# Panther AI and Alerts

## Overview

{% hint style="info" %}
Use of Panther AI features is subject to the [AI disclaimer found on the Legal page](https://docs.panther.com/resources/help/legal#ai-disclaimer).
{% endhint %}

From the alert list page in your Panther Console, you can run an AI triage across one or more selected alerts, and from an alert's detail page you can run AI alert triage to accelerate information gathering and analysis on that single alert. When you triage one or more alerts, you will see a [Risk Classification score](https://docs.panther.com/ai/risk-scoring-and-classification-framework).

Learn more about Panther AI, including how to configure AI reasoning level, on [Panther AI](https://docs.panther.com/ai).

## Panther AI triage of alerts list

You can create AI triages when viewing the alerts list in the Panther Console. To run a new AI triage, check the box next to each alert you would like to triage, then click **Triage with AI**.

If you want to perform an investigation and analysis on a single alert, see [Panther AI alert triage](#panther-ai-alert-triage).

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FMCaodNBIHavIdWRFItiM%2FScreenshot%202026-01-20%20at%2011.29.13%E2%80%AFAM.png?alt=media&#x26;token=f2b44be5-3d24-4b7d-9374-a514492f5fbf" alt="Panther Console alert list page with an arrow pointing to Triage with AI button"><figcaption></figcaption></figure>

To view past AI triages, in the upper-right corner, click **View Multi-Alert Triage**.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fc68QOWtH5MBBoLRFqx9z%2FScreenshot%202026-01-20%20at%2011.30.40%E2%80%AFAM.png?alt=media&#x26;token=4a07eab4-094c-45ae-87d8-7e295055ed42" alt="Panther Console alert list page with arrow pointing to View AI Summaries"><figcaption></figcaption></figure>

In both scenarios, a slide-out panel will open with the new or most recent triage. You can click the triage title to see a list of previous AI triages and [manage your AI response history](https://docs.panther.com/ai/managing-ai-response-history).

## Panther AI alert triage

[Panther AI](https://docs.panther.com/ai) alert triage performs an investigation and analysis on an alert. It can help you gather more information about an alert and decide what to do next. You can configure AI alert triage to be [auto-run for all or some alerts](#auto-run-ai-alert-triage), or [run it on demand](#run-ai-alert-triage-on-demand). [Watch a full video demo of AI alert triage here](https://docs.panther.com/examples#ai-alert-triage).

AI alert triage may provide a summary of the alert, a judgement on whether the alert is a false or true positive, recommended follow-up actions, and an indication of its confidence level. The Panther AI analysis of certain alerts may include a diagram visualizing Panther AI's "thought process" and/or the events that led to the alert. The analysis will include [citations](https://docs.panther.com/ai/..#citations-and-fact-checking) to Panther entities (such as alerts, detections, and searches) when appropriate.

{% hint style="info" %}
It's recommended to provide a descriptive `runbook` on your detection, as Panther AI will read and autonomously execute it during alert triage. Because the runbook is executed rather than merely summarized, review changes to it as carefully as changes to the detection logic itself; any write operations it triggers are governed by the tool-approval rules described below. [Learn how to write a Panther AI-friendly `runbook` here](https://docs.panther.com/alerts/alert-runbooks#tips-for-writing-an-effective-runbook).

[See a demo of a detection `runbook` affecting AI alert triage here](https://docs.panther.com/examples#using-a-detection-runbook-to-direct-ai-alert-triage).
{% endhint %}

Learn how Panther AI handles write operations, including which tools it requires human approval for, in [Tool approval for write operations](https://docs.panther.com/ai/..#tool-approval).

If you have a [Slack Bot Alert Destination](https://docs.panther.com/alerts/destinations/slack-bot) set up, you can [configure it to receive AI triage content](https://docs.panther.com/alerts/alert-management/slack#ai-alert-triage-sync).

Learn more about Panther AI, including how to [configure AI reasoning level](https://docs.panther.com/ai/..#ai-prompt-settings) and manage AI responses, on [Panther AI](https://docs.panther.com/ai) and [Managing Panther AI Response History](https://docs.panther.com/ai/managing-ai-response-history).

### Auto-run AI alert triage

{% hint style="warning" %}
Auto-run AI triage is only available to [Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected) customers and [SaaS](https://docs.panther.com/system-configuration/panther-deployment-types/saas) customers with pass-through billing.
{% endhint %}

You can configure AI alert triage to run automatically when an alert is generated, so that the triage results are already available when you open the alert instead of having to start the triage and wait for it.

You can enable auto-run AI triage for all alerts, or only for alerts that have certain severities and/or tags. [Learn more about how to set these criteria on System Configuration](https://docs.panther.com/system-configuration#panther-ai).

The [reasoning level](https://docs.panther.com/ai/..#reasoning-level) of auto-run AI triages for alerts triggered by a certain detection can be set by adding one of the following tags to the detection:

* `ai:output:short`
* `ai:output:medium`
* `ai:output:long`

{% hint style="info" %}
If auto-run AI alert triage is not running autonomously as expected (or there are errors in the output), you may need to [request an increase for Amazon Bedrock quotas](https://docs.panther.com/ai/..#amazon-bedrock-service-quotas).
{% endhint %}

#### Auto-triage permissions and run-as configuration

By default, auto-run AI alert triage executes with system-level permissions. However, administrators with the **AI Run As** permission can configure auto-triage to run as a specific user or API token instead. This provides several benefits:

* **Scoped permissions**: Limit what data and tools the AI can access during auto-triage by running as a user with restricted permissions
* **Audit trail**: Auto-triage actions are associated with the specified run-as user rather than the system
* **Consistency**: Ensure predictable permission levels across all auto-triage executions

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FYclbuKbS8Gb0RN4JItbk%2FScreenshot%202026-04-09%20at%202.23.37%E2%80%AFPM.png?alt=media&#x26;token=88ae8f79-e9d2-4616-af64-59afe51d5c5b" alt="" width="563"><figcaption></figcaption></figure>

When a run-as user is configured, the AI alert triage will only be able to access log types, alerts, and detections that the run-as user's role permits. If the run-as user's account is deleted or disabled, auto-triage will be suspended until a valid run-as user is configured or the setting is cleared to restore system-level execution.

#### Delay auto-run AI alert triage

By default, AI alert triage runs as soon as an alert is created. However, data from different sources can arrive with varying latencies, so running immediately may cause the AI analysis to miss relevant context that becomes available shortly after. Adding a delay tag to a detection gives time for all related data to arrive before AI alert triage begins.

Add a tag to the detection with the format `ai:delay:<duration>`, where `<duration>` is a time value. For example:

* `ai:delay:30s` — delays AI alert triage by 30 seconds
* `ai:delay:1m` — delays AI alert triage by 1 minute
* `ai:delay:10m` — delays AI alert triage by 10 minutes

When you add a delay tag, Panther AI waits for the specified duration before invoking AI alert triage. The minimum delay is 1 second, and the maximum delay is 30 days. If multiple `ai:delay` tags are present on a detection, the first one is used.

{% hint style="info" %}
Delay tags can be combined with `ai:output:*` reasoning level tags on the same detection. For example, a detection with both `ai:delay:5m` and `ai:output:long` will wait 5 minutes before running an advanced-level AI alert triage.
{% endhint %}
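The tag rules above (one `ai:output:*` level, an `ai:delay:<duration>` between 1 second and 30 days, first `ai:delay` tag wins) are easy to get wrong in a detection's `Tags` list, and a typo silently falls back to the default behaviour. The following is an added example, not code from Panther or this page, of a small pre-deploy lint that checks a detection's tag list against those rules and reports the effective delay and reasoning level. It assumes the duration is a single integer followed by a unit; `s` and `m` are the units shown on this page, while `h` and `d` are an assumption added here so the 30-day maximum can be expressed. Flagging a second `ai:output:*` tag as a conflict is also this lint's choice, since the page does not say how Panther resolves one.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Seconds per unit. "s" and "m" are documented; "h" and "d" are assumed here.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_DELAY_RE = re.compile(r"^ai:delay:(\d+)([smhd])$")
_OUTPUT_LEVELS = {"short", "medium", "long"}

MIN_DELAY_S = 1            # documented minimum delay
MAX_DELAY_S = 30 * 86400   # documented maximum delay: 30 days


@dataclass
class AiTagReport:
    delay_seconds: Optional[int]   # effective delay (first valid ai:delay tag), None if absent
    output_level: Optional[str]    # "short" / "medium" / "long", None if absent
    problems: List[str]            # human-readable findings, empty when the tags are clean


def parse_delay(tag: str) -> int:
    """Return the number of seconds encoded by an ai:delay:<duration> tag."""
    m = _DELAY_RE.match(tag)
    if not m:
        raise ValueError(f"malformed delay tag: {tag!r}")
    value, unit = int(m.group(1)), m.group(2)
    return value * _UNIT_SECONDS[unit]


def lint_ai_tags(tags: List[str]) -> AiTagReport:
    """Check a detection's tag list for the ai:delay and ai:output conventions."""
    problems: List[str] = []
    delay: Optional[int] = None
    output: Optional[str] = None

    for tag in tags:
        if tag.startswith("ai:delay:"):
            try:
                secs = parse_delay(tag)
            except ValueError as exc:
                problems.append(str(exc))
                continue
            if not MIN_DELAY_S <= secs <= MAX_DELAY_S:
                problems.append(f"{tag}: delay must be between 1s and 30d")
                continue
            if delay is None:
                delay = secs           # first ai:delay tag is the one Panther uses
            else:
                problems.append(f"{tag}: ignored, the first ai:delay tag wins")
        elif tag.startswith("ai:output:"):
            level = tag[len("ai:output:"):]
            if level not in _OUTPUT_LEVELS:
                problems.append(f"{tag}: level must be one of short, medium, long")
            elif output is None:
                output = level
            else:
                # Assumption: a second reasoning-level tag is treated as a conflict.
                problems.append(f"{tag}: conflicts with ai:output:{output}")

    return AiTagReport(delay, output, problems)


if __name__ == "__main__":
    # Constructed tag list mirroring the page's example of combining both tags.
    report = lint_ai_tags(["ai:delay:5m", "ai:output:long", "ai:delay:30s"])
    print(report)
```

Run it over each detection's tag list in CI (for example from the `Tags` key of a detection's YAML) and fail the build when `problems` is non-empty; the `delay_seconds` and `output_level` fields tell you what Panther will actually apply.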

### Run AI alert triage on demand

To run Panther AI triage on an alert:

1. On an alert detail page, click **Start Panther AI Triage**.

   * If you have already run AI alert triage for this alert, click **View Panther AI Triage**.

     <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-2804226a2741a9e54da3ea8833e440d04b7b1041%2FScreenshot%202025-04-08%20at%203.53.37%E2%80%AFPM.png?alt=media" alt="On a page titled &#x22;Panos Test: User PSAKKOS logged in without MFA&#x22; a button labeled &#x22;Start Panther AI Triage&#x22; is circled." width="563"><figcaption></figcaption></figure>
   * A slide-out panel will appear, where Panther AI will output its findings:

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Flx3hEPreONH4ciOfk4yh%2FScreenshot%202026-01-20%20at%205.25.06%E2%80%AFPM.png?alt=media&#x26;token=581d414f-f6bf-463a-94e3-71f203efa1b0" alt="On the right side is a slide-out panel titled &#x22;ALB Web Scanning Analysis.&#x22; Below, there are various sections, like Summary, Key Findings, and Security Implications."><figcaption></figcaption></figure>
2. (Optional) In the prompt box at the top of the slide-out panel, ask follow-up questions or direct Panther AI to take some action on the alert. These prompts and their responses are preserved in the [AI response history](https://docs.panther.com/ai/managing-ai-response-history). For example:
   * `How should I tune the detection that triggered this alert?`
     * Asking Panther AI to tune a detection typically yields the best result when the [reasoning level](https://docs.panther.com/ai/..#reasoning-level) setting is **Advanced**.
   * `Did this user take any other action in AWS an hour before or after this event?`
   * `Update this alert's status to "Invalid" and leave a comment saying "False positive."`\
     ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-786131ad2ca714f9c8a10930ed0cb6f00c13423d%2FScreenshot%202025-04-30%20at%2010.51.16%E2%80%AFAM.png?alt=media)
3. (Optional) Under **Next Steps**, click one of the action buttons:\
   ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-6b329660c64c73ba946ed9cc41649175668ef997%2Fimage.png?alt=media)
   * **Add triage summary as alert comment (will not close alert)**:
     * Creates a comment containing a high-level alert summary in the alert's **Activity** log.
   * (If the alert's status is **Open** or **Triaged**) **Close alert, comment and mark as Resolved**:
     * Updates the alert status to **Resolved**. This is recorded in the alert's **Activity** log.
     * Creates a comment containing a high-level alert summary in the alert's **Activity** log.
     * If the **Assign alert to me upon closing** toggle is set to `ON`, the alert assignee will be set as you. This is recorded in the alert's **Activity** log.
   * (If the alert's status is **Open** or **Triaged**) **Close alert, comment and mark as Invalid**:
     * Updates the alert status to **Invalid**. This is recorded in the alert's **Activity** log.
     * Creates a comment containing a high-level alert summary in the alert's **Activity** log.
     * If the **Assign alert to me upon closing** toggle is set to `ON`, the alert assignee will be set as you. This is recorded in the alert's **Activity** log.\
       ![Under an "Activity" title, there is a text box and three comments with a circle around them.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-49e9a3e14a2c9d3d6568d256d5aa73e179275473%2FScreenshot%202025-04-17%20at%2010.07.20%E2%80%AFAM.png?alt=media)

### Auto-resolve alerts based on risk score

{% hint style="info" %}
Auto-resolving alerts based on risk score is in closed beta starting with Panther version 1.119. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

When auto-run AI alert triage is enabled, Panther AI assigns a risk classification score to each alert it triages. You can configure Panther AI to automatically resolve alerts whose risk score falls at or below a threshold you define.

This is useful for reducing alert fatigue by automatically closing alerts that Panther AI determines to be low-risk, while still preserving a full audit trail of the decision.

#### Configuring auto-resolve

{% hint style="info" %}
Auto-resolve requires **Auto-run AI Triage on Alerts** to be enabled, since alerts must first be triaged by Panther AI to receive a risk score.
{% endhint %}

To configure auto-resolve:

1. In the upper-right corner of your Panther Console, click the gear icon (**Settings**) > **Panther AI**.
2. Click the **Alert Triage** tab.
3. Set the **Auto-resolve Based on Risk Score** toggle to `ON`.
4. Set the **Risk score Threshold** using the slider. The slider displays three zones:
   * **Benign** (green): Scores in this range indicate low-risk alerts. This is the recommended range for the threshold.
   * **Inconclusive** (yellow): Scores in this range indicate uncertain risk. Setting the threshold in this range will show a warning.
   * **Risky** (red): Scores in this range indicate high-risk alerts. The threshold cannot be set in this range.
5. (Optional) Select one or more **Alert Severities** to restrict auto-resolve to alerts of those severities.
6. (Optional) Enter one or more **Detection Tags** to restrict auto-resolve to alerts triggered by detections with at least one of those tags.

Learn more about the auto-resolve settings in [System Configuration](https://docs.panther.com/system-configuration#alert-triage).

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FaCwxPBQ31V5I2XRGaC8a%2FScreenshot%202026-03-03%20at%209.39.14%E2%80%AFPM.png?alt=media&#x26;token=06a41a39-1a2f-4138-a526-60c924adb806" alt=""><figcaption></figcaption></figure>

#### How auto-resolve works

1. An alert is generated and auto-run AI triage runs on it.
2. Panther AI produces a risk classification score ranging from -1 (most benign) to +1 (most risky).
3. If auto-resolve is enabled and the alert passes your configured filters (severity and/or detection tags), the risk score is compared against your threshold.
4. If the risk score is at or below the threshold, Panther AI:
   * Updates the alert status to **Resolved**.
   * Adds a comment to the alert's **Activity** log with the risk classification, score, threshold, and a summary of the AI analysis.
   * Applies a context tag indicating the risk classification (e.g., `ai_risk_benign`).
   * Records an audit log entry for the auto-resolve action.
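To make the decision rule above concrete, here is an added example, not Panther's own code, of the auto-resolve evaluation as a pure function: it applies the severity and detection-tag filters, compares the risk score against the threshold with the documented "at or below" semantics, and produces the comment text and context tag the page describes. The `TriagedAlert` and `AutoResolveConfig` types, the comment wording, and the `ai_risk_<classification>` naming for the context tag (generalized from the page's `ai_risk_benign` example) are assumptions made for this illustration; the classification label and score are taken as produced by Panther AI rather than computed here.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class AutoResolveConfig:
    enabled: bool
    threshold: float                                  # resolve when score <= threshold
    severities: FrozenSet[str] = frozenset()          # empty = any severity
    detection_tags: FrozenSet[str] = frozenset()      # empty = any detection


@dataclass(frozen=True)
class TriagedAlert:
    alert_id: str
    severity: str
    detection_tags: FrozenSet[str]
    risk_score: Optional[float]           # None until auto-run triage has produced one
    risk_classification: Optional[str]    # label produced by Panther AI, e.g. "benign"
    summary: str


@dataclass(frozen=True)
class Decision:
    resolve: bool
    reason: str
    comment: Optional[str] = None         # text for the alert's Activity log when resolving
    context_tag: Optional[str] = None     # e.g. "ai_risk_benign"


def evaluate_auto_resolve(alert: TriagedAlert, cfg: AutoResolveConfig) -> Decision:
    """Decide whether a triaged alert is auto-resolved under the given configuration."""
    if not -1.0 <= cfg.threshold <= 1.0:
        raise ValueError("threshold must lie within the -1..+1 risk score range")
    if not cfg.enabled:
        return Decision(False, "auto-resolve is disabled")
    # Auto-resolve depends on auto-run triage: without a score there is nothing to compare.
    if alert.risk_score is None or alert.risk_classification is None:
        return Decision(False, "alert has not been triaged by Panther AI")
    if cfg.severities and alert.severity not in cfg.severities:
        return Decision(False, f"severity {alert.severity} not in auto-resolve filter")
    # Tag filter matches when the detection carries at least one configured tag.
    if cfg.detection_tags and not (cfg.detection_tags & alert.detection_tags):
        return Decision(False, "detection carries none of the configured tags")
    if alert.risk_score > cfg.threshold:
        return Decision(False, f"score {alert.risk_score:+.2f} is above threshold {cfg.threshold:+.2f}")

    # Assumed comment wording; the page only lists the fields it must contain.
    comment = (
        f"Auto-resolved by Panther AI. classification={alert.risk_classification} "
        f"score={alert.risk_score:+.2f} threshold={cfg.threshold:+.2f}. {alert.summary}"
    )
    return Decision(True, "score at or below threshold", comment,
                    f"ai_risk_{alert.risk_classification}")


if __name__ == "__main__":
    # Constructed alert and configuration for a stand-alone run.
    cfg = AutoResolveConfig(enabled=True, threshold=-0.5,
                            severities=frozenset({"LOW", "INFO"}),
                            detection_tags=frozenset({"noisy"}))
    alert = TriagedAlert("alert-1", "LOW", frozenset({"noisy", "aws"}),
                         -0.8, "benign", "Routine scheduled job; no user action observed.")
    print(evaluate_auto_resolve(alert, cfg))
```

The function is deliberately side-effect free so the same rule can be exercised in tests against boundary cases such as a score exactly equal to the threshold, an alert from a detection outside the tag filter, or an alert that has not yet been scored.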
