Investigations & Search
Using Panther's search tools to run queries and search your normalized log data
Panther's data analysis tools let you search the collected and normalized log data in your security data lake. You can search across logs without writing SQL using Search, or run deeper, more customized investigations using SQL in Data Explorer.
As data is ingested into Panther, it is parsed and normalized, then stored in Snowflake. This is necessary for conducting investigations on historical data, as well as for writing rules, identifying baseline behaviors, and generating analytics.
Your team has received an alert and it's time to investigate—but where should you start?
Search is a good place to start if you have limited SQL knowledge, as it allows you to construct a query without SQL syntax. After creating your search, you're able to copy the SQL command generated for analysis in Data Explorer or external applications.
Data Explorer is the best place to start if you're conducting a complex or highly customized search—for example, you'd like to join database tables or control which fields are returned by adding additional clauses.
In Search, you can construct a data query using filters instead of SQL syntax. You'll be prompted to choose from dropdown selector fields to indicate which table you'd like to examine—from there, you can add filters to narrow your search to only, say, results where field_xyz is some_specific_value.
Find out how to build your first search in the .
In Data Explorer, you can write and execute SQL queries (with autocompletion) to search across your data, including log data, rule matches, and Panther's . You can also save and schedule queries, create for reuse, retrieve JSON rows to use as unit test events, download results in a CSV, and share the query and results with your team using a unique URL.
You can use Data Explorer by navigating there directly, or by starting in Search, where you can copy your generated SQL, then take it to Data Explorer.
In addition to Search and Data Explorer, Panther offers other features that allow you to quickly and efficiently search your data. The sections below describe each of them.
Panther offers common use cases and example searches you may want to run while investigating suspicious activities in your logs:
For a list of databases that are available for analysis in Panther, see Data Lakes.
Get started with the .
Panther's log analysis applies normalization fields (IPs, domains, etc.) to all log records. These fields standardize attribute names across all data sources, enabling fast and easy correlation of events from different logs. For more information, see .
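As an added example (not from Panther's documentation), here is the kind of Data Explorer query that the normalization fields described above make possible: it pivots on a single source IP across two differently shaped log tables by filtering on the shared p_any_ip_addresses field instead of each log's own client-IP column. It assumes the AWS CloudTrail and Okta System Log sources are onboarded under the panther_logs.public schema; the IP address is a constructed placeholder.

```sql
-- Added example, not part of Panther's docs.
-- Pivot on one IP across two normalized log tables using the
-- p_any_ip_addresses indicator field that Panther adds to every record.
-- Assumes the aws_cloudtrail and okta_systemlog tables exist in your deployment.
-- '203.0.113.42' is a constructed placeholder from the documentation range.
WITH cloudtrail_hits AS (
    SELECT
        p_event_time                AS event_time,
        p_log_type                  AS log_type,
        eventName                   AS action,
        userIdentity:arn::string    AS actor
    FROM panther_logs.public.aws_cloudtrail
    -- Always bound the time range on p_event_time; it is the partitioning
    -- column, so this keeps the scan (and the cost) small.
    WHERE p_event_time >= DATEADD(hour, -24, CURRENT_TIMESTAMP())
      AND ARRAY_CONTAINS('203.0.113.42'::variant, p_any_ip_addresses)
),
okta_hits AS (
    SELECT
        p_event_time                AS event_time,
        p_log_type                  AS log_type,
        eventType                   AS action,
        actor:alternateId::string   AS actor
    FROM panther_logs.public.okta_systemlog
    WHERE p_event_time >= DATEADD(hour, -24, CURRENT_TIMESTAMP())
      AND ARRAY_CONTAINS('203.0.113.42'::variant, p_any_ip_addresses)
)
-- One timeline of everything that IP touched, regardless of log source.
SELECT event_time, log_type, action, actor FROM cloudtrail_hits
UNION ALL
SELECT event_time, log_type, action, actor FROM okta_hits
ORDER BY event_time;
```

The same pattern extends to any other onboarded table: add another CTE selecting the same four columns and union it in, since every Panther log table carries p_event_time, p_log_type and p_any_ip_addresses.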
Panther's Scheduled Searches are Saved Searches that have been configured to run on a schedule. They can be associated with Scheduled Rules, which lets you use the data returned from the search as event input to the rule, instead of streaming real-time data. As a Scheduled Search runs, if a corresponding Scheduled Rule returns any hits, one or more Alerts will be generated from the data and dispatched accordingly.
For more information, see .
The Search History page displays the last 30 days of searches run in the Panther Console. Clicking on the search name will direct you to Search or Data Explorer, where you can see the results and rerun the search. You can also cancel a running search. For more information, see .
Visit the Panther Knowledge Base to view articles that answer frequently asked questions and help you resolve common errors and issues.