Query Builder
Search normalized Panther data with minimal or no SQL
In Query Builder, you can construct a data lake query using no-code filters. This allows you to search and investigate your Panther data without extensive SQL knowledge, making it an alternative to for running queries. You can also for easy reuse.
With Query Builder, you can save time previously spent on writing SQL commands, and expand who on your team can use Panther. If you want to understand how the filters you've used to construct a query in Query Builder translate to raw SQL, Query Builder shows you the resulting SQL command—which you can then run in , if you'd like.
The Query Builder is only available to customers with a data lake. It is not available to Panther instances with an data lake.
When building a search with Query Builder, consider the following:
You can only search one table at a time. If you need to search across multiple tables, we recommend using or instead.
When adding multiple filters, the operational logic is AND. OR filters are not currently supported.
Log in to your Panther Console.
In the left sidebar, click Investigate > Query Builder.
Use the available filters to build a query:
Date and time range
Database and Table
Filter conditions
To add filter conditions, click Add New on the right side of the Filters tile.
JSON Object paths:
To filter by JSON object paths instead of fields, click Enter Nested JSON Object Path and type or copy the path you want to filter.
Nested JSON Object filters are not data type specific. Pick the operator from the data type that matches the values in the object.
To revert to a field selection, click Use Field List.
After adding a date, database, table, and filters, use the Limit results to drop-down to limit how many records are returned when the search is executed. Limiting the query returns results faster.
Panther limits the size of results to 50 by default.
After you have defined the parameters of your query, click Search to execute.
While a query is executing, you can click Cancel to cancel the search and start over.
At the bottom of the query, click Copy as SQL.
Paste the command into Data Explorer or other applications to analyze further.
Under the filters, click Save As.
A Save Query modal will pop up. Fill in the following fields:
Query Name: Add a descriptive name.
Tags (optional): Add tags to help you group related queries.
Description (optional): Describe the purpose of the query.
Click Save Query.
After creating a Saved Query in Query Builder, you can view and reuse the query. It can be opened from the Query Builder page, or from the Saved Queries page.
Log in to your Panther Console.
In the left sidebar, click Investigate > Query Builder.
In the upper right corner, click Open.
An Open a Query modal will pop up, displaying previously saved queries.
Find the query you'd like to open, select it, then click Open Query.
The Saved Query will populate in Query Builder.
You will now be on the Query Builder page, with the Saved Query populated.
Make your desired changes to the query.
Under the filters, click Update.
An Update Query modal will pop up.
Modify Query Name, Tags, or Description, if desired.
In the Update Query modal, click Update Query.
In addition to displaying query results in a table, Query Builder renders results in a histogram, as a function of time. This visualization may be useful in identifying spikes in activity, gaining insight into trends, and iteratively honing searches.
During an investigation, often particular IP addresses are identified as being of interest (e.g., a known command and control node). Once the role of an IP address is identified, isolating and explaining that activity helps indicate which resources are likely to be compromised.
Select a date range.
Select the database and table (aws_vpcflow).
Add a filter to search data relating to a specific IP address.
Field: p_any_ip_addresses
Operator: has
Value: Enter the IP address.
The root account should seldom sign into the AWS console; find all such sign-ins using Query Builder.
Select a date range.
Select the database and table (aws_cloudtrail).
Add filters to search event types and user ARN relating to root sign-ins.
Filter 1:
Field: eventType
Operator: is
Value: AwsConsoleSignin
Filter 2:
Field: useridentity.arn
Operator: like
Value: root
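As an added example (not code from the Panther documentation), the small helper below shows how the two filter sets above, and the per-bucket counts behind a results histogram, could be expressed as SQL while enforcing the rules this page states (one table, AND-only logic). The operator-to-SQL mapping, the use of p_event_time as the time column, and the ':' notation for nested JSON object paths are assumptions, not Query Builder's actual output.

```python
"""Illustrative Query Builder filters -> SQL (assumed mapping, not Panther's own)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Filter:
    field: str      # column name, or a nested JSON object path such as "useridentity.arn"
    operator: str   # "is", "like" or "has" (subset of the operators in the UI)
    value: str


def _render(f: Filter) -> str:
    """Render one filter condition. Operator mapping is an assumption for this example."""
    v = f.value.replace("'", "''")          # escape single quotes inside the literal
    col = f.field.replace(".", ":")         # assumed: nested paths use Snowflake ':' notation
    if f.operator == "is":
        return f"{col} = '{v}'"
    if f.operator == "like":                # substring match, e.g. any ARN containing "root"
        return f"{col} LIKE '%{v}%'"
    if f.operator == "has":                 # array-valued field such as p_any_ip_addresses
        return f"ARRAY_CONTAINS('{v}'::variant, {col})"
    raise ValueError(f"unsupported operator: {f.operator}")


def build_query(database: str, table: str, start: str, end: str,
                filters: List[Filter], limit: int = 50, logic: str = "AND") -> str:
    """Single table, filters joined with AND only, default limit of 50 (as on this page)."""
    if logic != "AND":
        raise ValueError("Query Builder joins filters with AND only; OR is not supported")
    where = [f"p_event_time BETWEEN '{start}' AND '{end}'"] + [_render(f) for f in filters]
    return f"SELECT * FROM {database}.{table}\nWHERE " + "\n  AND ".join(where) + f"\nLIMIT {limit}"


def histogram_query(base_query: str, bucket: str = "hour") -> str:
    """Per-bucket event counts over the same filters: the shape behind a results histogram."""
    inner = base_query.rsplit("LIMIT", 1)[0].rstrip()   # drop the row limit before aggregating
    return (f"SELECT DATE_TRUNC('{bucket}', p_event_time) AS bucket, COUNT(*) AS events\n"
            f"FROM ({inner}) AS q\nGROUP BY 1 ORDER BY 1")


# The two worked examples from this page; the date range is a constructed sample.
START, END = "2024-01-01 00:00:00", "2024-01-02 00:00:00"

def vpc_flow_ip_query(ip: str) -> str:
    return build_query("panther_logs.public", "aws_vpcflow", START, END,
                       [Filter("p_any_ip_addresses", "has", ip)])

def root_signin_query() -> str:
    return build_query("panther_logs.public", "aws_cloudtrail", START, END,
                       [Filter("eventType", "is", "AwsConsoleSignin"),
                        Filter("useridentity.arn", "like", "root")])
```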
By default, the time range is set to the last 24 hours.
Select your data source using these drop-down menus. By default, Database is set to panther_logs.public
, which includes all log data stored in the Panther data lake. You can type in the field to search values.
Multiple filters are joined by an AND clause. Query Builder does not support OR conditions.
You can filter fields using a variety of operators for each data type. For a complete list of operators and functions, refer to .
The Limit results to field at the bottom of Query Builder is visible only if you are not opted in to the . Performance improvements bundled with that feature make limiting search results no longer necessary.
Optionally, you can copy the resulting SQL from your query, for further analysis in or any other external application.
This will copy the SQL command to your clipboard. You can then paste the query into or any other external application for further analysis.
Saving the queries you create in Query Builder means you won't have to rebuild them each time you want to run them. Currently, Saved Queries created in Query Builder cannot be scheduled. Learn more about Saved Queries on .
Note that the instructions to delete a Saved Query are outlined on .
Follow the steps in to build a query.
Open a Saved Query by following the instructions in .
When executing a search with Query Builder, results will be displayed in a and a (currently in closed beta).
Query Builder and share a common results table and all the associated functionality.
You can filter Query Builder results by following the instructions in the under "Filter Data Explorer results."
You can summarize Query Builder results by following the instructions in the under "Summarize Column Data."
The Query Builder results histogram is only available to customers with a data lake. It is not available to Panther instances with an data lake.
The Query Builder histogram mirrors the one available within Indicator Search—see the to learn how to filter results by interacting with the graph.