Panther AI and Alerts

Using Panther AI with alerts

Overview

Use of Panther AI features is subject to the AI disclaimer found on the Legal page.

While viewing alerts in your Panther Console, you can view an AI-generated triage of the alerts on your alert list page, as well as use AI alert triage to accelerate information gathering and analysis on a specific alert. When you triage one or more alerts, you will see a Risk Classification score.

Learn more about Panther AI, including how to configure AI reasoning level, on Panther AI.

Panther AI triage of alerts list

You can create AI triages when viewing the alerts list in the Panther Console. To run a new AI triage, check the box next to each alert you would like to triage, then click Triage with AI.

If you want to perform an investigation and analysis on a single alert, see Panther AI alert triage.

(Screenshot: Panther Console alert list page with an arrow pointing to the Triage with AI button.)

To view past AI triages, in the upper-right corner, click View Multi-Alert Triage.

(Screenshot: Panther Console alert list page with an arrow pointing to View AI Summaries.)

In both scenarios, a slide-out panel will open with the new or most recent triage. You can click the triage title to see a list of previous AI triages and manage your AI response history.

Panther AI alert triage

Panther AI alert triage performs an investigation and analysis on an alert. It can help you gather more information about an alert and decide what to do next. You can configure AI alert triage to be auto-run for all or some alerts, or run it on demand. Watch a full video demo of AI alert triage here.

AI alert triage may provide a summary of the alert, judgement on whether the alert is a false or true positive, recommended follow-up actions, and an indication of its confidence level. The Panther AI analysis of certain alerts may include a diagram visualizing Panther AI's "thought process" and/or the events that led to the alert. The analysis will include citations to Panther entities (such as alerts, detections, and searches) when appropriate.

It's recommended to provide a descriptive runbook on your detection, as Panther AI will read and autonomously execute it during alert triage. Learn how to write a Panther AI-friendly runbook here.

See a demo of a detection runbook affecting AI alert triage here.

Learn how Panther AI handles write operations, including which tools it requires human approval for, in Tool approval for write operations.

If you have a Slack Bot Alert Destination set up, you can configure it to receive AI triage content.

Learn more about Panther AI, including how to configure AI reasoning level and manage AI responses, on Panther AI and Managing Panther AI Response History.

Auto-run AI alert triage

It's possible to configure AI alert triage to be run automatically when an alert is generated, meaning when you view an alert, you won't have to run the triage yourself and wait for results.

You can enable auto-run AI triage for all alerts, or only for alerts that have certain severities and/or tags. Learn more about how to set these criteria on System Configuration.

The reasoning level of auto-run AI triages for alerts triggered by a certain detection can be set by adding one of the following tags to the detection:

  • ai:output:short

  • ai:output:medium

  • ai:output:long

If auto-run AI alert triage is not running autonomously as expected (or there are errors in the output), you may need to request an increase for Amazon Bedrock quotas.

Delay auto-run AI alert triage

By default, AI alert triage runs as soon as an alert is created. However, data from different sources can arrive with varying latencies, so running immediately may cause the AI analysis to miss relevant context that becomes available shortly after. Adding a delay tag to a detection gives time for all related data to arrive before AI alert triage begins.

Add a tag to the detection with the format ai:delay:<duration>, where <duration> is a time value. For example:

  • ai:delay:30s — delays AI alert triage by 30 seconds

  • ai:delay:1m — delays AI alert triage by 1 minute

  • ai:delay:10m — delays AI alert triage by 10 minutes

When you add a delay tag, Panther AI waits for the specified duration before invoking AI alert triage. The minimum delay is 1 second, and the maximum delay is 30 days. If multiple ai:delay tags are present on a detection, the first one is used.

Delay tags can be combined with ai:output:* reasoning level tags on the same detection. For example, a detection with both ai:delay:5m and ai:output:long will wait 5 minutes before running an advanced-level AI alert triage.
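The tag rules above (first ai:delay tag wins, 1 second to 30 days, combined with an ai:output:* level) can be expressed as a small scheduling helper. This is an added example, not Panther's own code; it assumes duration suffixes s/m/h/d (the page shows only s and m) and treats malformed or out-of-range tags as errors rather than clamping them.

```python
import re

# Duration suffixes assumed for ai:delay:<duration> tags. The page shows s and m;
# h and d are assumed so the 30-day maximum can be written as "30d".
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
MIN_DELAY_SECONDS = 1            # documented minimum delay
MAX_DELAY_SECONDS = 30 * 86400   # documented maximum delay (30 days)
REASONING_LEVELS = ("short", "medium", "long")  # ai:output:* tag values


def parse_duration(value):
    """Convert '30s', '5m', '2h' or '30d' to seconds; None if malformed."""
    m = re.fullmatch(r"(\d+)([smhd])", value)
    if not m:
        return None
    return int(m.group(1)) * _UNITS[m.group(2)]


def resolve_ai_tags(tags):
    """Derive the auto-run triage schedule from a detection's tag list.

    delay_seconds comes from the FIRST ai:delay tag (later ones are ignored),
    or 0 when none is present. output_level comes from an ai:output:* tag, or
    None for the system default. Tags that cannot be applied (malformed or out
    of range) are collected in errors; that handling is an assumption.
    """
    result = {"delay_seconds": 0, "output_level": None, "errors": []}
    delay_seen = False
    for tag in tags:
        if tag.startswith("ai:delay:"):
            if delay_seen:
                continue  # first ai:delay tag wins, per the documentation
            delay_seen = True
            seconds = parse_duration(tag[len("ai:delay:"):])
            if seconds is None or not MIN_DELAY_SECONDS <= seconds <= MAX_DELAY_SECONDS:
                result["errors"].append(tag)
            else:
                result["delay_seconds"] = seconds
        elif tag.startswith("ai:output:"):
            level = tag[len("ai:output:"):]
            if level in REASONING_LEVELS:
                result["output_level"] = level
            else:
                result["errors"].append(tag)
    return result


if __name__ == "__main__":
    # Constructed detection tags, not taken from any real Panther detection
    print(resolve_ai_tags(["aws", "ai:delay:5m", "ai:output:long", "ai:delay:1m"]))
```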

Run AI alert triage on demand

To run Panther AI triage on an alert:

  1. On an alert detail page, click Start Panther AI Triage.

    • If you have already run AI alert triage for this alert, click View Panther AI Triage.

    (Screenshot: on a page titled "Panos Test: User PSAKKOS logged in without MFA", a button labeled "Start Panther AI Triage" is circled.)

    • A slide-out panel will appear, where Panther AI will output its findings:

    (Screenshot: on the right side is a slide-out panel titled "ALB Web Scanning Analysis." Below it are sections such as Summary, Key Findings, and Security Implications.)
  2. (Optional) In the prompt box at the top of the slide-out panel, ask follow-up questions or direct Panther AI to take some action on the alert. These prompts and their responses are preserved in the AI response history. For example:

    • How should I tune the detection that triggered this alert?

      • Asking Panther AI to tune a detection typically yields the best result when the reasoning level setting is Advanced.

    • Did this user take any other action in AWS an hour before or after this event?

    • Update this alert's status to "Invalid" and leave a comment saying "False positive."

  3. (Optional) Under Next Steps, click one of the action buttons:

    • Add triage summary as alert comment (will not close alert):

      • Creates a comment containing a high-level alert summary in the alert's Activity log.

    • (If the alert's status is Open or Triaged) Close alert, comment and mark as Resolved:

      • Updates the alert status to Resolved. This is recorded in the alert's Activity log.

      • Creates a comment containing a high-level alert summary in the alert's Activity log.

      • If the Assign alert to me upon closing toggle is set to ON, the alert assignee will be set as you. This is recorded in the alert's Activity log.

    • (If the alert's status is Open or Triaged) Close alert, comment and mark as Invalid:

      • Updates the alert status to Invalid. This is recorded in the alert's Activity log.

      • Creates a comment containing a high-level alert summary in the alert's Activity log.

      • If the Assign alert to me upon closing toggle is set to ON, the alert assignee will be set as you. This is recorded in the alert's Activity log.

    (Screenshot: under an "Activity" title, there is a text box and three comments with a circle around them.)

Auto-resolve alerts based on risk score

Auto-resolving alerts based on risk score is in closed beta starting with Panther version 1.119. Please share any bug reports and feature requests with your Panther support team.

When auto-run AI alert triage is enabled, Panther AI assigns a risk classification score to each alert it triages. You can configure Panther AI to automatically resolve alerts whose risk score falls at or below a threshold you define.

This is useful for reducing alert fatigue by automatically closing alerts that Panther AI determines to be low-risk, while still preserving a full audit trail of the decision.

Configuring auto-resolve

Auto-resolve requires Auto-run AI Triage on Alerts to be enabled, since alerts must first be triaged by Panther AI to receive a risk score.

To configure auto-resolve:

  1. In the upper-right corner of your Panther Console, click the gear icon (Settings) > Panther AI.

  2. Click the Alert Triage tab.

  3. Set the Auto-resolve Based on Risk Score toggle to ON.

  4. Set the Risk score Threshold using the slider. The slider displays three zones:

    • Benign (green): Scores in this range indicate low-risk alerts. This is the recommended range for the threshold.

    • Inconclusive (yellow): Scores in this range indicate uncertain risk. Setting the threshold in this range will show a warning.

    • Risky (red): Scores in this range indicate high-risk alerts. The threshold cannot be set in this range.

  5. (Optional) Select one or more Alert Severities to restrict auto-resolve to alerts of those severities.

  6. (Optional) Enter one or more Detection Tags to restrict auto-resolve to alerts triggered by detections with at least one of those tags.

Learn more about the auto-resolve settings in System Configuration.

How auto-resolve works

  1. An alert is generated and auto-run AI triage runs on it.

  2. Panther AI produces a risk classification score ranging from -1 (most benign) to +1 (most risky).

  3. If auto-resolve is enabled and the alert passes your configured filters (severity and/or detection tags), the risk score is compared against your threshold.

  4. If the risk score is at or below the threshold, Panther AI:

    • Updates the alert status to Resolved.

    • Adds a comment to the alert's Activity log with the risk classification, score, threshold, and a summary of the AI analysis.

    • Applies a context tag indicating the risk classification (e.g., ai_risk_benign).

    • Records an audit log entry for the auto-resolve action.
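The decision sequence above, written out as an added example (not Panther's implementation): severity and detection-tag filters are checked first, then the score is compared against the threshold, and a resolved alert receives the status change, comment, context tag and audit entry. The comment wording and the audit action name are assumptions; the score range and the ai_risk_<classification> tag follow the page.

```python
from dataclasses import dataclass, field


@dataclass
class AutoResolveConfig:
    enabled: bool
    threshold: float                          # scores at or below this are resolved
    severities: frozenset = frozenset()       # empty means any severity
    detection_tags: frozenset = frozenset()   # empty means any detection


@dataclass
class Alert:
    alert_id: str
    severity: str
    detection_tags: list
    risk_score: float            # -1 (most benign) .. +1 (most risky)
    risk_classification: str     # e.g. "benign", as produced by AI triage
    status: str = "Open"
    comments: list = field(default_factory=list)
    context_tags: list = field(default_factory=list)


def auto_resolve(alert, cfg, audit_log, summary):
    """Apply the auto-resolve decision to one triaged alert; True if resolved."""
    if not cfg.enabled:
        return False
    if not -1.0 <= alert.risk_score <= 1.0:
        raise ValueError(f"risk score out of range: {alert.risk_score}")
    # Filters: severity must match, and at least one detection tag must match.
    if cfg.severities and alert.severity not in cfg.severities:
        return False
    if cfg.detection_tags and not cfg.detection_tags.intersection(alert.detection_tags):
        return False
    if alert.risk_score > cfg.threshold:   # "at or below" resolves
        return False
    alert.status = "Resolved"
    # Comment text is an assumed format carrying the documented fields.
    alert.comments.append(
        f"Auto-resolved by Panther AI: classification={alert.risk_classification}, "
        f"score={alert.risk_score:+.2f}, threshold={cfg.threshold:+.2f}. {summary}")
    alert.context_tags.append(f"ai_risk_{alert.risk_classification}")
    # Audit action name is hypothetical.
    audit_log.append({"action": "AUTO_RESOLVE_ALERT", "alert_id": alert.alert_id,
                      "score": alert.risk_score, "threshold": cfg.threshold})
    return True


if __name__ == "__main__":
    cfg = AutoResolveConfig(True, -0.5, frozenset({"Low"}), frozenset({"aws"}))
    audit = []   # constructed alert below, not real data
    a = Alert("alert-1", "Low", ["aws", "auth"], -0.8, "benign")
    print(auto_resolve(a, cfg, audit, "Expected admin activity."), a.status, audit)
```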
