Knowledge Base Community Release Notes Training Videos Request Demo

Search

Construct a data query without writing SQL

Overview

Search is in open beta starting with Panther version 1.85, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

In the Search tool in Panther, you can search across all of your data—including log events, rule matches, and more—without writing SQL. Use dropdown fields to create filter expressions, which contain your search logic, free search terms, or match patterns.

Filter expressions can be constructed in different ways: as key/value pairs, a free text search, or a regular expression search. Each of these can also use wildcard characters. You can combine different types of filter expressions in one search.

When a search is run, a results table is displayed below a histogram visualizing the distribution of result events over time. The results table is customizable—you can add or remove event fields as columns. Also from the results table, you can add inclusive/exclusive filters to your search, pivot, and look up related enrichment data. You can collaborate with your team by downloading the results table, or sharing a link to your specific search in Panther.

Search is only available to customers with a Snowflake data lake. It is not available to Panther instances with an Athena data lake.

Limitations of Search

The Search tool currently has the following limitations:

  • With multiple filter expressions, only AND logic is supported.

  • Grouping filter expressions is not supported.

How to use Search

You can effectively search your data using a combination of filters. Start by making selections in the database, table, and date range filters—then create your own filter expressions.

Using database, table, and date range filters

Use the database, table, and date range filters to narrow the scope of your search. Using these controls is optional, but can significantly improve search performance when searching over large data sets. Learn more about each of these filters below.

Database filter

Use the database filter to narrow your search to certain databases, such as only Logs or Rule Matches.

The default value of this filter is Logs. The options contained in the database filter are:

  • Rule Matches

  • Logs

  • Lookups

  • Monitor

  • Cloud Security

  • Rule Errors

Table filter

Use the table filter to narrow your search to certain tables, within the databases indicated by the database filter.

The default value of this filter is All tables, which includes all tables for each included database. You can narrow the search by selecting only certain tables in this dropdown.

Date range filter

Use the date range filter to narrow your search to a certain period of time.

The default value of this filter is Last 24 hours. You can use the date range picker to set a custom date and time range, or select one of the preset relative options on the left-hand side.

Creating filter expressions

A filter expression is a clause containing your key/value search logic, free search terms, or match patterns. To create filter expressions, click the Add query filter bar or use the command + / keyboard shortcut.

Key/value filter expression

With a key/value filter expression, you will select an event key and provide a value (if necessary).

To create a key/value filter expression:

  1. Click the Add query filter bar, or press command+/.

  2. Select an event key from the dropdown list. The dropdown menu contains options grouped into the following categories:

    • All remaining tables with a matching field(s) are displayed in alphabetical order.

  3. Select an operator (also known as a condition) from the dropdown menu.

    • The dropdown options will be limited to those applicable to the selected field's data type.

    • See a full list of available operators on Search Filter Operators.

  4. Enter a value, if the selected operator requires one.

  5. If you would like to create another filter expression, click outside the expression you just created (but within the search bar), or press TAB.

    • If you are ready to execute your search, click Search or press ENTER.

Free text filter expression

In a free text filter expression, you will enter a string.

Free text filter expressions search every field in every event (within the database, table, and date constraints), including fields nested in complex objects.

To increase search performance, select a subset of tables to search.

To create a free text filter expression:

  1. Click the Add query filter bar, or press command+/.

  2. Enter the text value.

  3. If you would like to create another filter expression, click outside the expression you just created (but within the search bar), or press TAB.

    • If you are ready to execute your search, click Search or press ENTER.

Regular expression (regex) filter expression

Using regex in Search can be powerful for dynamic text-based searches across logs. Learn more about the re2 syntax for regular expressions here.

To create a regex filter expression:

  1. Click the Add query filter bar, or press command+/.

  2. Press command+/ to enter into regex mode.

    • To exit regex mode, you can press command+/ again.

  3. Enter the regular expression you wish to search, e.g., .*aws:.*admin.*.

  4. If you would like to create another filter expression, click outside the expression you just created (but within the search bar), or press TAB.

    • If you are ready to execute your search, click Search or press ENTER.

Using wildcards in filter expressions

The wildcard character (*) may be used as a placeholder at the beginning, middle, or end of a string or expression. The wildcard character may be used within a key/value filter expression (only where the key has type: string and the operator is LIKE), free text filter expression, or regex filter expression.

