Assigning and Managing Alerts
Manage Alerts in the Panther Console
Panther's Alert Management feature allows you to assign alerts to Panther users, view an activity history of alert updates, add comments with rich text support, and quickly tune detections—all from the Panther Console.
You can apply the following statuses to alerts while triaging them in Panther:
Open: This is the default state of new alerts with a Severity level of Low, Medium, High, or Critical.
Invalid: Use this to triage noisy alerts that might have been generated in error.
Resolved: Use this to triage alerts that are valid but resolved. This is the default state of alerts with a Severity level of Info.
Triaged: Use this to triage alerts that are valid but still in the process of being resolved because further investigation is needed.
By default, the list of alerts on the Alerts page displays only Open and Triaged alerts.
Changing the status of an alert does not reset the deduplication period of the associated rule or scheduled rule. This means, for example, that if an alert is marked Resolved before the deduplication period is complete, and events triggering the alert continue to stream in, they will be associated with the same Resolved alert, not a new one.
It is possible to update the status or assignee for a group of alerts in bulk.
You can do this via script or API, or in the Panther Console:
To select only the alerts on the current page, check Select All:
By default, the bulk selector will select everything currently loaded on the page.
To select all filtered results (beyond what is currently loaded on the page), click Select all Alerts that match this search.
This will select everything within the filtered results.
Once a mass action is performed using this option, there may be a slight delay in the mass action being completed if you are triaging a large quantity of alerts. Make sure to refresh the page to see the final results of the mass action.
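The page notes that bulk status and assignee changes can also be made via script or API. The following is an added example (not Panther's own code) of such a script in Python: it deduplicates the alert IDs, submits them in small batches so a large triage does not sit in one oversized request, and stops on the first GraphQL error. The endpoint path, the X-API-Key header, the operation names updateAlertStatusById and updateAlertsAssigneeById, the AlertStatus enum values (in particular Invalid mapping to CLOSED), and the batch size are all assumptions to verify against your own instance's schema; the placeholder domain is constructed.

```python
import json
import urllib.request
from typing import Callable, Iterable, List, Tuple

# Console status -> API enum value. Assumed mapping; "Invalid" -> CLOSED in particular must be
# checked against the AlertStatus enum in your instance's GraphQL schema.
STATUS_ENUM = {"Open": "OPEN", "Triaged": "TRIAGED", "Resolved": "RESOLVED", "Invalid": "CLOSED"}

# Operation names and input shapes are assumptions about Panther's public GraphQL API.
UPDATE_STATUS = """mutation($ids: [ID!]!, $status: AlertStatus!) {
  updateAlertStatusById(input: {ids: $ids, status: $status}) { alerts { id status } }
}"""
UPDATE_ASSIGNEE = """mutation($ids: [ID!]!, $assigneeId: ID) {
  updateAlertsAssigneeById(input: {ids: $ids, assigneeId: $assigneeId}) { alerts { id } }
}"""

Transport = Callable[[str, dict], dict]  # (query, variables) -> parsed JSON response


def http_transport(domain: str, api_key: str) -> Transport:
    """Real transport: POST to https://<domain>/public/graphql (assumed path) with an API token."""
    def send(query: str, variables: dict) -> dict:
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(f"https://{domain}/public/graphql", data=body,
                                     headers={"X-API-Key": api_key, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


def chunked(ids: Iterable[str], size: int) -> List[List[str]]:
    """Drop duplicate IDs (keeping order) and split the rest into batches of at most `size`."""
    unique = list(dict.fromkeys(ids))
    return [unique[i:i + size] for i in range(0, len(unique), size)]


def bulk_triage(ids: Iterable[str], status: str, transport: Transport,
                assignee_id: str = None, batch_size: int = 25) -> Tuple[int, List[dict]]:
    """Apply a console status (and optionally an assignee) to many alerts, batch by batch.
    Returns the number of distinct alert IDs submitted and the raw responses received."""
    if status not in STATUS_ENUM:
        raise ValueError(f"unknown status {status!r}; expected one of {sorted(STATUS_ENUM)}")
    responses, submitted = [], 0
    for batch in chunked(ids, batch_size):
        reply = transport(UPDATE_STATUS, {"ids": batch, "status": STATUS_ENUM[status]})
        if reply.get("errors"):  # stop early rather than half-applying the mass action
            raise RuntimeError(f"status update failed for {batch}: {reply['errors']}")
        responses.append(reply)
        if assignee_id is not None:
            responses.append(transport(UPDATE_ASSIGNEE, {"ids": batch, "assigneeId": assignee_id}))
        submitted += len(batch)
    return submitted, responses
```

For a real run, pass `http_transport("your-panther-domain.example", api_key)` as the transport; the test below uses a recording stub instead.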
If a Slack Bot Alert Destination is configured, alerts can be viewed and managed directly from Slack:
For more information, see Managing Alerts in Slack.
An Alert Summary showcases the most common values that were found in the alert's events based on the summary attributes you select. The alert summary will help you quickly understand the answers to the Who, What, and Where questions you have when triaging matching events in a rule match.
This feature is especially useful when a rule has generated large numbers of matching events, making understanding the nature of the threat difficult. The Alert Summaries provide an overview of all of the matching events to avoid having to manually review each event.
For an example use case, see the Examples section at the bottom of this page.
You can define Summary Attributes when creating a rule or scheduled rule:
When defining the Summary Attributes for a rule, you should pick attributes that will help you understand the nature of an alert at a glance.
To view an Alert Summary:
In the left-hand navigation bar of your Panther Console, click Alerts.
Click an alert's title to view its details page.
Click the Summary tab. It displays the top five values for each declared Summary Attribute.
While viewing the Alert Summary, hover over a bar in the summary. A "Copy" icon will appear on the right side. Click the icon to copy the attribute value to use in Data Explorer.
For fields that start with p_, you will also see a "Search" icon appear on the right side. Click the "Search" icon to open Search and view all hits for that attribute in your data lake.
A user with the View Alerts permission can assign alerts to Panther users. When an alert is assigned, the user receives an email notification indicating the assignment. The email includes a link to open the alert in the Panther Console.
To assign an alert:
In the left-hand navigation bar of your Panther Console, click Alerts.
A list of alerts will be displayed.
On the right side of an alert in the list, click the Assignee dropdown menu.
Select the user you want to assign the alert to.
You can also assign an alert from the Alert Details page in the Panther Console. The Assignee dropdown menu is located at the top of the page.
To unassign an alert:
In the left-hand navigation bar of your Panther Console, click Alerts.
A list of alerts will be displayed.
On the right side of an alert in the list, click the Assignee dropdown menu. Select Unassigned from the dropdown.
To assign multiple alerts at once:
In the left-hand navigation bar of your Panther Console, click Alerts.
Select the checkbox next to multiple individual alerts, or select the checkbox next to Select All in the upper left corner to select all alerts loaded on the current page.
Only the alerts currently loaded on the page may be assigned at once. If additional alerts match the filter criteria and a user selects Select all that match this search, the Assignee dropdown will disappear.
At the top of the Alerts list, click the Assignee dropdown menu. Select the person you want to assign the alerts to.
Panther's Slack Bot Alert Destination enables you to view and manage alerts directly from Slack, including the use of Slack Bot Boomerang and Threat Intel features. See Managing Alerts in Slack for more information.
Panther's Asana Alert Destination includes the ability to sync alert statuses to update the status of any corresponding Asana Tasks.
Panther's Jira Alert Destination includes the ability to sync alert statuses to update the status of any corresponding Jira issues.
In the Panther Console, click Alerts in the left sidebar.
Click into an alert to view its Alert Details page.
Scroll down to Alert History to view a history of all status changes and comments. The activity is sorted in reverse chronological order, so that the most recent change appears on top.
If the status of an assigned alert is changed, the assignee will receive an email notification with details of the change, with a link to open the alert in the Panther Console.
Users with the Manage Alerts permission can add rich text comments to alerts from the Alert Details page. Text formatting is supported for bold, italics, lists, code blocks, quote blocks, and hyperlinks. User mentions and modifying or deleting comments are currently unsupported.
The syntax and formatting output is detailed below.
Syntax:
Formatting result from the syntax above:
You can quickly tune the rule that triggered an alert directly from the alert itself, by adding Rule Filters. This is particularly helpful if the alert is a false positive, and you'd like to tune the triggered detection so it won't match on similar events in the future. See Add filters from an alert event for instructions.
Note that quick detection tuning from alerts is available only for alerts triggered by rules, not for policies or scheduled rules.
For example, say we have written a rule to find "Sneaky" traffic hitting our load balancer. This rule runs against the AWS.ALB logs. If we pick the Panther standard field p_any_ip_addresses and userAgent as Summary Attributes, then when we view an alert we can quickly see the top five values in the matching events. This can significantly speed up alert triage.
In this example, the first summary is p_any_ip_addresses. Notice that when you hover over a bar in the summary, a "Copy" icon and a "Search" icon appear. You can copy the attribute value to use in a SQL search, or you can quickly pivot to Search.
Click the arrow above the chart to navigate to the next summary, and use the "Attribute" dropdown menu in the upper right to select a different attribute.
If a rule does not have any Summary Attributes defined, then summaries will be computed for all the Panther standard p_any fields associated with the target log types.