Managing Alerts in Slack

View and manage alerts from Slack

Overview

Panther's Slack Bot Alert Destination enables you to view and manage alerts directly from Slack. This includes using the Slack Bot Boomerang to discuss alerts with other Slack users and using Threat Intel to analyze an IP address for threat intelligence.

Managing alerts in Slack

Under a "Panther" title is a red dot next to "High." Below is the text, "User reported a fraudulent Duo 2FA request," as well as buttons like "View in Panther" and a boomerang icon.

A Slack Bot alert contains an Alert Summary, Runbook, and Severity. If you've enabled Panther AI alert triage sync, it may contain an AI alert triage summary.

The Slack Bot alert also has the following options:

  • View in Panther: Open a direct link to the alert in the Panther Console.

  • Set Assignee: Change the assignee of the alert.

  • Update Status: Change the status of the alert to Open, Triaged, Resolved, or Invalid.

  • Show Alert Details: Retrieve detailed information about the alert.

  • See Threat Intel: View threat intelligence for specific attributes on an alert.

  • Boomerang (🪃): Prompt a designated person to provide more information about an alert.

When you set an assignee or update the status, the Slack thread will update with a new reply indicating the change.

Under the "View in Panther" and "See Threat Intel" buttons is the text "@Linus assigned the alert to @Auston".

Interactions with the alert within Slack, such as updating the status, setting the assignee, and sending Boomerang messages, will sync back to the Panther Console. The resolution comment when marking an alert as "Resolved" will sync to the alert's Activity thread in the Panther Console.

You can also enable two-way sync for alert status, assignee, and comments. This means that when an alert's status or assignee is changed or a comment is left in the Panther Console (or the Panther API), the changes will sync to the relevant Slack Bot alert(s). Similarly, when alert comments are added from external destinations like Jira, they will also be synced to Slack if two-way comment syncing is enabled.

Three toggles are shown: Two-Way Status Syncing, Two-Way Assignee Syncing, and Two-Way Comment Syncing.

Send Boomerang (🪃)

Use the Boomerang feature within a Panther Slack Bot alert to prompt another Slack user for information about the alert, such as justification for activity involving their account.

All Boomerang communications, including questions and responses, will be recorded in a thread on the original alert message in Slack, as well as in the Activity feed on the alert's Details page in the Panther Console.

How to use Slack Bot Boomerang

  1. Within a Panther Slack Bot alert, click 🪃.

  2. In the Boomerang modal, select a recipient and write a message. The boomerang modal contains a dropdown field for the recipient, and a text field for the message. There are cancel and send buttons.

    • For certain alert types, it's possible to include the JSON of the first event that triggered the alert by selecting Share Event Details with Recipient. There is a checkbox for Share Event Details with Recipient. The beginning of an event's JSON, including an additionalFields key, is shown.

  3. Click 🪃 Send.

    • The recipient will receive your message from the Panther Slack Bot. A Panther Slack Bot message says "Your help has been requested!" The requestor's Slack handle is provided, along with the message or question they sent. There is a text field for the recipient to write a response, and two buttons: "Confirm" and "Report Suspicious Activity".

Show Alert Details

Geolocation information (e.g. 🇺🇸 California, USA) for IP Addresses requires the IPInfo Location enrichment provider to be enabled.

  • Click Show Alert Details to view additional details about the alert, including Summary Fields, Event Details, and First Event.

After the information is retrieved, the associated Slack thread is updated with the details.

Slack Bot Threat Intel

The See Threat Intel option is shown on an alert in Slack if one or more Summary Attributes associated with the alert can be analyzed for threat intelligence (e.g. geographic location, ASN, etc.).

The threat intelligence options shown are dependent on which Enrichment datasets are enabled in your Panther deployment.

How to use Threat Intel

  1. In a Slack alert, click See Threat Intel.

  2. In the prompt that appears, select a value to analyze.

    • After you select a value, the value is automatically analyzed and the available threat intelligence is returned in the thread.

Slack Bot Threat Intelligence supported datasets

Slack Bot Threat Intelligence supports utilizing the following datasets:

Two-way comment syncing

Two-way comment syncing is in open beta starting with Panther version 1.115, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

When Two-Way Comment Syncing is set to ON:

  • When you leave a comment within the alert's Activity section in the Panther Console, the message is synced to the Slack Bot alert's thread.

  • When you send a message in the thread of a Slack Bot alert, the message is synced as a comment within the alert's Activity section in the Panther Console.

    • Comments from both registered Panther users and external Slack users are synced.

      • Comments include the name of the Slack user who posted them.

      • Comments from Slack users not registered in Panther are attributed to the system user, with the original poster's name included.

    • When a comment is edited in Slack, the change syncs to Panther, replacing the previous version.

    • When a message is deleted in Slack, no action is taken in Panther (the comment remains visible).

    • When a file is shared in the Slack Bot thread, the Panther Activity section will display the comment text plus a notification about the attached file.

    • Message formatting from Slack (except code blocks, which are converted to plain text) is preserved in Panther.

    • User mentions and channel links are displayed as raw identifiers (e.g., <@U0949SWJQ6B>) in Panther.
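The comment-sync rules above, replayed over a constructed Slack thread as an added example (this is not Panther's code; the event shapes, user names, and the system user's display name are assumptions):

```python
import re

SYSTEM_USER = "system"          # assumed display name of Panther's system user
REGISTERED = {"alice"}          # constructed: Slack users who are also Panther users

def slack_to_panther_text(text: str) -> str:
    """Apply the documented formatting rule: fenced code blocks become plain text,
    other mrkdwn is preserved, and mentions such as <@U0949SWJQ6B> stay raw."""
    return re.sub(r"```(.*?)```", r"\1", text, flags=re.S)

def sync_slack_thread(events: list[dict], registered: set[str]) -> dict[str, dict]:
    """Replay Slack thread events into Panther Activity comments keyed by Slack ts.
    Event shapes are constructed for this example: {"type": "message"|"edit"|"delete",
    "ts": ..., "user": ..., "text": ..., "files": [...]}."""
    comments: dict[str, dict] = {}
    for ev in events:
        if ev["type"] == "message":
            # Registered users are the comment author; others map to the system user,
            # but the original Slack poster's name is always kept on the comment.
            author = ev["user"] if ev["user"] in registered else SYSTEM_USER
            text = slack_to_panther_text(ev["text"])
            if ev.get("files"):
                text += " (attached file: " + ", ".join(ev["files"]) + ")"
            comments[ev["ts"]] = {"author": author, "slack_user": ev["user"], "text": text}
        elif ev["type"] == "edit" and ev["ts"] in comments:
            # An edit replaces the previous version of the synced comment.
            comments[ev["ts"]]["text"] = slack_to_panther_text(ev["text"])
        elif ev["type"] == "delete":
            # A Slack deletion takes no action in Panther; the comment stays visible.
            pass
    return comments

# Constructed sample thread on a Slack Bot alert.
SAMPLE_EVENTS = [
    {"type": "message", "ts": "1", "user": "alice", "text": "Looks like a *real* Duo push"},
    {"type": "message", "ts": "2", "user": "bob", "text": "Can we get the ```raw log```?"},
    {"type": "message", "ts": "3", "user": "alice", "text": "cc <@U0949SWJQ6B>", "files": ["shot.png"]},
    {"type": "edit", "ts": "2", "user": "bob", "text": "Can we get the ```raw log``` and host?"},
    {"type": "delete", "ts": "1", "user": "alice"},
]

if __name__ == "__main__":
    for ts, comment in sync_slack_thread(SAMPLE_EVENTS, REGISTERED).items():
        print(ts, comment)
```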

AI alert triage sync (Beta)

Panther AI alert triage syncing to Slack Bot is in open beta starting with Panther version 1.114, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

If Panther AI is enabled in your Panther deployment, an AI-generated alert triage can be automatically added as a reply within the Slack thread associated with the alert. Only the initial AI alert triage, not any follow-up responses, is synced to the Slack Bot thread.

The synced AI triage will contain the following sections:

  • Summary: A concise overview of the alert.

  • Key Findings: Notable patterns, behaviors, or anomalies identified by the AI.

  • Security Implications: Analysis of the potential risk and impact.

  • Recommended Actions: Suggested next steps or mitigations based on the AI's assessment.

  • Panther Console Link: A direct link to view the full AI triage report in the Panther Console.

Under an "AI Analysis" header are "Summary" and "Key Findings" sub-headers.

To enable this feature, toggle AI Triage Syncing ON in the Slack Bot Alert Destination configuration page in the Panther Console.

To the right of "AI Triage Syncing" text is a toggle set to ON.

Sending an alert to multiple Slack Bot destinations

If you have configured multiple Slack channels as Slack Bot alert destinations for the same alert, when you interact with one Slack Bot alert (e.g., you set an assignee or send a Boomerang message), the other Slack Bot alert(s) will also be updated, in addition to the change being synced to the Panther Console.

For example, say an alert ID 12345 is sent to both #channel-one and #channel-two. On alert ID 12345 in #channel-one, you update the alert status from Open to Triaged. The following actions will result:

  • In both #channel-one and #channel-two, alert ID 12345 shows the status as Triaged, and the thread on both alerts is updated to indicate the status change.

  • In the Panther Console, the status of alert ID 12345 is changed to Triaged.
