Find Patterns Quickly with Indicator Search Drill Down

Panther Labs

Sep 30, 2021

3 min read

TL;DR

When a security breach occurs with potentially major consequences, one of the best things that can be done is to split the problem into several smaller pieces until the root causes are known. You can't see fine-grained patterns when looking at an aggregation of a week's worth of events. You need a mechanism to zoom in to smaller time increments until you can see emerging patterns in datasets. This is where techniques like the Indicator Search drill down shine.

About the Indicator Search Drill Down

Before we jump into the new features, let’s take a step back to briefly cover what the Indicator Search is and how it helps with investigations.

Our Indicator Search feature makes it easy to perform lightning-fast searches across all collected logs for IOCs such as IP addresses, domains, hashes, and more. With the Indicator Search, you can quickly baseline behaviors, correlate suspicious activity across systems, and kickstart security investigations against terabytes of normalized log data. You can learn more about this feature here.

Whenever an investigation is performed using the Indicator Search, your data is grouped by time intervals and presented in a histogram showing the concentration of events over the specified time interval. The time interval or granularity used to bucket the events across the time dimension depends on the date range selected when the search was initiated. Based on the search criteria, time granularity can vary from weeks, days, hours, down to minutes—the more you narrow down the date range, the better the resolution you’ll get.

Some examples:

  • Search more than a month → weekly resolution

  • Search anywhere between a day and a month → daily resolution

  • Search for a time period of up to a day → hourly resolution

How Indicator Search Drill Down Works

With the Indicator Search Drill Down, you can now dive deeper into the aggregated data in your visualizations to instantly shift from a top-level view to a more detailed and granular view within the Indicator Search results. We’re excited to deliver this new capability to make incident investigations easier and faster for our customers.

Now that you’re familiar with the Indicator Search algorithm and how it groups data under the hood, let’s see how you can leverage the panning & drill down features to walk through different levels of granularity until you get enough context about a security breach.

  1. Start your investigation with the attacker's IP address

  2. Search for all associated events in the last month

  3. Scroll through the events until you find an intriguing hit

  4. Analyze the histogram to clearly understand when the breach occurred

  5. Drill down on any date to get a more detailed view of the results

  6. Continue to pan & drill down until you have enough context about the attack
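To make the resolution rules above and the drill-down walkthrough concrete, here is an added Python example (not Panther's own code; the product's internals are not on this page). It picks a histogram resolution from the searched window, buckets a constructed list of (timestamp, source IP) events for one indicator, and re-runs the search over the busiest bucket until minute resolution is reached. The threshold at which hourly gives way to minute resolution is an assumption, since the post only says resolution goes down to minutes.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
def pick_resolution(start, end):
    """Bucket width from the searched date range, per the post's rules. The
    sub-hour -> minute step is an assumption: the post gives no threshold."""
    span = end - start
    if span > timedelta(days=31):
        return timedelta(weeks=1)
    if span > timedelta(days=1):
        return timedelta(days=1)
    if span > timedelta(hours=1):
        return timedelta(hours=1)
    return timedelta(minutes=1)

def bucket_start(ts, step):
    # Buckets aligned to the Unix epoch (so weekly buckets start on Thursdays).
    return EPOCH + ((ts - EPOCH) // step) * step

def histogram(events, indicator, start, end):
    """Count events whose source IP equals `indicator`, per bucket in [start, end)."""
    step = pick_resolution(start, end)
    counts = Counter(bucket_start(ts, step) for ts, ip in events
                     if ip == indicator and start <= ts < end)
    return step, dict(sorted(counts.items()))

def drill_down(events, indicator, bucket, step):
    """Re-run the search over a single bucket, so the next finer resolution applies."""
    return histogram(events, indicator, bucket, bucket + step)

def investigate(events, indicator, start, end):
    """Month -> day -> hour -> minute: keep drilling into the busiest bucket."""
    levels = [histogram(events, indicator, start, end)]
    while levels[-1][1] and levels[-1][0] > timedelta(minutes=1):
        step, hist = levels[-1]
        levels.append(drill_down(events, indicator, max(hist, key=hist.get), step))
    return levels

# Constructed sample data: a benign host seen once a day all month, plus a burst
# from the indicator IP (a TEST-NET-3 address) on 15 Sept between 03:00 and 03:45 UTC.
T0 = datetime(2021, 9, 1, tzinfo=timezone.utc)
SEARCH_END = T0 + timedelta(days=30)   # "last month" search window
BENIGN_IP, ATTACKER_IP = "198.51.100.5", "203.0.113.7"
EVENTS = [(T0 + timedelta(days=d, hours=12), BENIGN_IP) for d in range(30)]
EVENTS += [(T0 + timedelta(days=14, hours=3, minutes=m), ATTACKER_IP)
           for m in range(0, 50, 5)]

for step, hist in investigate(EVENTS, ATTACKER_IP, T0, SEARCH_END):
    print(f"resolution={step}: {len(hist)} bucket(s), {sum(hist.values())} hits")
```

The month-long search lands all ten indicator hits in one daily bucket; drilling into that day shows one hourly bucket, and drilling into that hour spreads them across ten minute buckets.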

Get Started Today

Not using Panther yet? Request a demo to learn how Panther can help you build a world-class detection and response program.
