Investigations & Search
Using Panther's search tools to run queries and search your normalized log data
Overview
Panther's data analysis tools enable you to search collected and normalized log data in your security data lake. You can quickly dig across log sources with Indicator Search, construct a search using Query Builder, or investigate robustly using SQL in Data Explorer.
As data is ingested into Panther, it is parsed and normalized, then stored in Snowflake. This is necessary for conducting investigations on historical data, as well as for writing rules, identifying baseline behaviors, and generating analytics.
Getting started searching your data in Panther
Determine where to start investigating
Your team has received an alert and it's time to investigate—but where should you start?
Indicator Search is the best place to start investigating if your search includes Panther's common indicators, or if you'd like to run a simple field name/value search across all log sources.
Query Builder is a good place to start if you have limited SQL knowledge, as it allows you to construct a query without SQL syntax. After creating your query, you're able to copy the SQL command generated for analysis in Data Explorer or external applications.
Data Explorer is the best place to start if you're conducting a complex or highly customized search—for example, you'd like to join database tables or control which fields are returned by adding additional clauses.
Starting with Indicator Search
Indicator Search can run quick investigations on Panther's standardized Indicator fields across all logs monitored by Panther, as well as simple field name/value searches across all logs, with Simple Search.
With Indicator Search, you can answer common questions about suspicious activity without writing SQL, and view results in a simple visualization. Indicator Search also includes features that allow you to quickly drill down into a more granular view of the data, as well as pivot off any JSON event field.
See the instructions or overview video on Indicator Search to get started.
Starting with Query Builder
In Query Builder, you can construct a data query using filters instead of SQL syntax. You'll be prompted to choose from dropdown selector fields to indicate which table you'd like to examine—from there, you can add filters to narrow your search to only, say, results where field_xyz is some_specific_value.
Find out how to build your first query in the Query Builder documentation.
Starting with Data Explorer
In Data Explorer, you can write and execute SQL queries (with autocompletion) to search across your data, including log data, rule matches, and Panther's Standard Fields. You can also save and schedule queries, retrieve JSON rows to use as unit test events, download results in a CSV, and share the query and results with your team using a unique URL.
You can use Data Explorer by navigating there directly, or by starting in Indicator Search, where you are given the option to Open in Data Explorer, or in Query Builder, where you can copy your generated SQL, then take it to Data Explorer.
See the Data Explorer documentation to get started.
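As an added illustration (not a query from the Panther documentation or product), the following Snowflake SQL shows the kind of investigation Data Explorer is built for: filtering a log table on one of Panther's standard indicator fields and then checking which rule matches that indicator has already produced. The table names and the IP address are constructed for the example; the databases and tables in your environment depend on which log sources are onboarded, and the `p_event_time` and `p_any_ip_addresses` standard fields are assumed to be present on the table as Panther normally populates them.

```sql
-- Added example, not from the Panther docs. Tables and the indicator value
-- are placeholders; substitute the database/table for the log source you are
-- investigating. Note that panther_logs / panther_rule_matches are assumed.

-- 1. Raw events in a bounded window that reference the indicator IP.
--    Always bound by p_event_time: it is the partition key, so the scan stays
--    cheap and the query returns quickly.
SELECT
    p_event_time,
    p_log_type,
    p_source_label,
    p_any_ip_addresses
FROM panther_logs.public.aws_cloudtrail
WHERE p_event_time BETWEEN '2024-01-01 00:00:00' AND '2024-01-02 00:00:00'
  AND ARRAY_CONTAINS('203.0.113.10'::VARIANT, p_any_ip_addresses)
ORDER BY p_event_time DESC
LIMIT 100;

-- 2. Rule matches for the same indicator and window, grouped by rule,
--    to see whether detections already fired on this activity.
SELECT
    p_rule_id,
    COUNT(*)          AS match_count,
    MIN(p_event_time) AS first_seen,
    MAX(p_event_time) AS last_seen
FROM panther_rule_matches.public.aws_cloudtrail
WHERE p_event_time BETWEEN '2024-01-01 00:00:00' AND '2024-01-02 00:00:00'
  AND ARRAY_CONTAINS('203.0.113.10'::VARIANT, p_any_ip_addresses)
GROUP BY p_rule_id
ORDER BY match_count DESC;
```

The first query is essentially what Indicator Search runs for you against a single table; writing it by hand in Data Explorer lets you add columns, change the time bounds, or extend it with a UNION across other log tables. The second query pivots from raw events to rule matches, which is useful for confirming whether an alert's indicator appears elsewhere in the window.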
Panther's investigation and search features
In addition to Query Builder, Indicator Search, and Data Explorer, Panther offers other features that allow you to quickly and efficiently search your data.
Example queries
Panther offers common use cases and example queries you may want to run while investigating suspicious activities in your logs:
Available databases
For a list of databases that are available for analysis in Panther, see Data Lakes.
Troubleshooting Panther's search tools
Visit the Panther Knowledge Base to view articles about analyzing data that answer frequently asked questions and help you resolve common errors and issues.