Knowledge BaseCommunityRelease NotesTry Panther
Search
⌃K
Links

Assigning and Managing Alerts

Manage Alerts in the Panther Console

Overview

Panther's Alert Management feature allows you to assign alerts to Panther users, view an activity history of alert updates, add comments with rich text support, and quickly tune detections—all from the Panther Console.

Triaging alerts

You can apply the following statuses to alerts while triaging them in Panther:
  • Open: This is the default state of new alerts with a Severity level of Low, Medium, High, or Critical.
  • Invalid: Use this to triage noisy alerts that might have been generated in error.
  • Resolved: Use this to triage alerts that are valid but resolved. This is the default state of alerts with a Severity level of Info.
  • Triaged: Use this to triage alerts that are valid but still in process of being resolved due to further investigation.
    The "Alert Status" dropdown includes options for Open, Invalid, Resolved, and Triaged.
By default, the list of alerts on the Alerts page displays only Open and Triaged alerts.
Changing the status of an alert does not reset the deduplication period of the associated rule or scheduled rule. This means, for example, if an alert is marked Resolved before the deduplication period is complete, and events triggering the alert continue to stream in, they will be associated with the same Resolved alert, not a new one.

Bulk triaging alerts in Panther

If performing bulk triaging on groups of alerts, you can use the bulk select option (pictured below).
The Alerts page is displayed, and alerts are listed at the bottom. The box next to "Select all Alerts" is checked, and the alerts in the list are selected.
By default, the bulk selector will select everything on the current page.
If you'd like to select everything within the filtered results (beyond the first page), click Select all Alerts that match this search. This will select everything within the filtered results. Once a mass action is performed using this option, there may be a slight delay in the mass action being completed if you are triaging a large quantity of alerts. Make sure to refresh the page to see the final results of the mass action.

View and triage alerts in Slack

If a Slack Bot Alert Destination is configured, alerts can be viewed and managed directly from Slack:
For more information, see Managing Alerts in Slack.

How to use Alert Summaries

An Alert Summary showcases the most common values that were found in the alert's events based on the summary attributes you select. The alert summary will help you quickly understand the answers to the Who , What, Where questions you have when triaging matching events in a rule match.
This feature is especially useful when a rule has generated large numbers of matching events, making understanding the nature of the threat difficult. The Alert Summaries provide an overview of all of the matching events to avoid having to manually review each event.
For an example use case, see the Examples section at the bottom of this page.

Adding summary attributes to detections

You can define Summary Attributes when creating a rule or scheduled rule:
The Rule Settings creation form has a "Summary Attributes" field in the lower right corner.
When defining the Summary Attributes for a rule, you should pick attributes that will help you understand the nature of an alert at a glance.

Viewing an alert summary

  1. 1.
    In the left sidebar of the Panther Console, click Alerts.
  2. 2.
    Click an alert's title to view its details page.
  3. 3.
    Click the Summary tab.
    While viewing a rule, the Summary tab is selected
The Summary tab displays the top five attributes for each declared Summary Attribute.
While viewing the Alert Summary, hover over the alert. A "Copy" icon will appear on the right side. Click the icon to copy the attribute value to use in Data Explorer.
For fields that start with p_, you will also see a "Search" icon appear on the right side. Click the "Search" icon to open Indicator Search and view all hits for that attribute in your data lake.
On the right side of an alert summary, there are clickable icons for "Copy" and "Indicator Search."

How to assign and unassign alerts

A user with the View Alerts permission can assign alerts to Panther users. When an alert is assigned, the user receives an email notification indicating the assignment. The email includes a link to open the alert in the Panther Console.

Assigning alerts

  1. 1.
    Log in to the Panther Console.
  2. 2.
    Click Alerts in the left sidebar.
    • A list of alerts will be displayed.
  3. 3.
    On the right side of an alert in the list, click the Assignee dropdown menu. Select the user you want to assign the alert to.
The Assignee dropdown menu is on the right side of an alert in the Alerts list
You can also assign an alert from the Alert Details page in the Panther Console. While viewing the page, the Assignee dropdown menu is located in the upper right side of the page.
The assignee menu appears in the upper right side of the alert details page

Unassigning alerts

  1. 1.
    Log in to the Panther Console.
  2. 2.
    Click Alerts in the left sidebar.
    • A list of alerts will be displayed.
  3. 3.
    On the right side of an alert in the list, click the Assignee dropdown menu. Select Unassigned from the dropdown.
The Assignee dropdown menu is expanded and there is an option labeled "Unassigned."

