Panther AI Workflow Examples

Overview

The videos on this page demonstrate common Panther AI workflows. For the best viewing experience, it's recommended to click Watch on Youtube in the bottom-left corner of each video, or view them in full-screen mode.

Using Panther AI with alerts

Running AI alert triage

In the following example of alert triage, Panther AI:

• Gathers context by reading the alert, associated detection (including its Python code), alerts generated by the detection over the last seven days, and all alerts over the last 24 hours

• Analyzes data

• May gather additional context by using other tools (such as the enrichmentTool) and executing data lake queries

Running an AI-suggested follow-up prompt to alert triage

• In this example, after AI alert triage is run, the user clicks on one of the options in the Recommended Follow Up AI Prompts section.

Aggregating multiple AI responses for an overall report

In the Running an AI-suggested follow-up prompt to alert triage example above, after the initial AI alert triage is generated, we click on a suggested follow-up prompt to explore adjacent concerns. The second response is related to the first as a "child" response.

When you either click suggested follow-up prompts or type your own, the responses (the initial triage and follow-up responses) are aware of one another. This allows you to ask questions about the responses themselves, such as to combine them into a comprehensive report.

For example, consider this initial AI alert triage:

After exploring suggested prompts and asking custom follow-up questions, the response history list looks like:

If we click the initial alert triage response (the parent response) and enter:

Summarize all the related AI responses into a short report.

We'll see something like this ALB Web Scanning Investigation Summary:

Opening the Analysis contained in the summary, Panther AI demonstrates it is reading all related responses:

Using a detection runbook to direct AI alert triage

During alert triage, Panther AI is directed to read instructions from the alert runbook. You can leverage this to instruct Panther AI to perform specific tasks when triaging an alert.

For example, as a runbook value, you might enter:

• "Run the saved query called "Okta Historical Profile" for the user in the events as context."

• "Search over all logs for activity from the clientIP over the last week as context."

• "Always add a comment to the alert with a summary."

In the below example, to demonstrate that Panther AI takes a detection's runbook into account during alert triage, we added the following to the runbook:

Before your analysis report, add a summary in the form of a limerick.

We can see a limerick in the response:

Generating an AI summary of alerts list

• In the example below, Panther AI summarizes the recent alerts on the alert list page.

Visualizing an attack from the alerts list

In the example below, the alerts related to a specific attack (generated via adversary emulation) were selected from the alerts list page, then an AI summary was generated.

In the prompt bar of the resulting AI summary, we entered, Visualize the attack using a flow chart. Analyze all supporting data for these alerts.:

In response, Panther AI generates a diagram of the attack chain:

Using Panther AI to search indicators

It's common to receive Indicators of Compromise (IoCs) from threat intelligence reports, such as malicious IP addresses, and ask "Have I seen any of these values in my logs?"

Threat hunting for IoCs is simple if your search returns no results; however, when IoCs are found, the process can be time consuming because the activity requires vetting. Instead of manually searching your data lake, you can ask Panther AI to summarize recent activity.

Using Panther AI with Search and detections

Search results AI summarization

• In the example below, Panther AI performs Search results summarization for recent AWS Application Load Balancer (ALB) events.

Detection writing from Search results

• After Panther AI performs Search results summarization for events representing potentially malicious activity, Panther AI creates a detection with unit tests.

Using Panther AI with Saved Searches

Writing and saving SQL queries for reuse

In the example below, Panther AI is prompted to write and name a SQL query (or Saved Search) to be used in the future (by humans and Panther AI). The prompt is:

Please write a SQL query to calculate the top 10 IP addresses over a week of data in ALB logs. Save the query with the name "Top 10 IP Addresses in ALB." Add a note for Panther AI in the description to visualize the results when running the query.

Running and editing saved SQL queries

• In this example, Panther AI is asked to run a named Saved Search (but with modifications requiring SQL changes), enrich each IP address, and visualize the result.