Alert Summaries

Overview

Alert Summaries help you quickly answer the Who, What, and Where questions you have when triaging the matching events of a rule match.
This feature is useful when a rule has generated large numbers of matching events, making understanding the nature of the threat difficult. The Alert Summaries provide an overview of all of the matching events to avoid having to manually review each event.

Summary Attributes

Adding Summary Attributes

When creating a Rule or Scheduled Rule, you have the option to define Summary Attributes. This option appears in the lower right corner of the Rule Settings creation form.
When defining the Summary Attributes for a rule, you should pick attributes that will help you understand the nature of an alert at a glance.

Add nested fields as Summary Attributes

To use a nested field as a summary attribute, use the Snowflake dot notation in the Summary Attribute field to traverse a path in a JSON object:
<column>:<level1_element>.<level2_element>.<level3_element>
The alert summary will then be generated for the referenced object in the alert. Learn more about traversing semi-structured data in Snowflake here.

Viewing Summary Attributes

  1. In the left sidebar of the Panther Console, click Alerts.
  2. Click into an alert.
  3. Click the Summary tab.
The Summary tab displays the top five attributes for each declared Summary Attribute.
While viewing the Alert Summary, hover over the alert. A "Copy" icon will appear on the right side so you can copy the attribute value.
For fields that start with p_, you will also see a "Search" icon appear on the right side. Click the "Search" icon to open Indicator Search and view all hits for that attribute in your data lake.

Example

For example, say we have written a rule to find "Sneaky" traffic hitting our load balancer. This rule runs against the AWS.ALB logs. If we pick the Panther standard field p_any_ip_addresses and userAgent, then when we view an alert we can quickly see the top five values in the matching events. This can significantly speed up alert triage.
In this example, the first summary is p_any_ip_addresses. Notice that when you hover over a bar in the summary, a "Copy" icon and a "Search" icon appear. You can copy the attribute value to use in a SQL search, or you can quickly pivot to an Indicator Search.
Click the arrow above the chart to navigate to the next summary, and use the "Attribute" dropdown menu in the upper right to select a different attribute.
If a rule does not have any Summary Attributes defined, then summaries will be computed for all the Panther standard p_any fields associated with the target log types.
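The following is an added illustration, not code from Panther, of how a summary like the one above is derived: it counts the top five values of each Summary Attribute across a constructed set of matching events, resolving the `<column>:<level1>.<level2>` dot notation for nested fields and expanding list-valued p_any fields. The sample events and the nested "request" object are assumptions made for the example.

```python
from collections import Counter
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Constructed sample of matching events for a hypothetical AWS.ALB rule.
# p_any_ip_addresses and userAgent follow the page; "request" is an assumed
# nested object used only to demonstrate dot-notation traversal.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"p_any_ip_addresses": ["203.0.113.5"], "userAgent": "curl/8.0",
     "request": {"target": {"port": 443}}},
    {"p_any_ip_addresses": ["203.0.113.5", "198.51.100.7"], "userAgent": "curl/8.0",
     "request": {"target": {"port": 443}}},
    {"p_any_ip_addresses": ["198.51.100.7"], "userAgent": "Mozilla/5.0",
     "request": {"target": {"port": 80}}},
    {"p_any_ip_addresses": ["203.0.113.5"], "userAgent": "python-requests/2.31"},
]


def resolve_path(event: Dict[str, Any], attr: str) -> Optional[Any]:
    """Resolve one Summary Attribute spec against one event.

    '<column>:<level1>.<level2>' maps to event[column][level1][level2];
    a bare column name returns that column. Missing keys yield None.
    """
    column, _, path = attr.partition(":")
    value: Any = event.get(column)
    for part in [p for p in path.split(".") if p]:
        if not isinstance(value, dict):
            return None  # path runs past a non-object or missing level
        value = value.get(part)
    return value


def summarize(events: Iterable[Dict[str, Any]], attrs: Iterable[str],
              top_n: int = 5) -> Dict[str, List[Tuple[str, int]]]:
    """Return the top_n (value, count) pairs per attribute, like the Summary tab.

    List-valued fields (the p_any_* indicator fields) contribute each element;
    values are stringified so numbers and strings share one histogram.
    """
    summaries: Dict[str, List[Tuple[str, int]]] = {}
    for attr in attrs:
        counter: Counter = Counter()
        for event in events:
            value = resolve_path(event, attr)
            if value is None:
                continue
            values = value if isinstance(value, list) else [value]
            counter.update(str(v) for v in values)
        summaries[attr] = counter.most_common(top_n)
    return summaries


if __name__ == "__main__":
    for attr, top in summarize(SAMPLE_EVENTS, ["p_any_ip_addresses", "userAgent", "request:target.port"]).items():
        print(attr, top)
```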