Managing Alerts in Slack

Overview

Panther's enables you to view and manage alerts directly from Slack. This includes using the Slack Bot Boomerang to discuss alerts with other Slack users and using Threat Intel to analyze an IP address for threat intelligence.

Managing alerts in Slack

An alert in Slack contains an Alert Summary, Runbook, and Severity, as well as the following options:

• View in Panther: Open a direct link to the alert in the Panther Console.

• Set Assignee: Change the assignee of the alert.

• Update Status: Change the status of the alert to Open, Triaged, Resolved, or Invalid.

• Show Alert Details: Retrieve detailed information about the alert.

  • See below for more information.

• See Threat Intel: View threat intelligence for specific attributes on an alert.

  • See below for more information.

• Boomerang (🪃): Prompt a designated person to provide more information about an alert.

  • See below for more information.

When you set an assignee or update the status, the Slack thread will update with a new reply indicating the change.

Interactions with the Alert within Slack, such as updating the status, setting the assignee, and sending Boomerang messages, will sync back to the Panther Console. In addition, the resolution comment when marking an alert as "Resolved" will sync to Panther's Alert Activity History. Note that this is a one-way sync; changes made to these alerts in the Panther Console will not sync back to Slack.

Send Boomerang (🪃)

Use the Boomerang feature within a Panther Slack Bot alert to prompt another Slack user for information about the alert, such as justification for activity involving their account.

All Boomerang communications, including questions and responses, will be recorded in a thread on the original alert message in Slack, as well as in the Alert History feed on the alert's Details page in the Panther Console.

How to use Slack Bot Boomerang

3. Click 🪃 Send.

Show Alert Details

• Click Show Alert Details to view additional details about the alert, including Summary Fields, Event Details, and First Event.

After the information is retrieved, the associated Slack thread is updated:

Slack Bot Threat Intel

The option to See Threat Intel is shown on an alert in Slack if one or more Summary Attribute associated with the alert can be analyzed for threat intelligence (e.g. geographic location, ASN, etc.)

How to use Threat Intel

Slack Bot Threat Intelligence supported datasets

Slack Bot Threat Intelligence supports utilizing the following datasets:

• • Location

  • ASN

Using multiple Slack Bot alert destinations

When you interact with a Slack Bot alert (e.g., set an assignee or send a Boomerang message), changes are reflected in the Panther Console, as well as in a thread on the alert message itself. However, if multiple channels have been configured as Slack Bot alert destinations for the same alert, only the alert (and thread) on which action was taken will be updated. Any other Slack Bot messages for that alert will not be updated.

For this reason, it is advised to avoid a Slack Bot alert destination configuration that sends messages for any given alert to more than one channel.

Example: Two Slack Bot alert destinations are configured

Say an alert ID 12345 is sent to both #channel-one and #channel-two.

• On alert ID 12345 in #channel-one, a user updates the alert status from Open to Triaged. The following actions will result:

  • In the Panther Console, the status of alert ID 12345 is changed to Triaged.

  • In #channel-one, alert ID 12345 shows the status as Triaged, and the thread on that alert is updated to indicate the status change.

• However, alert ID 12345 in #channel-two is not updated to reflect the new status.

  • This Slack message will still show the alert status as Open and the Slack thread will not have a message indicating the status has changed.