How to Configure Custom Schema Fields for Indicator Search in Panther

Last updated: July 25, 2025

How do I get indicator search results via the GraphQL API when looking for an indicator field that has been ingested by a custom schema?

To enable indicator search functionality via Panther's GraphQL API for custom schemas, you need to properly declare indicator fields using the indicators attribute in your schema definition.

If the indicator fields have been declared as expected, the search is a two-step API flow: first run the API operation IssueIndicatorSearchQuery, then run the API operation QueryResults to retrieve the results of that first query. With the fields declared correctly, QueryResults returns matching rows.

Here's how to configure your custom schema to work with indicator searches:

Declare Indicator Fields

In your custom schema definition, add the indicators attribute to the field that contains the indicator value. For example, to declare a field that contains SHA256 hashes:

- name: field_name
  type: string
  indicators: [sha256]

Important Notes

  • After modifying a schema to add indicator declarations, only newly ingested data will include the indicator fields

  • When properly configured, Panther will automatically add the corresponding p_any_* fields (like p_any_sha256_hashes) to your logs
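The two-step flow above (IssueIndicatorSearchQuery, then QueryResults) as an added example client, not code from Panther's documentation or this article. The operation names follow the article; the underlying GraphQL field and argument names (executeIndicatorSearchQuery, dataLakeQuery, the input shape, the lowercase status strings), the /public/graphql endpoint and the X-API-Key header are assumptions to check against your Panther API schema. The `constructed_transport` function feeds the client a constructed response sequence so the example runs offline; `make_http_transport` is the real-use path.

```python
import json
import time
import urllib.request
from typing import Any, Callable, Dict, List

# A transport takes a GraphQL payload dict and returns the decoded JSON response.
Transport = Callable[[Dict[str, Any]], Dict[str, Any]]

# Operation names are from the article; the mutation/query fields beneath them are assumptions.
ISSUE_INDICATOR_SEARCH_QUERY = """
mutation IssueIndicatorSearchQuery($input: ExecuteIndicatorSearchQueryInput!) {
  executeIndicatorSearchQuery(input: $input) { id }
}
"""

QUERY_RESULTS = """
query QueryResults($id: ID!) {
  dataLakeQuery(id: $id) {
    status
    message
    results { edges { node } }
  }
}
"""


def make_http_transport(graphql_url: str, api_key: str) -> Transport:
    """Real transport: POST the payload to Panther's GraphQL endpoint (assumed X-API-Key auth)."""
    def send(payload: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(
            graphql_url, data=json.dumps(payload).encode(), method="POST",
            headers={"Content-Type": "application/json", "X-API-Key": api_key},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())
    return send


def _data(response: Dict[str, Any]) -> Dict[str, Any]:
    """Raise on GraphQL-level errors so a failed call is never mistaken for an empty result set."""
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    return response["data"]


def issue_indicator_search(transport: Transport, indicators: List[str],
                           start_time: str, end_time: str) -> str:
    """Step 1: submit the indicator search and return the query id to poll."""
    payload = {
        "query": ISSUE_INDICATOR_SEARCH_QUERY,
        "variables": {"input": {"indicators": indicators,
                                "startTime": start_time, "endTime": end_time}},
    }
    return _data(transport(payload))["executeIndicatorSearchQuery"]["id"]


def fetch_results(transport: Transport, query_id: str,
                  poll_seconds: float = 2.0, max_polls: int = 30) -> List[Dict[str, Any]]:
    """Step 2: poll QueryResults until the query finishes; return the result rows."""
    for _ in range(max_polls):
        payload = {"query": QUERY_RESULTS, "variables": {"id": query_id}}
        query = _data(transport(payload))["dataLakeQuery"]
        status = query["status"]
        if status == "succeeded":
            return [edge["node"] for edge in query["results"]["edges"]]
        if status in ("failed", "cancelled"):
            raise RuntimeError(f"query {query_id} {status}: {query.get('message')}")
        time.sleep(poll_seconds)  # still running; wait and poll again
    raise TimeoutError(f"query {query_id} still running after {max_polls} polls")


def p_any_hits(rows: List[Dict[str, Any]], indicator: str) -> List[Dict[str, Any]]:
    """Keep rows whose p_any_* columns contain the indicator. Those columns are only present
    when the schema declared the field with `indicators` before the row was ingested."""
    return [r for r in rows
            if any(k.startswith("p_any_") and isinstance(v, list) and indicator in v
                   for k, v in r.items())]


def constructed_transport() -> Transport:
    """Constructed offline stand-in: one issue response, one 'running' poll, then 'succeeded'."""
    responses = iter([
        {"data": {"executeIndicatorSearchQuery": {"id": "q-constructed-1"}}},
        {"data": {"dataLakeQuery": {"status": "running", "message": None,
                                    "results": {"edges": []}}}},
        {"data": {"dataLakeQuery": {"status": "succeeded", "message": None, "results": {"edges": [
            {"node": {"field_name": "aa11", "p_any_sha256_hashes": ["aa11"]}},
            {"node": {"field_name": "bb22", "p_any_sha256_hashes": ["bb22"]}},
            {"node": {"field_name": "aa11"}},  # ingested before the schema change: no p_any_* column
        ]}}}},
    ])
    return lambda payload: next(responses)


def demo() -> Dict[str, Any]:
    """Run the full flow over the constructed transport and return what a caller would see."""
    transport = constructed_transport()
    qid = issue_indicator_search(transport, ["aa11"], "2025-07-01T00:00:00Z", "2025-07-02T00:00:00Z")
    rows = fetch_results(transport, qid, poll_seconds=0)
    return {"id": qid, "rows": rows, "hits": p_any_hits(rows, "aa11")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a live instance, swap `constructed_transport()` for `make_http_transport("https://YOUR-INSTANCE.panther.io/public/graphql", api_key)` (placeholders). The third constructed row shows the first note above in practice: a row ingested before the schema change carries the raw field but no p_any_* column, so it is not a hit.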

For more information about indicator fields and their types, see Panther's Indicator Fields documentation.