Indicator Search
Use Indicator Search in Panther to run investigations on common indicators across data sources
Indicator Search lets you quickly search across your ingested data for common indicators, without writing SQL.
You can also use Indicator Search's Simple Search functionality to search for any field key/value pair across all your log sources. With Simple Search, only matches from log sources containing the exact field name searched are returned.
Access to the Indicator Search can be limited through the system.
In the left-hand navigation bar of your Panther Console, click Investigate > Indicator Search.
In the Filter dropdown, choose the set of data you'd like to search over:
All Data
Specific Data (Faster)
Copy and paste indicator(s) into the search field.
The search will find all connected events associated with the indicators in the specified time range.
You can mix types of indicators (e.g., IP addresses, domain names, ARNs, file hashes). If you enter multiple indicators or indicator types, the search executes with an OR condition, for example, indicator 1 OR indicator 2.
If you chose the Specific Data (Faster) option in the Filter dropdown, enter values for the following fields:
Search Specific Databases (optional): Select one or more databases your search will be limited to.
Search Specific Tables (optional): Select one or more tables your search will be limited to.
Select a time range.
A timeline histogram shows the concentration of events over the specified time interval.
You can drill down into specific events by pivoting into the Data Explorer with prebuilt SQL queries. Find additional indicators in the Data Explorer and perform another search to gain additional context about the attack.
Continue to pivot through your data to map the entire attacker footprint.
The Indicator Search includes a Field selector, where you can choose the log field containing the indicator you're searching for.
Auto Detect Type is the default value for the Field selector. If Auto Detect Type is used, the structure of the indicators entered is analyzed for type identification (to decipher that they are, for example, IP addresses or AWS ARNs), and the corresponding p_any_ field is searched. If the indicators do not have a structure that makes their type identifiable (e.g., usernames), then all fields that could match are searched.
If you are searching for indicators that span multiple field types (say for a domain name and an ARN), Auto Detect Type must be used.
Fields you might search with Simple Search, however, have not been mapped to corresponding fields (with different syntax) in different log sources, meaning only matches from log sources containing the exact field name searched are returned. For example, if one of your log sources (log source A) has a field named best_skateboarders and another log source (log source B) has a field named best_skateboarders_ever, and you search best_skateboarders='Tony Hawk', only log source A's events are searched for instances of Tony Hawk.
Take the following Data Explorer results, from which a quick Indicator Search was run:
Selecting View in Indicator Search brings you to Indicator Search, where you will see the following inputs:
A typical workflow looks like the following:
Execute a search.
In the results section, hover over the histogram bars to see the count of events for a specific period.
If you'd like to explore your Indicator Search results further, transfer the query to Data Explorer by clicking the share icon in any of the "Total Hits" tiles below the histogram chart, or scroll down below the histogram chart and click Open in Data Explorer.
To access Indicator Search from the event JSON on an alert details page or in Data Explorer results:
Choose a Field to search. Learn more about the Field selector options above.
Click the magnifying glass icon to search.
p_any_ field
Take, for example, the below snippet of JSON from a log event associated with an alert. Notice how access_device.hostname and p_any_domain_names both have a value of DESKTOP-OG33GT1.
Another Field option is Simple Search. Simple Search lets you search for any field name and value pair (beyond the standardized p_any_ fields), across all logs. When using Simple Search, the format of the search input must be <attribute path>='<attribute value>'. All logs with <attribute path> are searched for <attribute value>.
A Simple Search is created when you pivot on a non-p_any_ JSON event field, as shown in the example below. To learn more about which log field to pivot from, see the example below.
You can use the Indicator Search timeline histogram to switch from a general view of the results to a more specific one. This makes it easy to shift instantly from an overview of events to a detailed, granular view within the same dataset. This same histogram is available when viewing results elsewhere in the Console.
Click a histogram bar to search for events over that specific time period.
After clicking on the histogram bar, a new tab will open containing detailed results for the time period you selected. You can continue clicking on histogram bars in each new tab to drill down further.
The page will open with a pre-populated SQL query.
Indicator Search can also be accessed from the Events tab of an alert details page, or from Data Explorer results. This makes it easy to quickly pivot off a value in an event. Note that pivoting off a p_any_ field leverages the standardized p_any_ fields across all log sources, while pivoting off a non-p_any_ field creates a Simple Search.
Hover over any field value in the JSON and click the search icon that appears:
Select the date range you would like to search against:
The search will return hits of your searched value across all log types. You can investigate these events further by clicking on a tile, which will redirect you to the Data Explorer, or View in Indicator Search, which will redirect you to Indicator Search.
As log events from a given source are ingested, the values of the fields marked as indicators in its schema are extracted into the corresponding p_any_ fields (as designated by the schema's indicators field). The original log field and the appended p_any_ field then hold the same value, both visible in the event's JSON.
Pivoting on the lower p_any_domain_names field (by hovering over it, clicking the magnifying glass, then clicking View in Indicator Search) results in a pre-populated Indicator Search with DESKTOP-OG33GT1 in the search bar and Auto Detect Type selected in the Field dropdown. Auto Detect Type determines that DESKTOP-OG33GT1 is a domain name. Executing this search scans the p_any_domain_names field of all logs, across sources, for DESKTOP-OG33GT1.
Alternatively, pivoting on the original field, access_device.hostname (by hovering over it, clicking the magnifying glass, then clicking View in Indicator Search), results in an Indicator Search using Simple Search. Executing this search scans all logs containing an access_device.hostname field for DESKTOP-OG33GT1. Logs from other sources with fields that might contain hostname values, but that do not use the exact access_device.hostname path (for example, device.hostname), are not searched for DESKTOP-OG33GT1, nor returned in the result set.
The Simple Search for DESKTOP-OG33GT1 is therefore narrower in scope than the search leveraging Panther's standardized p_any_ fields. For this reason, it is recommended to pivot on p_any_ fields when possible.
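The difference between the two pivots above, and the OR semantics and Auto Detect Type behaviour described earlier, can be made concrete with a small model of the search logic. The following is an added example, not Panther's own code, and it does not reproduce the exact classifier Panther uses: the events are constructed, the Auto Detect Type heuristic is an assumed simplification (an IP, ARN, or hex hash is recognised by structure; a token with a dot or hyphen is treated as a hostname; a plain word such as a username is left untyped and matched against every field), and the function names are hypothetical. It shows why an Auto Detect Type search on p_any_domain_names finds the hostname in both the Duo and Okta events while a Simple Search on access_device.hostname only finds the Duo event.

```python
import ipaddress
import re
from typing import Any, Iterable, List, Optional

# Constructed sample events (not real Panther data). Each event carries its
# original log fields plus the p_any_ field(s) that the schema's "indicators"
# setting would append at ingest, holding the same values as the source field.
EVENTS = [
    {"p_log_type": "Duo.Authentication",
     "access_device": {"hostname": "DESKTOP-OG33GT1"},
     "p_any_domain_names": ["DESKTOP-OG33GT1"]},
    {"p_log_type": "Okta.SystemLog",
     "device": {"hostname": "DESKTOP-OG33GT1"},
     "p_any_domain_names": ["DESKTOP-OG33GT1"]},
    {"p_log_type": "AWS.CloudTrail",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice",
                      "userName": "alice"},
     "p_any_ip_addresses": ["203.0.113.7"],
     "p_any_aws_arns": ["arn:aws:iam::123456789012:user/alice"]},
    {"p_log_type": "Duo.Authentication",
     "access_device": {"hostname": "LAPTOP-22"},
     "p_any_domain_names": ["LAPTOP-22"]},
]

# Assumed, simplified structural classifiers standing in for Auto Detect Type.
ARN_RE = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]*:[a-z0-9-]*:\d*:.+$")
HASH_FIELDS = {32: "p_any_md5_hashes", 40: "p_any_sha1_hashes", 64: "p_any_sha256_hashes"}
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9-]+)*$")


def detect_type(indicator: str) -> Optional[str]:
    """Map an indicator to the p_any_ field Auto Detect Type would search.

    Returns None when the value has no identifiable structure (e.g. a bare
    username); that is the case where every candidate field gets searched.
    """
    try:
        ipaddress.ip_address(indicator)
        return "p_any_ip_addresses"
    except ValueError:
        pass
    if ARN_RE.match(indicator):
        return "p_any_aws_arns"
    if re.fullmatch(r"[0-9a-fA-F]+", indicator) and len(indicator) in HASH_FIELDS:
        return HASH_FIELDS[len(indicator)]
    # Assumption: a dot or hyphen marks a hostname/domain; "alice" stays untyped.
    if HOSTNAME_RE.match(indicator) and ("." in indicator or "-" in indicator):
        return "p_any_domain_names"
    return None


def get_path(event: dict, path: str) -> Any:
    """Resolve a dotted attribute path such as access_device.hostname."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def flatten_values(node: Any) -> Iterable[Any]:
    """Yield every scalar value in a nested event, for untyped indicators."""
    if isinstance(node, dict):
        for value in node.values():
            yield from flatten_values(value)
    elif isinstance(node, list):
        for value in node:
            yield from flatten_values(value)
    else:
        yield node


def indicator_search(events: List[dict], indicators: List[str]) -> List[dict]:
    """Auto Detect Type search: indicators are combined with OR."""
    hits = []
    for event in events:
        for indicator in indicators:
            field = detect_type(indicator)
            if field is not None:
                matched = indicator in event.get(field, [])
            else:
                matched = any(value == indicator for value in flatten_values(event))
            if matched:
                hits.append(event)
                break
    return hits


SIMPLE_RE = re.compile(r"^([A-Za-z0-9_.]+)='(.*)'$")


def simple_search(events: List[dict], expression: str) -> List[dict]:
    """Simple Search: <attribute path>='<attribute value>', exact path only."""
    match = SIMPLE_RE.match(expression)
    if not match:
        raise ValueError("expected <attribute path>='<attribute value>'")
    path, value = match.group(1), match.group(2)
    return [event for event in events if get_path(event, path) == value]


def log_types(hits: List[dict]) -> List[str]:
    """Sorted, de-duplicated p_log_type values of a result set."""
    return sorted({event["p_log_type"] for event in hits})


if __name__ == "__main__":
    print("p_any_ pivot:", log_types(indicator_search(EVENTS, ["DESKTOP-OG33GT1"])))
    print("Simple Search:", log_types(simple_search(EVENTS, "access_device.hostname='DESKTOP-OG33GT1'")))
```

Running the module prints the two log types for the p_any_ pivot and only Duo.Authentication for the Simple Search; the Okta event is never inspected by the Simple Search because its hostname lives under device.hostname, not access_device.hostname.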