# Assigning and Managing Alerts

## Overview

Panther's Alert Management feature allows you to assign alerts to Panther users, view an activity history of alert updates, add comments with rich text support, and [quickly tune detections](#quick-rule-tuning-from-alerts)—all from the Panther Console.

## Triaging alerts

### Alert status

{% hint style="warning" %}
In a future Panther release, the `Invalid` alert status will be deprecated.

Instead of marking alerts as `Invalid`, it's recommended to set [alert quality](#alert-quality) to `Noise` and add appropriate [context tags](#context-tags). This provides more granular information and better supports alert analysis.
{% endhint %}

You can apply the following statuses to alerts while triaging them in Panther:

* **Open**: This is the default state of new alerts with a Severity level of Low, Medium, High, or Critical.
* **Invalid**: Use this to triage noisy alerts that might have been generated in error.
* **Resolved**: Use this to triage alerts that are valid but resolved. This is the default state of alerts with a Severity level of Info.
* **Triaged**: Use this to triage alerts that are valid but still in the process of being resolved because further investigation is underway.

  <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-4d1c2ba5d70c654815c40175c553391ab3262b83%2Falert-status-dropdown.png?alt=media" alt="" width="143"><figcaption></figcaption></figure>

By default, the list of alerts on the **Alerts** page displays only Open and Triaged alerts.

Changing the status of an alert does not reset the [deduplication period](https://docs.panther.com/detections/rules#deduplication) of the associated rule or scheduled rule. This means, for example, if an alert is marked `Resolved` before the deduplication period is complete, and events triggering the alert continue to stream in, they will be associated with the same `Resolved` alert, not a new one.

### Alert quality

{% hint style="info" %}
Alert quality is in open beta starting with Panther version 1.118. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

You can use alert quality to distinguish between alerts that are working as intended and those that need tuning:

* **Useful**: The detection worked as intended and you want to receive this alert again. Use for valid security findings.
* **Noise**: The alert fired incorrectly and needs tuning. Use for false positives or alerts that don't provide value.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FPqDOKZUJEKVcJxCWR42u%2FScreenshot%202025-12-11%20at%209.10.19%E2%80%AFAM.png?alt=media&#x26;token=a5d3a117-569e-498a-829a-0c1662727593" alt="Alert details page with alert quality highlighted" width="563"><figcaption></figcaption></figure>

Alert quality is separate from the [alert status](#alert-status). An alert can be marked as Noise but still have a status of Open or Triaged.

When you modify an alert's quality, it is recorded in the alert's **Activity** log:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FFd2oZJgEcF2VOPBndite%2FScreenshot%202025-12-14%20at%2010.03.40%E2%80%AFAM.png?alt=media&#x26;token=a2ea7526-781c-4bdf-90bc-207726ade3d0" alt="" width="375"><figcaption></figcaption></figure>

#### Querying alerts with a certain quality value in Search

To [query your alerts in Search](https://docs.panther.com/alerts/..#viewing-alerts-in-search) that have a specific quality value:

1. In the [database filter](https://docs.panther.com/search/search-tool#using-database-table-and-date-range-filters), select **Signals**.
2. In the [table filter](https://docs.panther.com/search/search-tool#using-database-table-and-date-range-filters), select **Alerts**.
3. [Create a key/value filter expression](https://docs.panther.com/search/search-tool#key-value-filter-expression) with the **Quality** field and a value of **USEFUL** or **NOISE**.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2F0eEROOZchliS9LakxSTS%2FScreenshot%202025-12-11%20at%2011.59.34%E2%80%AFAM.png?alt=media&#x26;token=731af842-a513-4bc9-82da-503684a67a36" alt="A filter chip reads &#x22;quality is USEFUL&#x22;" width="147"><figcaption></figcaption></figure>

{% hint style="warning" %}
Note that values for the `quality` field in Search are case-sensitive.
{% endhint %}

### Context tags

{% hint style="info" %}
Context tags are in open beta starting with Panther version 1.118. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

Context tags provide additional information about why an alert occurred. You can use the [built-in tags](#built-in-alert-context-tags) Panther provides and/or [create your own custom tags](#custom-alert-context-tags).

You can add up to 10 context tags per alert.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FDmGo8WyUS24Me7BBkE2t%2FScreenshot%202025-12-11%20at%209.14.17%E2%80%AFAM.png?alt=media&#x26;token=f56a7c81-7715-402a-9dcd-fa56d627d5aa" alt="Alert details page with the &#x22;context tags&#x22; highlighted" width="563"><figcaption></figcaption></figure>

When you modify an alert's context tags, it is recorded in the alert's **Activity** log:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fewpo2c0vPQlLGZE28uXz%2FScreenshot%202025-12-14%20at%2010.03.40%E2%80%AFAM.png?alt=media&#x26;token=60b86ed1-dbc1-445e-b9b7-f2df311c0299" alt="" width="375"><figcaption></figcaption></figure>

#### Built-in alert context tags

The following tags are built-in:

<details>

<summary><strong>Operational issues</strong></summary>

* alert-delivery-failure
* classification-error
* configuration-error
* rule-error
* source-no-data

</details>

<details>

<summary><strong>Investigation outcomes</strong></summary>

* benign
* duplicate
* inconclusive
* insufficient-data
* resolved-with-ai

</details>

<details>

<summary><strong>Detection issues</strong></summary>

* enrichment-needed
* false-positive
* threshold-too-sensitive
* tuning-needed

</details>

<details>

<summary><strong>Legitimate activity</strong></summary>

* admin-activity
* approved-change
* automated-process
* service-account
* testing-activity

</details>

<details>

<summary><strong>Detected threats</strong></summary>

* account-takeover
* credential-compromise
* data-exfiltration
* lateral-movement
* malicious-binary
* persistence-mechanism
* privilege-escalation

</details>

#### Custom alert context tags

You can create custom alert context tags when the [built-in tags](#built-in-alert-context-tags) aren't sufficient. Custom tags:

* Are shared across your organization
* Must be unique (case-insensitive matching)
  * Tags are automatically normalized to lowercase with underscores (e.g., "My Custom Tag" becomes "my\_custom\_tag")
* Must be 3-30 characters long, and can contain letters, numbers, spaces, dashes, and underscores

You can create custom tags in two ways:

{% tabs %}
{% tab title="Alert details page" %}

#### Creating a custom alert context tag from an alert details page

1. On an alert details page, click **+**.
2. Enter the name of the tag you'd like to create.
3. Click the resulting option, or press `Enter`.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2F66sv7m4Nvp2le09Y4toP%2FScreenshot%202025-12-14%20at%2010.02.47%E2%80%AFAM.png?alt=media&#x26;token=6276171d-41c1-47a7-8256-1f0c6adf0648" alt="An arrow is drawn from a plus sign to a field where &#x22;Incident Created&#x22; is entered." width="563"><figcaption></figcaption></figure>
{% endtab %}

{% tab title="Settings page" %}

#### Creating a custom alert context tag from the settings page

1. Click the gear icon (Settings) > **Alert Context Tags**.

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FWAKTDjjtRkiYnBUI0Owx%2FScreenshot%202025-12-22%20at%203.07.26%E2%80%AFPM.png?alt=media&#x26;token=795b27f0-57a1-4072-a54f-ad0bdb0fcff3" alt="" width="181"><figcaption></figcaption></figure>

   * On the **Alert Context Tags** page, you can view your built-in and custom tags, as well as delete or edit a custom tag.

     <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FqigwiMQius3iFlq4LdFQ%2FScreenshot%202025-12-22%20at%203.09.27%E2%80%AFPM.png?alt=media&#x26;token=c3309236-e927-4a2f-b559-99275bb38b6e" alt="" width="375"><figcaption></figcaption></figure>
2. Click **New Tag**.
3. Enter a **Tag Name**.
4. Click **Create Tag**.

{% endtab %}
{% endtabs %}

#### Querying alerts with a certain tag in Search

To [query your alerts in Search](https://docs.panther.com/alerts/..#viewing-alerts-in-search) that have a certain tag:

1. In the [database filter](https://docs.panther.com/search/search-tool#using-database-table-and-date-range-filters), select **Signals**.
2. In the [table filter](https://docs.panther.com/search/search-tool#using-database-table-and-date-range-filters), select **Alerts**.
3. [Create a key/value filter expression](https://docs.panther.com/search/search-tool#key-value-filter-expression) with the **contextTags** field and one or more of the context tags listed above.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FCngLLTYLbkhrBCtNuRy9%2FScreenshot%202025-12-11%20at%2012.13.30%E2%80%AFPM.png?alt=media&#x26;token=6b258756-a9c2-41a8-bf2e-9a7b365f8bf8" alt="A filter chip reads &#x22;contextTags has data-exfiltration&#x22;" width="277"><figcaption></figcaption></figure>

{% hint style="warning" %}
Note that values for the `contextTags` field are case-sensitive.

Panther stores context tags as lowercase values with dashes instead of spaces.
{% endhint %}

### Bulk updating alerts in Panther

It is possible to update the status or assignee for a group of alerts in bulk.

You can do this via [script or API](https://help.panther.com/articles/5705324653-how-do-i-update-my-panther-alert-statuses-or-assignees-in-bulk), or in the Panther Console:

* To select only the alerts on the current page, check **Select All**:
  * By default, the bulk selector will select everything currently loaded on the page.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e0b2f337ec3884ef2a8ee9545f46b74ba2d652de%2FScreenshot%202023-06-27%20at%2010.43.32%20AM.png?alt=media" alt="The Alerts page is displayed, and alerts are listed at the bottom. The &#x22;Select All&#x22; checkbox near the top of the page is circled." width="563"><figcaption></figcaption></figure>

* To select all filtered results (beyond what is currently loaded on the page), click **Select all Alerts that match this search**.
  * This will select everything within the filtered results.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-12c45dde4ebe9bc0fde63bf01369a5d18bc2a19b%2FScreenshot%202023-06-27%20at%2010.47.34%20AM.png?alt=media" alt="On the Alerts list page, there is a note reading, &#x22;Showing results between 2023-02-01 10:00 GMT-5 - 2023-06-26 10:46 GMT-4&#x22; then &#x22;75 items on this page are selected.  Select all that match this search.&#x22;" width="563"><figcaption></figcaption></figure>

Once a mass action is performed using this option, there may be a slight delay in the mass action being completed if you are triaging a large quantity of alerts. Make sure to refresh the page to see the final results of the mass action.

### View and triage alerts in Slack

If a [Slack Bot Alert Destination](https://docs.panther.com/alerts/destinations/slack-bot) is configured, alerts can be viewed and managed directly from Slack:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-3e26f0250bf898cdc51ffcb0835b3312c5a8d895%2Fimage.png?alt=media" alt="A Slack Bot alert is shown, with an Alert Summary, Runbook, Severity, Status, and buttons to &#x22;View in Panther,&#x22; &#x22;Set Assignee&#x22; and &#x22;Update Status&#x22;" width="563"><figcaption></figcaption></figure>

For more information, see [Managing Alerts in Slack](https://docs.panther.com/alerts/alert-management/slack).

## How to use Alert Summaries

An Alert Summary showcases the most common values that were found in the alert's events based on the summary attributes you select. The alert summary will help you quickly understand the answers to the `Who`, `What`, and `Where` questions you have when triaging matching events in a rule match.

This feature is especially useful when a rule has generated large numbers of matching events, making understanding the nature of the threat difficult. The Alert Summaries provide an overview of all of the matching events to avoid having to manually review each event.

For an example use case, see the [Examples](#examples) section at the bottom of this page.

{% hint style="info" %}
Note that this feature is different from the [AI-generated summary of alerts](https://docs.panther.com/alerts/..#alert-list-ai-summary) in the Panther Console.
{% endhint %}

### Adding summary attributes to detections

You can define Summary Attributes when [creating a rule or scheduled rule](https://docs.panther.com/detections/rules#how-to-write-rules):

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-64afe37e847bdc08e99a474820eb0bf6785fcb12%2Fsummary-attribute.png?alt=media" alt="The Rule Settings creation form has a &#x22;Summary Attributes&#x22; field in the lower right corner."><figcaption></figcaption></figure>

When defining the Summary Attributes for a rule, you should pick attributes that will help you understand the nature of an alert at a glance.

### Viewing an alert summary

1. In the left-hand navigation bar of your Panther Console, click **Alerts**.
2. Click an alert's title to view its details page.
3. Click the **Summary** tab.\
   ![While viewing a rule, the Summary tab is selected](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-4dc630f40a09f56e00ad9765d4421b182fb0ba35%2FScreen%20Shot%202022-09-27%20at%203.26.21%20PM.png?alt=media)

The **Summary** tab displays the top five attributes for each declared Summary Attribute.

### Pivoting to Search

While viewing the Alert Summary, hover over the alert. A "Copy" icon will appear on the right side. Click the icon to copy the attribute value to use in Data Explorer.

For fields that start with `p_`, you will also see a "Search" icon appear on the right side. Click the "Search" icon to open [Search](https://docs.panther.com/search/search-tool) and view all hits for that attribute in your data lake.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-85c4a4488ba556c9e13f826fbbfce6fd8b265623%2Fsummary-indicator-search.png?alt=media" alt="On the right side of an alert summary, there are clickable icons for &#x22;Copy&#x22; and &#x22;Search.&#x22;"><figcaption></figcaption></figure>

## How to assign and unassign alerts

A user with the `View Alerts` permission can assign alerts to Panther users. When an alert is assigned, the user receives an email notification indicating the assignment. The email includes a link to open the alert in the Panther Console.

### Assigning alerts

1. In the left-hand navigation bar of your Panther Console, click **Alerts**.
   * A list of alerts will be displayed.
2. On the right side of an alert in the list, click the **Assignee** dropdown menu.
   * Select the user you want to assign the alert to.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-2a8c3beae0d8aa6af735236d3d6a14d1650f7f4c%2FScreenshot%202023-06-27%20at%2010.57.41%20AM.png?alt=media" alt="The Assignee dropdown menu is on the right side of an alert in the Alerts list. It is circled." width="563"><figcaption></figcaption></figure>

You can also assign an alert from the Alert Details page in the Panther Console. The **Assignee** dropdown menu is located at the top of the page.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-ceb758ccbfa29e716a407eaec8adc83090a3819c%2FScreenshot%202023-06-27%20at%2011.00.14%20AM.png?alt=media" alt="The assignee menu appears at the top of the alert details page. It is circled." width="563"><figcaption></figcaption></figure>

### Unassigning alerts

1. In the left-hand navigation bar of your Panther Console, click **Alerts**.
   * A list of alerts will be displayed.
2. On the right side of an alert in the list, click the Assignee dropdown menu. Select `Unassigned` from the dropdown.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-0a8d6757291ec4f03c29c8048948776fd9a36caa%2Fimage.png?alt=media" alt="The Assignee dropdown menu is expanded and there is an option labeled &#x22;Unassigned.&#x22;"><figcaption></figcaption></figure>

### Assign multiple alerts at once

1. In the left-hand navigation bar of your Panther Console, click **Alerts**.
2. Select the checkbox next to multiple individual alerts, or select the checkbox next to **Select All** in the upper left corner to select all alerts loaded on the current page.
   * Only the alerts currently loaded on the page may be assigned at once. If additional alerts match the filter criteria, and a user selects **Select all that match this search**, the Assignee dropdown will disappear.
3. At the top of the Alerts list, click the **Assignee** dropdown menu. Select the person who you want to assign the alerts to.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e90664a016ed463559a9c44f5a82f12d6226ab65%2FScreenshot%202023-06-27%20at%2011.09.46%20AM.png?alt=media" alt="In the alerts list, all alerts have been selected. The assignee dropdown menu is open, and it is circled." width="563"><figcaption></figcaption></figure>

## Managing alerts externally

#### Slack

Panther's [Slack Bot Alert Destination](https://docs.panther.com/alerts/destinations/slack-bot) enables you to view and manage alerts directly from Slack, including the use of Slack Bot Boomerang and Threat Intel features. See [Managing Alerts in Slack](https://docs.panther.com/alerts/alert-management/slack) for more information.

#### Asana

Panther's [Asana Alert Destination](https://docs.panther.com/alerts/destinations/asana) includes the ability to sync alert statuses to update the status of any corresponding Asana Tasks.

#### Jira

Panther's [Jira Alert Destination](https://docs.panther.com/alerts/destinations/jira) includes the ability to sync alert statuses to update the status of any corresponding Jira issues.

## Viewing alert activity history

1. In the Panther Console, click **Alerts** in the left sidebar.
2. Click into an alert to view its Alerts Details page.
3. Scroll down to **Alert History** to view a history of all status changes and comments. The activity is sorted in reverse chronological order, so that the most recent change appears on top.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-5d0d3794b15dbf8c1b621c0a66d0da0e526ddfe7%2Falert-management-activity-history.png?alt=media" alt="An alert&#x27;s Alert History. The example history shows an event that says &#x22;A Panther user updated the status to open.&#x22;"><figcaption></figcaption></figure>

If the status of an assigned alert is changed, the assignee will receive an email notification with details of the change, with a link to open the alert in the Panther Console.

## Adding comments to alerts

Users with the `Manage Alerts` permission can add rich text comments to alerts from the **Alerts Details** page. You can also interact with alert comments [using the REST API](https://docs.panther.com/panther-developer-workflows/api/rest/alert-comments).

Updating comments is only possible [using the REST API](https://docs.panther.com/panther-developer-workflows/api/rest/alert-comments#alert-comments-id-1). Deleting comments and mentioning users is not supported.

Text formatting is supported for bold, italics, lists, code blocks, quote blocks, and hyperlinks. The syntax and formatting output is detailed below.

Syntax:

````
**Bold** (alternatively: __bold__ OR highlight text + CMD/CTRL+B)

*Italics* (alternatively: _italics_ OR highlight text + CMD/CTRL+I)

- Unordered list

1. Ordered list

```
Code block
```

`Single line code block`

> Quote block

https://panther.com/URL
````

Formatting result from the syntax above:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-a014565bd36d1672de6948251af8839c2a4e6feb%2Fimage.png?alt=media" alt="Rich text formatting in comments"><figcaption></figcaption></figure>

## Quick rule tuning from alerts <a href="#quick-rule-tuning-from-alerts" id="quick-rule-tuning-from-alerts"></a>

You can quickly tune the rule that triggered an alert directly from the alert itself, by adding [Rule Filters](https://docs.panther.com/detections/rules/inline-filters). This is particularly helpful if the alert is a false positive, and you'd like to tune the triggered detection so it won't match on similar events in the future. See [Add filters from an alert event](https://docs.panther.com/detections/rules/inline-filters#add-filters-from-an-alert-event) for instructions.

Note that quick detection tuning from alerts is available only within alerts triggered by rules, not by policies or scheduled rules.

## Examples

### Alert summary use case example

For example, say we have written a rule to find suspicious traffic hitting our load balancer. This rule runs against the `AWS.ALB` logs. If we pick the Panther standard field `p_any_ip_addresses` and `userAgent`, then when we view an alert we can quickly see the top five values in the matching events. This can significantly speed up alert triage.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-1039236bdf2060efe1ec192e7d3185ec8b07606a%2Frule-with-summary-attributes.png?alt=media" alt="The Panther Console&#x27;s &#x22;Rule Settings&#x22; page for a rule is displayed. The ID field contains the text &#x22;Sketchy ALB Traffic.&#x22; The Summary Attributes field contains &#x22;p_any_ip_addresses&#x22; and &#x22;userAgent&#x22;."><figcaption></figcaption></figure>

In this example, the first summary is `p_any_ip_addresses`. When you hover over a bar in the summary, "copy" and "search" icons appear. You can copy the attribute value to use in a SQL search or quickly pivot to [Search](https://docs.panther.com/search/search-tool).

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-2f9e4fc787d61b9a386490471ba22863dbcc51a5%2Fsummary-example.png?alt=media" alt="The alert summary for p_any_ip_addresses is displayed. There is a &#x22;Copy&#x22; button next to the attribute so you can easily paste it into Search."><figcaption></figcaption></figure>

Click the arrow above the chart to navigate to the next summary, and use the "Attribute" dropdown menu in the upper right to select a different attribute.

If a rule does not have any Summary Attributes defined, then summaries will be computed for all the Panther standard `p_any` fields associated with the target log types.
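The following Python example is an added illustration of the summary logic described in this section; it is not Panther's implementation and not part of the original documentation. The `summarize` function, the `SAMPLE_EVENTS` data, and the fallback (using every `p_any` field present in the events) are assumptions made for the example.

```python
from collections import Counter


def _event(ip, agent):
    """Build one constructed event shaped like an AWS.ALB rule match."""
    return {
        "userAgent": agent,
        # p_any_ip_addresses is an array: the client IP plus the (constructed)
        # internal target address that appears in every request.
        "p_any_ip_addresses": [ip, "10.0.0.5"],
        "p_any_domain_names": ["app.example.com"],
    }


# Constructed sample data, not real log events.
SAMPLE_EVENTS = (
    [_event("203.0.113.7", "python-requests/2.31.0") for _ in range(6)]
    + [_event("203.0.113.9", "curl/8.4.0") for _ in range(3)]
    + [_event("198.51.100.2", "curl/8.4.0") for _ in range(2)]
    + [_event("198.51.100.3", "Go-http-client/1.1")]
    + [_event("198.51.100.4", "Mozilla/5.0")]
    + [_event("198.51.100.5", "Wget/1.21")]
)


def _values(event, attribute):
    """Return an attribute's values as a list; array fields yield each element."""
    value = event.get(attribute)
    if value is None:
        return []
    if isinstance(value, (list, tuple, set)):
        return [v for v in value if v is not None]
    return [value]


def summarize(events, summary_attributes=None, top_n=5):
    """Return {attribute: [(value, event_count), ...]} with the top_n values.

    If no summary attributes are given, fall back to every p_any field seen
    in the events (an approximation of the documented default behaviour).
    """
    if not summary_attributes:
        summary_attributes = sorted(
            {key for event in events for key in event if key.startswith("p_any")}
        )
    summary = {}
    for attribute in summary_attributes:
        counts = Counter()
        for event in events:
            # Count each distinct value once per event so that a value
            # repeated inside one array does not inflate its rank.
            counts.update(set(_values(event, attribute)))
        # Sort by count (descending), then by value for a stable order.
        ranked = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))
        summary[attribute] = ranked[:top_n]
    return summary


if __name__ == "__main__":
    for attribute, top in summarize(
        SAMPLE_EVENTS, ["p_any_ip_addresses", "userAgent"]
    ).items():
        print(attribute)
        for value, count in top:
            print(f"  {count:>3}  {value}")
```

In the sample data, the top `p_any_ip_addresses` value is the internal address present in every event, so when triaging it is worth reading past the first bar to find the external sources.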
