Alerts & Destinations

Panther detections trigger alerts on suspicious behavior

Overview
Alerts are generated when your rules, scheduled rules, or policies detect suspicious behavior. When an alert is triggered, it is routed to the appropriate Alert Destination(s) using the Alert routing scenarios.
Panther can generate three types of alerts:
Alerts: This classification includes rule matches, policy matches, and scheduled rule matches from enabled detections. 
Detection errors: These are generated due to incorrect code or permissions issues. When this occurs, a rule returns an error and the rule does not complete its run successfully. This includes rule errors and scheduled rule errors.
System errors:  Panther's System Health notifications alert users when a part of the Panther platform is not functioning correctly. This includes log source inactivity, log classification failures, log source permission failures, alert delivery failures, and cloud account scanning failures. 
To learn more about these errors, see the System Health Notification documentation.
Working with alerts
Receiving an alert
To receive alerts outside of the Panther Console, set up an alert destination and ensure it's configured to receive alerts based on the Alert routing scenarios. 
When deciding how to receive an alert, consider the following options:
Natively supported destinations: Panther supports a number of alert destinations natively, like Slack, Jira, and Amazon SNS. See the Alert Destinations documentation for a complete list of supported destinations. 
Custom Webhook: If you'd like to route alerts to a destination that is not natively supported but that has an API, you can use the Custom Webhook option to send alert notifications—see the Custom Webhook documentation for configuration instructions.
Panther's API: If you'd like to receive Panther alerts at a destination that is not natively supported and that does not have an API, you can receive alerts by polling Panther's API for alerts on a schedule. See the available API operations for fetching and manipulating alerts on Alerts & Errors. 
Investigating an alert
When you receive an alert to your configured destination, it’s time to investigate. Common investigation workflows include:
Reviewing data from the Panther Console overview dashboard.
Using Indicator Search to investigate Indicators of Compromise (IOCs).
Using Data Explorer to search robustly using SQL.
Using Query Builder to conduct a search without extensive SQL knowledge.
See the Investigations & Search documentation for more information on Panther’s data analysis tools.
Triaging and managing alerts
For more information on triaging, assigning, and managing alerts, see the following documentation pages:
​Assigning and Managing Alerts​
Triage, use alert summaries, assign, un-assign, view alert history, and add comments to alerts.
​Quickly tune detections directly from alerts.
You can also manage alerts in Slack when using the Slack Bot alert destination.
​Alert Runbooks​
For many Panther-managed detections, find recommended steps to remediate the issue that triggered the alert.
Viewing alerts
Viewing the alerts list in the Panther Console
1.Log in to your Panther Console.
The landing page is the overview dashboard, where you can view alert metrics and a list of the alerts assigned to you. Continue on to the next steps to view a list of all alerts.
2.Click Alerts in the left sidebar.
By default, this page lists alerts from most recent to oldest and displays only Open and Triaged alerts.
3.Filter the list as needed to narrow your results.
​
4.Click the tabs at the top of the list to filter by the alert type: Alerts, Detection Errors, or System Errors.
​
Viewing alert details in the Panther Console
While viewing the list of alerts as described above, click an alert title to view the alert details page:
The alert details page includes:
Basic information.
This includes the detection that triggered the alert, the associated log types, the MITRE tactic, and the alert runbook.
A list of event matches. 
For each event, you can view event time, event source, the associated p_log_type and p_source_label, and IP information. 
External conversations.
If there is additional context in a Slack Boomerang, Jira ticket, or Asana task where an alert was delivered, you can click the links in this section to view that information.
You can also add comments to an alert in this section.
Alert history.
This includes a history of all status changes and comments.
If the alert failed to deliver to one of the configured alert destinations, you will see an "Alert delivery failed" error above the history.
The Summary tab on the alert details page is described in Assigning and Managing Alerts.
Reference
Alert timestamps
Each generated alert in Panther is enriched with the following timestamps:
p_alert_creation_time
The first time an event matched this rule
p_event_time
The time the event reported itself as happening
p_parse_time
The time the event was processed by Panther
p_alert_update_time
The last time an event matched this rule (in the case of deduplication)

WAF Web ACL

Alert Destinations

Last modified 2mo ago

`p_alert_creation_time`	The first time an event matched this rule
`p_event_time`	The time the event reported itself as happening
`p_parse_time`	The time the event was processed by Panther
`p_alert_update_time`	The last time an event matched this rule (in the case of deduplication)