Assign multiple alerts at once

  1. 1.
    In the Panther Console, click Alerts in the left sidebar.
  2. 2.
    Check the box next to alerts, or check the box in the upper left corner of the Alerts list to select all alerts.
  3. 3.
    In the upper right corner of the Alerts list, click the Assignee dropdown menu. Select the person who you want to assign the alerts to.
A maximum of one page of alerts can be assigned at once.
Bulk assignment in the Alerts list

Managing alerts externally

Slack

Panther's Slack Bot Alert Destination enables you to view and manage alerts directly from Slack, including the use of Slack Bot Boomerang and Threat Intel features. See Managing Alerts in Slack for more information.

Asana

Panther's Asana Alert Destination includes the ability to sync alert statuses to update the status of any corresponding Asana Tasks.

Jira

Panther's Jira Alert Destination includes the ability to sync alert statuses to update the status of any corresponding Jira issues.

Viewing alert activity history

  1. 1.
    In the Panther Console, click Alerts in the left sidebar.
  2. 2.
    Click into an alert to view its Alerts Details page.
  3. 3.
    Scroll down to Alert History to view a history of all status changes and comments. The activity is sorted in reverse chronological order, so that the most recent change appears on top.
An alert's Alert History. The example history shows an event that says "A Panther user updated the status to open."
If the status of an assigned alert is changed, the assignee will receive an email notification with details of the change, with a link to open the alert in the Panther Console.

Adding comments to alerts

Users with the Manage Alerts permission can add rich text comments to alerts from the Alerts Details page. Text formatting is supported for bold, italics, lists, code blocks, quote blocks, and hyperlinks. User mentions and modifying or deleting comments are currently unsupported.
The syntax and formatting output is detailed below.
Syntax:
**Bold** (alternatively: __bold__ OR highlight text + CMD/CTRL+B)
*Italics* (alternatively: _italics_ OR highlight text + CMD/CTRL+I)
- Unordered list
1. Ordered list
```
Code block
```
`Single line code block`
> Quote block
https://panther.com/URL
Formatting result from the syntax above:
Rich text formatting in comments

Quick rule tuning from alerts (beta)

You can quickly tune the rule that triggered an alert directly from the alert itself, by adding Rule Filters. This is particularly helpful if the alert is a false positive, and you'd like to tune the triggered detection so it won't match on similar events in the future. See Add filters from an alert event for instructions.
Note that quick detection tuning from alerts is available only within alerts triggered by rules, not policies nor scheduled rules.

Examples

Alert summary use case example

For example, say we have written a rule to find "Sneaky" traffic hitting our load balancer. This rule runs against theAWS.ALB logs. If we pick the Panther standard field p_any_ip_addresses and userAgent, then when we view an alert we can quickly see the top five values in the matching events. This can significantly speed up alert triage.
The Panther Console's "Rule Settings" page for a rule is displayed. The ID field contains the text "Sketchy ALB Traffic." The Summary Attributes field contains "p_any_ip_addresses" and "userAgent".
In this example, the first summary is p_any_ip_addreses. Notice that when you hover over a bar in the summary, a "Copy" icon and a "Search" icon appear. You can copy the attribute value to use in a SQL search or you can quickly pivot to an Indicator Search.
The alert summary for p_any_ip_addresses is displayed. There is a "Copy" button next to the attribute so you can easily paste it into Indicator Search.
Click the arrow above the chart to navigate to the next summary, and use the "Attribute" dropdown menu in the upper right to select a different attribute.
If a rule does not have any Summary Attributes defined, then summaries will be computed for all the Panther standard p_any fields associated with the target log types.
Previous
Tines Destination
Next
Managing Alerts in Slack
Last modified 1mo ago