Knowledge BaseCommunityRelease NotesTraining VideosRequest Demo
Search
K
Links

Assigning and Managing Alerts

Manage Alerts in the Panther Console

Overview

Panther's Alert Management feature allows you to assign alerts to Panther users, view an activity history of alert updates, add comments with rich text support, and quickly tune detections—all from the Panther Console.

Triaging alerts

You can apply the following statuses to alerts while triaging them in Panther:
  • Open: This is the default state of new alerts with a Severity level of Low, Medium, High, or Critical.
  • Invalid: Use this to triage noisy alerts that might have been generated in error.
  • Resolved: Use this to triage alerts that are valid but resolved. This is the default state of alerts with a Severity level of Info.
  • Triaged: Use this to triage alerts that are valid but still in process of being resolved due to further investigation.
By default, the list of alerts on the Alerts page displays only Open and Triaged alerts.
Changing the status of an alert does not reset the deduplication period of the associated rule or scheduled rule. This means, for example, if an alert is marked Resolved before the deduplication period is complete, and events triggering the alert continue to stream in, they will be associated with the same Resolved alert, not a new one.

Bulk triaging alerts in Panther

If performing bulk triaging on groups of alerts, you can check Select All:
The Alerts page is displayed, and alerts are listed at the bottom. The "Select All" checkbox near the top of the page is circled.
By default, the bulk selector will select everything currently loaded on the page.
If you'd like to select all filtered results (beyond what is currently loaded on the page), click Select all Alerts that match this search. This will select everything within the filtered results. Once a mass action is performed using this option, there may be a slight delay in the mass action being completed if you are triaging a large quantity of alerts. Make sure to refresh the page to see the final results of the mass action.
On the Alerts list page, there is a note reading, "Showing results between 2023-02-01 10:00 GMT-5 - 2023-06-26 10:46 GMT-4" then "75 items on this page are selected. Select all that match this search."

View and triage alerts in Slack

If a Slack Bot Alert Destination is configured, alerts can be viewed and managed directly from Slack:
A Slack Bot alert is shown, with an Alert Summary, Runbook, Severity, Status, and buttons to "View in Panther," "Set Assignee" and "Update Status"
For more information, see Managing Alerts in Slack.

How to use Alert Summaries

An Alert Summary showcases the most common values that were found in the alert's events based on the summary attributes you select. The alert summary will help you quickly understand the answers to the Who , What, Where questions you have when triaging matching events in a rule match.
This feature is especially useful when a rule has generated large numbers of matching events, making understanding the nature of the threat difficult. The Alert Summaries provide an overview of all of the matching events to avoid having to manually review each event.
For an example use case, see the Examples section at the bottom of this page.

Adding summary attributes to detections

You can define Summary Attributes when creating a rule or scheduled rule:
The Rule Settings creation form has a "Summary Attributes" field in the lower right corner.
When defining the Summary Attributes for a rule, you should pick attributes that will help you understand the nature of an alert at a glance.

Viewing an alert summary

  1. 1.
    In the left-hand navigation bar of your Panther Console, click Alerts.
  2. 2.
    Click an alert's title to view its details page.
  3. 3.
    Click the Summary tab.
    While viewing a rule, the Summary tab is selected
The Summary tab displays the top five attributes for each declared Summary Attribute.
While viewing the Alert Summary, hover over the alert. A "Copy" icon will appear on the right side. Click the icon to copy the attribute value to use in Data Explorer.
For fields that start with p_, you will also see a "Search" icon appear on the right side. Click the "Search" icon to open Indicator Search and view all hits for that attribute in your data lake.
On the right side of an alert summary, there are clickable icons for "Copy" and "Indicator Search."

How to assign and unassign alerts

A user with the View Alerts permission can assign alerts to Panther users. When an alert is assigned, the user receives an email notification indicating the assignment. The email includes a link to open the alert in the Panther Console.

Assigning alerts

  1. 1.
    In the left-hand navigation bar of your Panther Console, click Alerts.
    • A list of alerts will be displayed.
  2. 2.
    On the right side of an alert in the list, click the Assignee dropdown menu.
    • Select the user you want to assign the alert to.
The Assignee dropdown menu is on the right side of an alert in the Alerts list. It is circled.
You can also assign an alert from the Alert Details page in the Panther Console. The Assignee dropdown menu is located at the top of the page.
The assignee menu appears at the top of the alert details page. It is circled.

