Panther AI Workflow Examples

Videos and images of Panther AI in action

Overview

The videos on this page demonstrate common Panther AI workflows. For the best viewing experience, click Watch on YouTube in the bottom-left corner of each video, or view the video in full-screen mode.

Using Panther AI with alerts

Running AI alert triage

In the following example of alert triage, Panther AI:

  • Gathers context by reading the alert, associated detection (including its Python code), alerts generated by the detection over the last seven days, and all alerts over the last 24 hours

  • Analyzes the gathered data

  • May gather additional context by using other tools (such as the enrichmentTool) and executing data lake queries

Running an AI-suggested follow-up prompt to alert triage

  • In this example, after AI alert triage is run, the user clicks on one of the options in the Recommended Follow Up AI Prompts section.

Aggregating multiple AI responses for an overall report

In the Running an AI-suggested follow-up prompt to alert triage example above, after the initial AI alert triage is generated, we click on a suggested follow-up prompt to explore adjacent concerns. The second response is related to the first as a "child" response.

When you either click suggested follow-up prompts or type your own, the responses (the initial triage and follow-up responses) are aware of one another. This allows you to ask questions about the responses themselves, such as to combine them into a comprehensive report.

For example, consider this initial AI alert triage:

Under an "ALB Web Scanning" header is a Panther AI prompt box, followed by Summary and Key Findings sections.

After exploring suggested prompts and asking custom follow-up questions, the response history list looks like:

Under an "AI Triage History" header, there is a sub-header labeled "Today." Under it is a table with six entries.

If we click the initial alert triage response (the parent response) and enter:

Summarize all the related AI responses into a short report.

Under an "ALB Web Scanning" header is a Panther AI prompt bar and sections titled "Summary" and "Key Findings."

We'll see something like this ALB Web Scanning Investigation Summary:

Under an "ALB Web Scanning Investigation Summary" header are various sub-headers, including "Overview," "Key Findings," and "Risk Assessment."

Opening the Analysis contained in the summary, Panther AI demonstrates it is reading all related responses:

There is an "Analysis" header with a "Thinking steps" sub-header.

Using a detection runbook to direct AI alert triage

During alert triage, Panther AI reads the instructions in the associated detection's runbook field. You can use this to direct Panther AI to perform specific tasks whenever it triages an alert from that detection. Because the runbook text is treated as instructions to the AI, review changes to a runbook with the same care as changes to the detection's code.

For example, as a runbook value, you might enter:

  • "Run the saved query called 'Okta Historical Profile' for the user in the events as context."

  • "Search over all logs for activity from the clientIP over the last week as context."

  • "Always add a comment to the alert with a summary."

In the below example, to demonstrate that Panther AI takes a detection's runbook into account during alert triage, we added the following to the runbook:

Before your analysis report, add a summary in the form of a limerick.

We can see a limerick in the response:

Under an "ALB Web Scanning Analysis" title are various sections with text under them, such as "Summary" and "Key Findings."
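As an added example (not code from this page or from Panther), the following Python detection in the Panther style pairs a simple ALB web-scanning rule with a dynamic runbook() whose text gives Panther AI triage instructions like the ones listed above. It assumes that Panther honors the dynamic runbook() function's return value as the detection's runbook, that the AWS.ALB field names clientIp, requestUrl, userAgent and elbStatusCode match your ALB log schema, and that event behaves like a dict with .get(); the sample events are constructed for offline testing.

```python
"""Added example, not Panther's own code: an ALB web-scanning rule whose
runbook text directs Panther AI during alert triage.

Assumptions (not stated on the page):
- Panther Python detections expose the dynamic functions rule(), title(),
  alert_context() and runbook(), and Panther AI reads what runbook() returns.
- AWS.ALB field names (clientIp, requestUrl, userAgent, elbStatusCode) are as
  the author recalls the Panther ALB schema; verify against your own schema.
- `event` is treated as a dict so the module runs offline.
"""
from urllib.parse import urlparse

# Paths that legitimate clients rarely request but scanners routinely probe.
# Match on the normalised URL path only, never on the full URL string.
PROBE_PATHS = {
    "/.env", "/.git/config", "/wp-login.php", "/xmlrpc.php",
    "/phpmyadmin/", "/actuator/env", "/.aws/credentials",
}
# Lower-cased User-Agent substrings of common scanning tools.
SCANNER_UA_TOKENS = ("nikto", "sqlmap", "nuclei", "masscan", "zgrab", "dirbuster")


def _path(event) -> str:
    """Return the lower-cased path component of the request URL."""
    raw = event.get("requestUrl") or ""
    return urlparse(raw).path.lower() or "/"


def rule(event) -> bool:
    """Alert when a single request looks like scanner activity."""
    ua = (event.get("userAgent") or "").lower()
    if any(tok in ua for tok in SCANNER_UA_TOKENS):
        return True
    return _path(event) in PROBE_PATHS


def title(event) -> str:
    return f"ALB Web Scanning from {event.get('clientIp')}"


def alert_context(event) -> dict:
    """Fields the analyst (and Panther AI) need first; keeps raw event small."""
    return {
        "clientIp": event.get("clientIp"),
        "path": _path(event),
        "userAgent": event.get("userAgent"),
        "elbStatusCode": event.get("elbStatusCode"),
    }


def runbook(event) -> str:
    """Instructions Panther AI is expected to follow when triaging this alert.
    The text is per-alert so the IP is filled in for the AI rather than
    left for it to infer."""
    ip = event.get("clientIp")
    return (
        f"Search over all logs for activity from clientIp {ip} over the last "
        "week as context. Count distinct request paths and status codes from "
        "this IP in AWS.ALB logs; treat a high 404 rate across many paths as "
        "scanning. Always add a comment to the alert with a summary."
    )


# Constructed sample events for offline testing (not real traffic).
SCAN_EVENT = {
    "clientIp": "198.51.100.23",
    "requestUrl": "https://app.example.com:443/.env?x=1",
    "userAgent": "Mozilla/5.0",
    "elbStatusCode": 404,
}
BENIGN_EVENT = {
    "clientIp": "203.0.113.5",
    "requestUrl": "https://app.example.com:443/api/v1/orders?page=2",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64)",
    "elbStatusCode": 200,
}
```

Keeping the instructions inside runbook() rather than only in static YAML lets each alert carry the exact IP and the query the AI should run, which is also what a reviewer should scrutinize: every sentence in that string is a task the AI will attempt during triage.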

Generating an AI summary of alerts list

Visualizing an attack from the alerts list

In the example below, the alerts list page was filtered to display only alerts related to a specific attack. (This attack was generated via adversary emulation.)

In the prompt bar, we entered: "Visualize the attack using a flow chart. Analyze all supporting data for these alerts."

A prompt bar is shown above a block of text output containing Summary and Key Finding sections.

In response, Panther AI generates a diagram of the attack chain:

A diagram of an attack chain is shown, with a number of boxes and arrows. Boxes contain text such as "Defense Evasion" and "Impact & Exfiltration."

Using Panther AI with Search and detections

Search results AI summarization

Detection writing from Search results

  • After Panther AI performs Search results summarization for events representing potentially malicious activity, Panther AI creates a detection with unit tests.

Using Panther AI with Saved Searches

Writing and saving SQL queries for reuse

In the example below, Panther AI is prompted to write and name a SQL query (a Saved Search) that humans and Panther AI can reuse later. The prompt is:

Please write a SQL query to calculate the top 10 IP addresses over a week of data in ALB logs. Save the query with the name "Top 10 IP Addresses in ALB." Add a note for Panther AI in the description to visualize the results when running the query.

The Panther AI Overview dashboard entry point is in closed beta starting with Panther version 1.113. Please share any bug reports and feature requests with your Panther support team.

Running and editing saved SQL queries

  • In this example, Panther AI is asked to run a named Saved Search (but with modifications requiring SQL changes), enrich each IP address, and visualize the result.

