Simplifying Search with Query Builder

TL;DR:

Searching security data is a key function of a SIEM. With the introduction of Query Builder, security teams can access their data quickly and effectively, regardless of their technical skill set.

Search is Central to SIEM Functionality

A foundational function of a Security Information and Event Management tool is to centralize and store security-relevant information. Once said information is housed in a single place, a variety of security analytics use cases are unlocked. 

However, when placing data into storage somewhere, a key requirement is effectively finding it again. No one wants to meander the digital version of the halls at the end of Indiana Jones.

To illustrate some underlying use cases for searching data in a SIEM, here are some examples:

  • Onboarding New Data: Search logs to confirm the correct parsing of fields.
  • Creation of Detections: Search logs or past alerts for behavioral patterns.
  • Pivoting from Alerts: Triage alerts to understand if this is an incident.
  • Full-Blown Investigation: Create an exhaustive record of all past actions taken by a set of users within the timeframe of the incident. 

It’s easy to see that querying logs is a key component in a large swath of security team responsibilities – from initial data ingestion through investigation and response.

Given the wide variety of jobs to be done by querying logs, it also makes sense that every role on a security team gets their hands dirty searching the data. In some cases, a task may be done by a senior security engineer, but in others, a job might be done by a junior analyst. In order to perform their basic responsibilities, all security team members need to be able to construct queries quickly and effectively.

The Power of SQL

Panther has traditionally supported search via our Indicator Search or Data Explorer features. Data Explorer is particularly popular with technical users as it enables robust SQL queries of the underlying security data lake.

SQL is powerful for a few reasons. To start, it’s a well-documented language that generalizes outside of security to many other querying use cases. Secondarily, it also enables highly granular queries that can get at the nuance of specific targets in detection logic or during investigations. The Panther documentation includes some examples of basic SQL queries, but also more advanced SQL queries associated with detecting complex behaviors. When reviewing large and complex data sets, SQL is incredibly useful.

Introducing: The Query Builder

However, not all security team members are familiar with SQL, and even if they are, sometimes remembering the correct syntax can slow down even cursory searches. Therefore, in order to expand the search capabilities in Panther and make it easier for anyone to perform queries, we’re announcing our new Query Builder.

The Query Builder is a feature that enables and unblocks. An easy analogy would be automatic transmission in a car. There are still folks that prefer the power and nuance of manual – but by providing automatic transmission, more people can have a great experience behind the wheel.

[Screenshot: the Query Builder with a date range set, the panther_audit table selected, and a filter on the actor.id field] Fill in the form to build a query of security data

The Query Builder enables users to select a time range, pick a relevant database and table, and filter the data further by a particular field. The results appear in the same way they would if a user queried the data with SQL. 

The Query Builder accomplishes two key functions. First, it accelerates searching data for technical folks who don’t want to type out or remember the syntax for common queries. Sure, there will be cases when a SQL query is going to be the best bet for getting nuanced results. But, there will also be cases when searching via a couple of clicks makes more sense. 

Second, it also opens up the search experience to security professionals unfamiliar with SQL – enabling them to answer key questions about data quality or alert context via the intuitive form builder.

[Screenshot: results returned in 983ms as a table of JSON rows] Consistent search results experience across Panther

In addition to the search functionality, a powerful component of the Query Builder is the “Copy as SQL” button. This feature enables a translation between the Query Builder’s form logic directly to the associated SQL query. The Copy as SQL button is valuable for two key reasons. For one, by using the Query Builder but then copying SQL over to the Data Explorer, a technical user can easily add to or customize a query built with a click or two.

[Screenshot: the previous query shown as SQL] Easily translate Query Builder searches into SQL

Additionally, for security team members looking to learn SQL on the job – and perhaps advance to a more technical role – this button provides nice support. They can now not only build queries, but also copy them over to the Data Explorer to see just how the logic they’ve implemented is expressed in SQL. Just like a traveler looking to learn the language in a new country, having a handy pocket dictionary helps bridge the communication gap. Hopefully, the Query Builder will help teams uplevel their skills – giving them the ability to use the power of SQL when it makes sense.
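As an added illustration, not Panther's own implementation (the post does not show the SQL it generates or the dialect it targets), here is a small Python sketch of how a form with a time range, a table and a field filter can be translated into SQL the way Copy as SQL does. The database name, the field list and the Snowflake-style `actor:id` path syntax are assumptions; only panther_audit and actor.id come from the screenshot.

```python
import re
from datetime import datetime, timezone

# Constructed allowlist standing in for the database/table/field choices the
# form presents. panther_audit and actor.id appear in the screenshot; the
# database name, the other fields and the Snowflake-style JSON path syntax
# used in render_field are assumptions for this example.
TABLES = {
    "panther_logs.public.panther_audit": {"actor.id", "actor.name", "p_event_time"},
}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def render_field(field: str) -> str:
    """Turn a dotted field path such as actor.id into a column expression.
    Every path segment is validated as a plain identifier before it is
    interpolated, so the field part of the form cannot smuggle SQL text."""
    parts = field.split(".")
    if not all(IDENT.match(p) for p in parts):
        raise ValueError(f"invalid field: {field}")
    head, *rest = parts
    return head if not rest else f"{head}:{':'.join(rest)}"


def build_query(table, start, end, field=None, value=None, limit=100):
    """Translate the form's choices into SQL text plus bind parameters.
    Identifiers (table, field) are checked against the allowlist; values
    typed by the user (times, filter value, row limit) go into bind
    parameters instead of being spliced into the SQL string."""
    if table not in TABLES:
        raise ValueError(f"unknown table: {table}")
    if not (isinstance(start, datetime) and isinstance(end, datetime)) or end <= start:
        raise ValueError("time range must be two datetimes with end after start")
    where = ["p_event_time BETWEEN %(start)s AND %(end)s"]
    params = {"start": start, "end": end, "limit": int(limit)}
    if field is not None:
        if field not in TABLES[table]:
            raise ValueError(f"field {field} is not a column of {table}")
        where.append(f"{render_field(field)} = %(value)s")
        params["value"] = value
    sql = (f"SELECT * FROM {table}\nWHERE " + "\n  AND ".join(where)
           + "\nORDER BY p_event_time DESC\nLIMIT %(limit)s")
    return sql, params


def example_query():
    """The form from the screenshot, with a constructed time range and value."""
    start = datetime(2023, 1, 1, tzinfo=timezone.utc)
    end = datetime(2023, 1, 2, tzinfo=timezone.utc)
    return build_query("panther_logs.public.panther_audit", start, end,
                       field="actor.id", value="user-1234")


if __name__ == "__main__":
    text, binds = example_query()
    print(text, binds, sep="\n")
```

The returned text is what a Copy as SQL button would hand to Data Explorer; the bind parameters are what the database driver substitutes at execution time.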

Conclusion: The Power of SQL, Made Simple

Seamlessly searching security data is a key requirement for all security teams. With the release of the Query Builder, Panther is committing to making search easy for teams of all technical abilities. Moreover, we’re looking to connect the search experiences in a way that facilitates on-the-job exploration of a powerful language like SQL.

For the SQL savvy, we hope Query Builder accelerates some of your searches. For the uninitiated, we hope the Query Builder provides a stepping stone to learning a valuable new skill.  If you’d like to search some data with Query Builder – you can request a demo.
