Alerts & Destinations
Panther detections trigger alerts on suspicious behavior
Alerts are generated when your rules, scheduled rules, or policies detect suspicious behavior. When an alert is triggered, it is routed to the appropriate Alert Destination(s) using the Alert routing scenarios.
Panther can generate three types of alerts:
- Alerts: This classification includes rule matches, policy matches, and scheduled rule matches from enabled detections.
- Detection errors: These are generated due to incorrect code or permissions issues. When this occurs, a rule returns an error and the rule does not complete its run successfully. This includes rule errors and scheduled rule errors.
- System errors: Panther's System Health notifications alert users when a part of the Panther platform is not functioning correctly. This includes log source inactivity, log classification failures, log source permission failures, alert delivery failures, and cloud account scanning failures.
To receive alerts outside of the Panther Console, set up an alert destination and ensure it's configured to receive alerts based on the Alert routing scenarios.
When deciding how to receive an alert, consider the following options:
- Natively supported destinations: Panther supports a number of alert destinations natively, like Slack, Jira, and Amazon SNS. See the Alert Destinations documentation for a complete list of supported destinations.
- Custom Webhook: If you'd like to route alerts to a destination that is not natively supported but that has an API, you can use the Custom Webhook option to send alert notifications—see the Custom Webhook documentation for configuration instructions.
- Panther's API: If you'd like to receive Panther alerts at a destination that is not natively supported and that does not have an API, you can receive alerts by polling Panther's API for alerts on a schedule. See the available API operations for fetching and manipulating alerts on Alerts & Errors.
When you receive an alert to your configured destination, it’s time to investigate. Common investigation workflows include:
See the Investigations & Search documentation for more information on Panther’s data analysis tools.
For more information on triaging, assigning, and managing alerts, see the following documentation pages:
- Triage, use alert summaries, assign, un-assign, view alert history, and add comments to alerts.
- For many Panther-managed detections, find recommended steps to remediate the issue that triggered the alert.
- 1.Log in to your Panther Console.
- The landing page is the overview dashboard, where you can view alert metrics and a list of the alerts assigned to you. Continue on to the next steps to view a list of all alerts.
- 2.Click Alerts in the left sidebar.
- By default, this page lists alerts from most recent to oldest and displays only Open and Triaged alerts.
- 3.Filter the list as needed to narrow your results.
- 4.Click the tabs at the top of the list to filter by the alert type: Alerts, Detection Errors, or System Errors.
While viewing the list of alerts as described above, click an alert title to view the alert details page:
The alert details page includes:
- Basic information.
- This includes the detection that triggered the alert, the associated log types, the MITRE tactic, and the alert runbook.
- A list of event matches.
- For each event, you can view event time, event source, the associated
p_source_label, and IP information.
- External conversations.
- If there is additional context in a Slack Boomerang, Jira ticket, or Asana task where an alert was delivered, you can click the links in this section to view that information.
- Alert history.
- This includes a history of all status changes and comments.
- If the alert failed to deliver to one of the configured alert destinations, you will see an "Alert delivery failed" error above the history.
Each generated alert in Panther is enriched with the following timestamps:
The first time an event matched this rule
The time the event reported itself as happening
The time the event was processed by Panther
The last time an event matched this rule (in the case of deduplication)