Unassigning alerts

  1. 1.
    In the left-hand navigation bar of your Panther Console, click Alerts.
    • A list of alerts will be displayed.
  2. 2.
    On the right side of an alert in the list, click the Assignee dropdown menu. Select Unassigned from the dropdown.
The Assignee dropdown menu is expanded and there is an option labeled "Unassigned."

Assign multiple alerts at once

  1. 1.
    In the left-hand navigation bar of your Panther Console, click Alerts.
  2. 2.
    Select the checkbox next to multiple individual alerts, or select the checkbox next to Select All in the upper left corner to select all alerts loaded on the current page.
    • Only the alerts currently loaded on the page may be assigned at once. If additional alerts match the filter criteria, and a user selects Select all that match this search, the Assignee dropdown will disappear.
  3. 3.
    At the top of the Alerts list, click the Assignee dropdown menu. Select the person who you want to assign the alerts to.
In the alerts list, all alerts have been selected. The assignee dropdown menu is open, and it is circled.

Managing alerts externally

Slack

Panther's Slack Bot Alert Destination enables you to view and manage alerts directly from Slack, including the use of Slack Bot Boomerang and Threat Intel features. See Managing Alerts in Slack for more information.

Asana

Panther's Asana Alert Destination includes the ability to sync alert statuses to update the status of any corresponding Asana Tasks.

Jira

Panther's Jira Alert Destination includes the ability to sync alert statuses to update the status of any corresponding Jira issues.

Viewing alert activity history

  1. 1.
    In the Panther Console, click Alerts in the left sidebar.
  2. 2.
    Click into an alert to view its Alerts Details page.
  3. 3.
    Scroll down to Alert History to view a history of all status changes and comments. The activity is sorted in reverse chronological order, so that the most recent change appears on top.
An alert's Alert History. The example history shows an event that says "A Panther user updated the status to open."
If the status of an assigned alert is changed, the assignee will receive an email notification with details of the change, with a link to open the alert in the Panther Console.

Adding comments to alerts

Users with the Manage Alerts permission can add rich text comments to alerts from the Alerts Details page. Text formatting is supported for bold, italics, lists, code blocks, quote blocks, and hyperlinks. User mentions and modifying or deleting comments are currently unsupported.
The syntax and formatting output is detailed below.
Syntax:
**Bold** (alternatively: __bold__ OR highlight text + CMD/CTRL+B)
*Italics* (alternatively: _italics_ OR highlight text + CMD/CTRL+I)
- Unordered list
1. Ordered list
```
Code block
```
`Single line code block`
> Quote block
https://panther.com/URL
Formatting result from the syntax above:
Rich text formatting in comments

Quick rule tuning from alerts (beta)

You can quickly tune the rule that triggered an alert directly from the alert itself, by adding Rule Filters. This is particularly helpful if the alert is a false positive, and you'd like to tune the triggered detection so it won't match on similar events in the future. See Add filters from an alert event for instructions.
Note that quick detection tuning from alerts is available only within alerts triggered by rules, not policies nor scheduled rules.

Examples

Alert summary use case example

For example, say we have written a rule to find "Sneaky" traffic hitting our load balancer. This rule runs against theAWS.ALB logs. If we pick the Panther standard field p_any_ip_addresses and userAgent, then when we view an alert we can quickly see the top five values in the matching events. This can significantly speed up alert triage.
The Panther Console's "Rule Settings" page for a rule is displayed. The ID field contains the text "Sketchy ALB Traffic." The Summary Attributes field contains "p_any_ip_addresses" and "userAgent".
In this example, the first summary is p_any_ip_addreses. Notice that when you hover over a bar in the summary, a "Copy" icon and a "Search" icon appear. You can copy the attribute value to use in a SQL search or you can quickly pivot to an Indicator Search.
The alert summary for p_any_ip_addresses is displayed. There is a "Copy" button next to the attribute so you can easily paste it into Indicator Search.
Click the arrow above the chart to navigate to the next summary, and use the "Attribute" dropdown menu in the upper right to select a different attribute.
If a rule does not have any Summary Attributes defined, then summaries will be computed for all the Panther standard p_any fields associated with the target log types.
Previous
Tines Destination
Next
Managing Alerts in Slack
Last modified 22d ago