Managing Alerts in Slack

View and manage alerts from Slack

Overview

Panther's Slack Bot Alert Destination enables you to view and manage alerts directly from Slack. This includes using the Slack Bot Boomerang to ask other Slack users about an alert and using Threat Intel to look up threat intelligence for an IP address or other alert attribute.

Managing alerts in Slack

An alert in Slack contains an Alert Summary, Runbook, and Severity, as well as the following options:
  • View in Panther: Open a direct link to the alert in the Panther Console.
  • Set Assignee: Change the assignee of the alert.
  • Update Status: Change the status of the alert to Open, Triaged, Resolved, or Invalid.
  • Show Alert Details: Retrieve detailed information about the alert.
  • See Threat Intel: View threat intelligence for specific attributes on an alert.
  • Boomerang (🪃): Prompt a designated person to provide more information about an alert.
When you set an assignee or update the status, the Slack thread will update with a new reply indicating the change.

Send Boomerang (🪃)

Use the Boomerang feature within a Panther Slack Bot alert to prompt another Slack user for information about the alert, such as justification for activity involving their account.
All Boomerang communications, including questions and responses, will be recorded in a thread on the original alert message in Slack, as well as in the Alert History feed on the alert's Details page in the Panther Console.

How to use Slack Bot Boomerang

  1. Within a Panther Slack Bot alert, click 🪃.
    The alert message shows the alert summary (e.g. Policy Failure: AWS Root Account Hardware MFA), runbook, severity, and status, with buttons to view the alert in Panther, set an assignee, update the status, and send a Boomerang message.
  2. In the Boomerang modal, select a recipient and write a message.
    The modal contains a dropdown field for the recipient and a text field for the message, with Cancel and Send buttons.
    • For certain alert types, you can include the JSON of the first event that triggered the alert by selecting the Share Event Details with Recipient checkbox. The beginning of the event's JSON (including an additionalFields key) is shown in the modal. Because this sends the raw event to the recipient, check that the event contains nothing they should not see before enabling it.
  3. Click 🪃 Send.
    • The recipient receives a message from the Panther Slack Bot saying "Your help has been requested!", along with your Slack handle and the message or question you sent. The recipient has a text field to write a response and two buttons: Confirm and Report Suspicious Activity.

Show Alert Details

Geolocation information (e.g. 🇺🇸 California, USA) for IP Addresses requires the IPInfo Location enrichment provider to be enabled.
  • Click Show Alert Details to view additional details about the alert, including Summary Fields, Event Details, and First Event.
After the information is retrieved, the associated Slack thread is updated with the details.

Slack Bot Threat Intel

The option to See Threat Intel is shown on an alert in Slack if one or more Summary Attributes associated with the alert can be analyzed for threat intelligence (e.g. geographic location, ASN, etc.).
The threat intelligence options shown are dependent on which Enrichment datasets are enabled in your Panther deployment.

How to use Threat Intel

  1. In a Slack alert, click See Threat Intel.
  2. In the prompt that appears, select a value to analyze.
    • After you select a value, it is automatically analyzed and the available threat intelligence is returned in the thread.

Slack Bot Threat Intelligence supported datasets

Slack Bot Threat Intelligence supports the following datasets:

Threat Intel Examples

IPinfo and GreyNoise Advanced datasets identifying Googlebot

In this example, IPinfo provided IP and ASN information, and GreyNoise reported the IP as benign.

IPinfo and GreyNoise Advanced datasets identifying a malicious IP address

In this example, IPinfo provided IP and ASN information, and GreyNoise reported the IP address as malicious.

Using multiple Slack Bot alert destinations

When you interact with a Slack Bot alert (e.g., set an assignee or send a Boomerang message), the change is reflected in the Panther Console and in a thread on the alert message you acted on. However, if multiple channels have been configured as Slack Bot alert destinations for the same alert, only the alert message (and thread) on which the action was taken is updated. Any other Slack Bot messages for that alert are not updated, so they can show stale status and assignee information.
For this reason, avoid a Slack Bot alert destination configuration that sends messages for any given alert to more than one channel. The Panther Console always shows the current state of the alert.

Example: Two Slack Bot alert destinations are configured

Say an alert ID 12345 is sent to both #channel-one and #channel-two.
  • On alert ID 12345 in #channel-one, a user updates the alert status from Open to Triaged. The following actions will result:
    • In the Panther Console, the status of alert ID 12345 is changed to Triaged.
    • In #channel-one, alert ID 12345 shows the status as Triaged, and the thread on that alert is updated to indicate the status change.
  • However, alert ID 12345 in #channel-two is not updated to reflect the new status.
    • This Slack message will still show the alert status as Open and the Slack thread will not have a message indicating the status has changed.