Where the wildcard character is positioned affects which data is returned as a match:

  • Beginning: Any character(s) at or preceding the * are considered a match.

  • Middle: Any character(s) at the * are considered a match.

  • End: Any character(s) at or following the * are considered a match.

Creating a Saved Search

Creating a Saved Search means you can quickly reuse commonly run searches. Learn more on Saved and Scheduled Searches.

To create a Saved Search:

  1. Create a search by following the instructions in How to use Search.

  2. Under the Add query filter box, click Save As.

  3. Enter values for the fields in the popup modal:

    • Query Name: Add a descriptive name.

    • Tags (optional): Add tags. Tags can be helpful to group related searches.

    • Description (optional): Describe the purpose of the search.

  4. Click Save Search.

    • See the next section to learn how to open and reuse Saved Searches.

Open and reuse a Saved Search in the Search tool

After creating a Saved Search in the Search tool, you can view and reuse it. It can be opened from the Search page, or from the Saved Searches page.

Open a Saved Search from the Search page:

  1. In the left-hand navigation bar of your Panther Console, click Investigate > Search.

  2. In the upper right corner, click the three dots icon, then Open Saved Search.

    • An Open a Search modal will pop up, displaying previously saved search.

  3. Find the search you'd like to open, select it, then click Open Search.

    • The Saved Search will populate in Search.

Working with Search results

Search results histogram

The results histogram displays the distribution of events within the search's date and time window, to help immediately contextualize results. To zoom in or out of a particular segment of time, click and drag the ends of the bar beneath the histogram.

Interacting with the histogram

To see additional data insights into the counts by log type for any of the time periods, hover over a bar within the chart.

To create a new search (in a new browser tab) with a time period set to that of one of the histogram bars, click the bar.

Adding, removing, and reordering fields in the results table

You can customize a search's results table by adding, removing, and reordering columns.

How to add a column in the Search results table

You can add a column to the Search results table using the Available Fields list on the left-hand side of the table, or from the JSON event view.

It is only possible to add nested fields to the table from the JSON event view.

Add a column to the Search results table from the Available Fields list

  1. In the field list on the left-hand side of the results table, within the Available Fields header, locate the column you'd like to add to the results table.

    • Only top-level fields are shown in this list. If you'd like to add a nested field to the table, you can do so from the JSON event view.

  2. To the right of the field, click + (the plus symbol).

    • The field will be added as a column in the results table, and listed on the left-hand side of the table within Selected Fields.

How to remove a column in the Search results table

You can remove a column from the Search results table using the Selected Fields list on the left-hand side of the table, from the JSON event view, or from the table header row.

Remove a column from the Search results table from the Selected Fields list

  1. In the field list on the left-hand side of the results table, within the Selected Fields header, locate the field you'd like to remove from the results table.

  2. To the right of the field, click - (the minus symbol).

    • The field's column will be removed from the results table, and listed on the left-hand side of the table within Available Fields.

How to reorder columns in the Search results table

  • Reorder the columns in the results table by clicking on a column header and dragging it to the desired position.

Iterating on a Search

Interact with the search results table or JSON event view to include, exclude, or pivot on a field within your filter expression.

How to create an inclusive or exclusive filter expression from a result event

The same ability to create include or exclude filters is available from within the JSON event view, when hovering over a field.

  1. In the results table, hover over the value you'd like to create an inclusive or exclusive filter expression for.

    • To create an inclusive filter, click + (the plus symbol).

    • To create an exclusive filter, click - (the minus symbol).

  2. View the new filter expression in the search bar at the top of the window.

  3. To refresh the search results, click Search.

How to replace values in filter expressions with a result event value

  1. In the results table, locate the event row of interest, and click it.

    • The JSON event slide-out panel will be shown.

  2. In the JSON event slide-out panel, hover over the field on which you'd like to pivot.

    • All existing filters are replaced with a filter expression representing only the key/value you pivoted on.

  4. To refresh the search results, click Search.

Sharing a Search

While investigating or threat hunting, it may be useful to share a Search or a results set with your team. To do this:

  1. In the upper-right corner of the results table, click Share:

  2. Select one of the menu options:

    • Copy link to view: Copies a URL to this specific Search to your clipboard.

    • Download CSV: Downloads a CSV of the results table.

PreviousInvestigations & SearchNextSearch Filter Operators

Last updated

Change request #1924: [don't merge until ~Oct] Notion Logs (Beta)