Alerts & Destinations

Panther detections trigger alerts on suspicious behavior

Overview

Alerts are generated when your rules, scheduled rules, or policies detect suspicious behavior. When an alert is triggered, it is routed to the appropriate Alert Destination(s) using the Alert routing scenarios.
Panther can generate three types of alerts:
  • Alerts: This classification includes rule matches, policy matches, and scheduled rule matches from enabled detections.
  • Detection errors: These are generated due to incorrect code or permissions issues. When this occurs, a rule returns an error and the rule does not complete its run successfully. This includes rule errors and scheduled rule errors.
  • System errors: Panther's System Errors alert users when a part of the Panther platform is not functioning correctly. This includes log source inactivity, log classification failures, log source permission failures, alert delivery failures, and cloud account scanning failures.

Customizing alerts

You can customize the content of the alerts you receive for detection matches by using the alert functions in Python detections or alert keys in YAML detections.
These functions allow you to, for example, include the matching event (using alert_context() or AlertContext) or add event values to the alert title (using title() or AlertTitle).
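The following is an added example, not code from the Panther docs, of a Python detection that uses these alert functions: rule() decides whether an event matches, title() pulls event values into the alert title, dedup() folds repeated matches into one alert, and alert_context() attaches triage fields to the alert payload. Field names follow the AWS CloudTrail ConsoleLogin record layout and the sample events are constructed; the _deep_get helper is assumed here in place of Panther's own event accessors.

```python
# Added example (not from the Panther docs): a Python detection using the alert
# functions to customize the alert it raises. Sample events below are constructed.

def _deep_get(event: dict, *keys, default=None):
    """Walk nested dict keys, returning default if any key is missing."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def rule(event: dict) -> bool:
    """Match a successful console login by an IAM or root user that did not use MFA."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if _deep_get(event, "responseElements", "ConsoleLogin") != "Success":
        return False
    if _deep_get(event, "userIdentity", "type") not in ("IAMUser", "Root"):
        return False  # federated sessions satisfy MFA at the IdP; not scored here
    return _deep_get(event, "additionalEventData", "MFAUsed", default="No") != "Yes"

def title(event: dict) -> str:
    """Put the user and account into the alert title shown at every destination."""
    user = _deep_get(event, "userIdentity", "userName", default="root")
    account = event.get("recipientAccountId", "<unknown account>")
    return f"AWS console login without MFA for [{user}] in account [{account}]"

def dedup(event: dict) -> str:
    """Group repeated logins by the same user/account into one alert (see p_alert_update_time)."""
    return f"{event.get('recipientAccountId')}:{_deep_get(event, 'userIdentity', 'userName', default='root')}"

def alert_context(event: dict) -> dict:
    """Attach the fields an analyst needs for triage to the alert payload."""
    return {
        "user": _deep_get(event, "userIdentity", "userName", default="root"),
        "user_type": _deep_get(event, "userIdentity", "type"),
        "source_ip": event.get("sourceIPAddress"),
        "account_id": event.get("recipientAccountId"),
    }

# Constructed sample events (not real data) for checking the functions locally.
LOGIN_NO_MFA = {
    "eventName": "ConsoleLogin", "recipientAccountId": "123456789012",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "sourceIPAddress": "198.51.100.7",
    "responseElements": {"ConsoleLogin": "Success"},
    "additionalEventData": {"MFAUsed": "No"},
}
LOGIN_WITH_MFA = {**LOGIN_NO_MFA, "additionalEventData": {"MFAUsed": "Yes"}}
```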

Working with alerts

Receiving an alert

To receive alerts outside of the Panther Console, set up an alert destination and ensure it's configured to receive alerts based on the Alert routing scenarios.
When deciding how to receive an alert, consider the following options:
  • Natively supported destinations: Panther supports a number of alert destinations natively, like Slack, Jira, and Amazon SNS. See the Alert Destinations documentation for a complete list of supported destinations.
  • Custom Webhook: If you'd like to route alerts to a destination that is not natively supported but that has an API, you can use the Custom Webhook option to send alert notifications—see the Custom Webhook documentation for configuration instructions.
  • Panther's API: If you'd like to receive Panther alerts at a destination that is not natively supported and that does not have an API, you can receive alerts by polling Panther's API for alerts on a schedule. See the available API operations for fetching and manipulating alerts on Alerts & Errors.

Investigating an alert

When you receive an alert to your configured destination, it’s time to investigate. Common investigation workflows include:
See the Investigations & Search documentation for more information on Panther’s data analysis tools.

Triaging and managing alerts

For more information on triaging, assigning, and managing alerts, see the following documentation pages:

Viewing alerts

Viewing the alerts list in the Panther Console

  1. Log in to your Panther Console.
    • The landing page is the overview dashboard, where you can view alert metrics and a list of the alerts assigned to you. Continue on to the next steps to view a list of all alerts.
  2. Click Alerts in the left sidebar.
    • By default, this page lists alerts from most recent to oldest and displays only Open and Triaged alerts.
  3. Filter the list as needed to narrow your results.
  4. Click the tabs at the top of the list to filter by the alert type: Alerts, Detection Errors, or System Errors.

Viewing alert details in the Panther Console

While viewing the list of alerts as described above, click an alert title to view the alert details page:
[Screenshot: an alert tile on the alerts list page, with the title "AWS login detected without MFA for x in x account x" circled; the Severity, Assignee and Alert Status fields appear below and next to the title.]
The alert details page includes:
  • Basic information.
    • This includes the detection that triggered the alert, the associated log types, the assignee, the alert status, the MITRE tactic, and the alert runbook.
  • A list of event matches.
    • For each event, you can view event time, event source, the associated p_log_type and p_source_label, and IP information.
  • External conversations.
    • If there is additional context in a Slack Boomerang, Jira ticket, or Asana task where an alert was delivered, you can click the links in this section to view that information.
    • You can also add comments to an alert in this section.
  • Alert history.
    • This includes a history of all status changes and comments.
    • If the alert failed to deliver to one of the configured alert destinations, you will see an "Alert delivery failed" error above the history.
The Summary tab on the alert details page is described in Assigning and Managing Alerts.

Reference

Alert timestamps

Each generated alert in Panther is enriched with the following timestamps:
  • p_alert_creation_time: The first time an event matched this rule.
  • p_event_time: The time the event reported itself as happening.
  • p_parse_time: The time the event was processed by Panther.
  • p_alert_update_time: The last time an event matched this rule (in the case of deduplication).