# Indicator Search

## Overview

Indicator Search lets you quickly search across your ingested data for common indicators, [Panther’s standardized Indicator Fields](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/panther-fields#indicator-fields), without writing SQL.

You can also use Indicator Search's [Simple Search](#simple-search) functionality to search for *any* field key/value pair, across all your various log sources. With Simple Search, only matches from log sources containing the exact field name searched will be returned.

Access to the Indicator Search can be limited through the [Role-Based Access Control](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/system-configuration/rbac) system.

### Indicator Search overview video

{% embed url="https://panther.wistia.com/medias/4wws551iym" %}
Indicator Search overview
{% endembed %}

## How to use Indicator Search

1. In the left-hand navigation bar of your Panther Console, click **Investigate** > **Indicator Search**.
2. In the **Filter** dropdown, choose the set of data you'd like to search over:
   * **All Data**
   * **Specific Data (Faster)**
3. Copy and paste indicator(s) into the search field.
   * The search will find all connected events associated with the indicators in the specified time range.
   * You can mix types of indicators (e.g., IP addresses, domain names, ARNs, file hashes). If you enter multiple indicators or indicator types, the search combines them with an `OR` condition (for example, indicator 1 OR indicator 2).
4. If you chose the **Specific Data (Faster)** option in the **Filter** dropdown, enter values for the following fields:

   1. **Search Specific Databases (optional)**: Select one or more databases your search will be limited to.
   2. **Search Specific Tables (optional)**: Select one or more tables your search will be limited to.

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FjvddrOakXX47AMRErwPg%2FindicatSear.png?alt=media&#x26;token=a0510b01-5f9f-48d6-8cc1-fe03c3abcc8d" alt="" width="563"><figcaption></figcaption></figure>
5. Choose a **Field** to search. Learn more about the [**Field** selector below](#field-selection).
6. Select a time range.
7. Click the magnifying glass icon to search.\
   ![The image shows the full results page after performing an Indicator Search.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FtfA2wpTE7tgKvU1VweZc%2Findicator-search.png?alt=media\&token=6b871f69-7f89-4fb7-8f94-ee1b674e2c8b)<br>

A timeline histogram shows the concentration of events over the specified time interval.

You can drill down into specific events by pivoting into the Data Explorer with prebuilt SQL queries. Find additional indicators in the Data Explorer and perform another search to gain additional context about the attack.

Continue to pivot through your data to map the entire attacker footprint.

### Field selection

The Indicator Search includes a **Field** selector, where you can choose the log field containing the indicator you're searching for.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FDMlHhq7QxDkON0mri0Kr%2FScreenshot%202023-02-28%20at%201.48.01%20PM.png?alt=media&#x26;token=c0f20a45-dfcc-4cd7-b9a5-49a4df3e716b" alt="The Indicator Search page is shown, which contains the following fields: a textfield to enter your indicators to search for, a &#x22;Field&#x22; field, where you pick the type of data, e.g. Auto Detect Type, Simple Search, Aws Account Ids, etc."><figcaption></figcaption></figure>

#### Auto Detect Type

**Auto Detect Type** is the default value for the **Field** selector. If **Auto Detect Type** is used, the structure of the indicators entered will be analyzed for type identification (to decipher that they're, for example, IP addresses or AWS ARNs), and the corresponding `p_any_` field will be searched. If the indicators do not have a structure that makes their type identifiable (e.g., usernames), then *all* fields that *could* match will be searched.

If you are searching for indicators that span multiple field types (say for a domain name *and* an ARN), **Auto Detect Type** must be used.

{% hint style="info" %}
When searching for indicators that do not have a unique structure, such as usernames, it's more efficient to choose the relevant type from the **Field** dropdown than to use **Auto Detect Type**. By picking the specific type, Panther's search is limited to the associated `p_any_` field, rather than searching *all* fields that *could* match.
{% endhint %}
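As an added illustration (not Panther's code), the following Python model reproduces the **Auto Detect Type** behaviour described above: each indicator's structure selects one `p_any_` field, indicators with no identifying structure fall back to every `p_any_` field, and multiple indicators are combined with OR. The sample events, the regexes and the `field_override` parameter (which stands in for picking a specific type from the **Field** dropdown) are constructed assumptions for this example.

```python
import ipaddress
import re

# Constructed sample events (not real Panther data), already carrying the
# standardized p_any_ fields that Panther appends at ingest.
EVENTS = [
    {"p_log_type": "AWS.CloudTrail", "p_any_ip_addresses": ["203.0.113.7"],
     "p_any_aws_arns": ["arn:aws:iam::123456789012:user/alice"],
     "p_any_usernames": ["alice"]},
    {"p_log_type": "Okta.SystemLog", "p_any_ip_addresses": ["198.51.100.9"],
     "p_any_usernames": ["alice"], "p_any_domain_names": ["example.com"]},
    {"p_log_type": "GSuite.Reports", "p_any_emails": ["bob@example.com"],
     "p_any_domain_names": ["example.com"]},
]

ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:[^:]*:.+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

def detect_type(indicator):
    """Pick the p_any_ field implied by the indicator's structure, or None
    when the structure says nothing about the type (e.g. a bare username)."""
    try:
        ipaddress.ip_address(indicator)
        return "p_any_ip_addresses"
    except ValueError:
        pass
    if ARN_RE.match(indicator):
        return "p_any_aws_arns"
    if "@" in indicator and DOMAIN_RE.match(indicator.rsplit("@", 1)[1]):
        return "p_any_emails"
    if DOMAIN_RE.match(indicator):
        return "p_any_domain_names"
    return None

def auto_detect_search(events, indicators, field_override=None):
    """Model of Auto Detect Type: indicators are OR'd; a typed indicator is
    looked up only in its p_any_ field, an untyped one in every p_any_ field.
    field_override models choosing a specific type from the Field dropdown."""
    hits = []
    for event in events:
        for ind in indicators:
            field = field_override or detect_type(ind)
            fields = [field] if field else [k for k in event if k.startswith("p_any_")]
            if any(ind in event.get(f, []) for f in fields):
                hits.append(event["p_log_type"])
                break  # OR semantics: one matching indicator is enough
    return hits
```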

#### Simple Search

Another **Field** option is **Simple Search**. Simple Search lets you search for any field name and value pair (beyond the standardized [Indicator Fields](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/panther-fields#indicator-fields)), across all logs. When using Simple Search, the format of the search input must be `<attribute path>='<attribute value>'`. All logs with `<attribute path>` will be searched for `<attribute value>`.

Fields searched with Simple Search, however, are not mapped to their equivalents (which may use different names) in other log sources, so only matches from log sources containing the exact field name searched will be returned. For example, if one of your log sources (log source A) has a field named `best_skateboarders` and another log source (log source B) has a field named `best_skateboarders_ever` and you search `best_skateboarders='Tony Hawk'`, only log source A's events will be searched for instances of Tony Hawk.

A Simple Search is created when you pivot on a non-`p_any_` JSON event field, as is shown in the example below. To learn more about which log field to pivot from, see [Pivoting on a regular field vs. its `p_any_` field](#pivoting-on-a-regular-field-vs.-its-p_any_-field).

#### Example

Take the following Data Explorer results, from which a quick Indicator Search was run:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FCGPHFOwTIiXBMhwu8DbO%2FactionName.png?alt=media&#x26;token=a1239593-d5fd-415e-97cc-1f5a0ca191a5" alt="From Data Explorer results, a quick Indicator Search was run on a field called actionName with a value of GET_ORGANIZATION_METRICS. A daterange is set, and 344 hits were found. There is a link at the bottom that says View in Indicator Search."><figcaption></figcaption></figure>

Selecting **View in Indicator Search** brings you to Indicator Search, where you will see the following inputs:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FUbP5cIZWjB3qlOqIdgn0%2FScreenshot%202023-02-28%20at%202.21.39%20PM.png?alt=media&#x26;token=1cf86e03-bbb5-4ada-adf1-e457c7347d35" alt="On the Indicator Search page, in the indicator search field, is actionName=&#x27;GET_ORGANIZATION_METRICS&#x27;. In the Field selector, Simple Search has been selected."><figcaption></figcaption></figure>

### Drill Down

You can use the Indicator Search timeline histogram to switch from a more general view of the results to a more specific view. This makes it easy to instantly shift from an overview of events to a more detailed and granular view within the same dataset. This same histogram is available when viewing [Query Builder results](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/query-builder#query-builder-results-histogram).

A typical workflow looks like the following:

1. Execute a search.
2. In the results section, hover over the histogram bars to see the count of events for a specific period.
3. Click a histogram bar to search for events over that specific time period.\
   ![The image shows the Indicator Search results page. An arrow points at a bar in a histogram chart, and the time range of the result is circled by a dashed line.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FsYzZ270m1M6VUYvAgEFH%2Fquickly-search-indicators.png?alt=media\&token=54a0cdf5-c14e-4ab0-ae38-aa46247f1914)
4. After clicking on the histogram bar, a new tab will open containing detailed results for the time period you selected. You can continue clicking on histogram bars in each new tab to drill down further.\
   ![The image shows three separate screens where each subsequent search drills down further into the data.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FCWTwBQTW8YxCITRfvDQ7%2Fdrill-down.png?alt=media\&token=a425d292-09b4-47d3-8569-c2094a44dba0)
5. If you'd like to explore your Indicator Search results further, transfer the query to Data Explorer by clicking the share icon in any of the "Total Hits" tiles below the histogram chart, or scroll down below the histogram chart and click **Open in Data Explorer**.
   * The page will open with a pre-populated SQL query.\
     ![The image shows Data Explorer with a SQL query in the New Query code box.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FVkpeZoKUWO4xOaxfstbb%2Fdata-explorer-indicator-query.png?alt=media\&token=11445ca0-9d8f-4445-b759-8736bef22c17)

### Pivoting

Indicator Search can also be accessed from the **Events** tab of an alert details page, or from [Data Explorer](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/search/data-explorer) results. This makes it easy to quickly pivot off a value in an event. Note that pivoting off a `p_any_` field will leverage the standardized [Indicator Fields](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/panther-fields#indicator-fields), while pivoting off a non-`p_any_` field will create a [Simple Search](#simple-search).

To access Indicator Search from the event JSON on an alert details page or in Data Explorer results:

1. Hover over any field value in the JSON and click the search icon that appears:\
   ![The image shows a magnifying glass icon circled next to an indicator.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fg5uWt9o4c3jnTgB7CZhv%2Fsearch-icon.png?alt=media\&token=7c81611c-a3f1-41e4-8589-f6af974a255e)
2. Select the date range you would like to search against:\
   ![The image shows a date range selected, and a blue search button next to the date range fields. The screen displays a message that says "Nothing searched yet." ](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FfVSvfSEZFScVWNJ9ZPXC%2Fsearch-indicator-date.png?alt=media\&token=bfa9f3e6-d74a-4328-b859-6ce1f5cab933)
3. Click the magnifying glass icon to search.
   * The search will return hits of your searched value across all log types. You can investigate these events further by clicking on a tile, which will redirect you to the Data Explorer, or **View in Indicator Search**, which will redirect you to Indicator Search.\
     ![Results from an Indicator Search initiated by a magnifying glass click are shown. Arrows point to a results tile as well as the View in Indicator Search link.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FxNfp4JBqpNjfs76UWqbv%2FScreenshot%202023-03-02%20at%204.44.44%20PM.png?alt=media\&token=d666593d-7b1b-410e-88c6-96b58bf23dfd)

#### Pivoting on a regular field vs. its `p_any_` field

As log events from a certain source are ingested, the values of the fields marked as indicators in its schema will be extracted into the corresponding `p_any_` fields (as designated in the schema's [`indicators`](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/data-onboarding/custom-log-types/reference#indicators) field). The original log field and the appended associated `p_any_` field will then have the same value, visible in the event's JSON.

Take, for example, the below snippet of JSON from a log event associated with an alert. Notice how `access_device.hostname` and `p_any_domain_names` both have a value of `DESKTOP-OG33GT1`.

![A snippet of JSON from a log event is shown, with fields like access\_device (with sub fields like hostname and ip), application, auth\_device, and p\_any\_domain\_names](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FCgn0s2qnkwNlwdqA6yAR%2FScreenshot%202023-03-07%20at%205.52.34%20PM.png?alt=media\&token=cae1793c-2f64-485e-be57-4a25dc7f33bb)

Pivoting on the lower `p_any_domain_names` field (by hovering over it, clicking the magnifying glass, then clicking **View in Indicator Search**), will result in a pre-populated Indicator Search with `DESKTOP-OG33GT1` in the search bar and [**Auto Detect Type**](#auto-detect-type) selected in the Field dropdown. **Auto Detect Type** will determine that `DESKTOP-OG33GT1` is a domain name. Executing this search will scan the `p_any_domain_names` field of all logs, across sources, for `DESKTOP-OG33GT1`.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2F79dyJBiydPw3KW8dLz7m%2FScreenshot%202023-03-07%20at%205.58.11%20PM.png?alt=media&#x26;token=ae5da4f1-df78-4f9b-b56a-9c50f59e36c6" alt="Indicator Search&#x27;s input fields are shown. In the main search bar is DESKTOP-OG33GT1, and the Field dropdown has Auto Detect Type selected"><figcaption></figcaption></figure>

Alternatively, pivoting on the original field, `access_device.hostname` (by hovering over it, clicking the magnifying glass, then clicking **View in Indicator Search**), will result in an Indicator Search using [Simple Search](#simple-search). Executing this search will scan all logs containing an `access_device.hostname` field for `DESKTOP-OG33GT1`. Logs from other sources with fields that might contain hostname values, but that don't have the exact `access_device.hostname` syntax (say they, for example, use `device.hostname`), will not be searched for `DESKTOP-OG33GT1`, nor returned in the results set.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FXXgM8FOK0iMwZkVxaXFG%2FScreenshot%202023-03-07%20at%205.57.32%20PM.png?alt=media&#x26;token=b0444458-11c9-4ffc-80ae-004dbf28a0f3" alt="Indicator Search&#x27;s input fields are shown. In the main search bar is access_device.hostname = &#x27;DESKTOP-OG33GT1&#x27; and in the Field selector, Simple Search has been chosen"><figcaption></figcaption></figure>

The [Simple Search](#simple-search) for `DESKTOP-OG33GT1` is therefore limited in scope compared to the [Auto Detect Type](#auto-detect-type) search leveraging Panther's [Indicator Fields](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/panther-fields#indicator-fields). For this reason, it's recommended to pivot on `p_any_` fields, when possible.
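The following Python model, added here and not part of Panther's documentation or code, contrasts the two pivots above on constructed events: a simplified stand-in for each schema's `indicators` designation copies values into `p_any_` fields at ingest, a Simple Search matches only the exact field path, and a search on `p_any_domain_names` finds the same host across both sources. `INDICATORS`, `ingest`, the source names and the events are assumptions made for this example.

```python
import re

# Constructed events from two hypothetical log sources (not real Panther data):
# source A keeps the host under access_device.hostname, source B under device.hostname.
RAW_EVENTS = [
    {"p_log_type": "SourceA", "access_device": {"hostname": "DESKTOP-OG33GT1", "ip": "203.0.113.7"}},
    {"p_log_type": "SourceB", "device": {"hostname": "DESKTOP-OG33GT1"}},
    {"p_log_type": "SourceA", "access_device": {"hostname": "LAPTOP-ZZ99", "ip": "198.51.100.9"}},
]
# Simplified stand-in (an assumption, not Panther's schema format) for each schema's
# `indicators` designation: which field path feeds which p_any_ field.
INDICATORS = {
    "SourceA": {"access_device.hostname": "p_any_domain_names", "access_device.ip": "p_any_ip_addresses"},
    "SourceB": {"device.hostname": "p_any_domain_names"},
}
SIMPLE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*'([^']*)'\s*$")

def get_path(event, path):
    """Resolve a dotted path such as access_device.hostname; None if a hop is missing."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def ingest(event):
    """Model of ingest: copy each indicator value into its p_any_ field, keeping the original."""
    out = dict(event)
    for path, p_any in INDICATORS[event["p_log_type"]].items():
        value = get_path(event, path)
        if value is not None:
            out.setdefault(p_any, []).append(value)
    return out

def simple_search(events, query):
    """Simple Search: `<attribute path>='<attribute value>'`, matching only events
    that carry that exact path."""
    match = SIMPLE_RE.match(query)
    if not match:
        raise ValueError("expected <attribute path>='<attribute value>'")
    path, value = match.groups()
    return [e["p_log_type"] for e in events if get_path(e, path) == value]

def p_any_search(events, p_any_field, value):
    """Indicator Field search: match the standardized p_any_ field across sources."""
    return [e["p_log_type"] for e in events if value in e.get(p_any_field, [])]

EVENTS = [ingest(e) for e in RAW_EVENTS]
```

Running `simple_search(EVENTS, "access_device.hostname='DESKTOP-OG33GT1'")` returns only source A, while `p_any_search(EVENTS, "p_any_domain_names", "DESKTOP-OG33GT1")` returns both sources, which is the scope difference the section describes.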
