantherFlow, use the union operator to join all tables, then a where clause to limit the search to a specific indicator field.

Learn more in Use p_any fields.

Example searching all logs:

Performing an indicator search using the GraphQL API

Use the executeIndicatorSearchQuery GraphQL API mutation.

See an example here.

Performing an indicator search using Panther AI

In a Panther AI entry point, prompt it in natural language to run a search. The correct data search and analysis tool and indicator field will automatically be chosen.

For example, if you entered Find all logs where the IP XXX.XXX.XXX.XXX is present, Panther AI would search for XXX.XXX.XXX.XXX across p_any_ip_addresses.

Performing a full text search

A full text search means you're searching for a value across all columns in one or more tables in one or more databases.

You can execute a full text search in Panther in the following ways:

• In Search, using filter chips

• In Search, using PantherFlow

Performing a full text search in Search using filter chips

To perform a full text search with filter chips in Search, create a free text filter expression.

When entering a value, do not select the auto-detect option.

Performing a full text search in Search using PantherFlow

To search across all logs in PantherFlow, use the union operator:

It's recommended to improve query efficiency by following the principles in PantherFlow Best Practices.