Alert Summaries help you quickly answer the "Where" questions you have when triaging the events that matched a rule.
This feature is useful when a rule has generated a large number of matching events, which makes the nature of the threat hard to understand. Alert Summaries provide an overview of all of the matching events so that you do not have to review each event manually.
When creating a Rule or Scheduled Rule, you have the option to define Summary Attributes. This option is in the lower right corner of the Rule Settings creation form.
When defining the Summary Attributes for a rule, pick attributes that will help you understand the nature of an alert at a glance.
To use a nested field as a summary attribute, use the Snowflake dot notation in the Summary Attribute field to traverse a path in a JSON object:
To view the summaries for an alert:

1. In the left sidebar of the Panther Console, click Alerts.
2. Click into an alert.
3. Click the Summary tab.

The Summary tab displays the top five values for each declared Summary Attribute.
While viewing the Alert Summary, hover over a bar in the chart. A "Copy" icon appears on the right side so you can copy the attribute value.
For example, say we have written a rule to find "Sneaky" traffic hitting our load balancer. This rule runs against AWS.ALB logs. If we pick the userAgent field as a Summary Attribute, then when we view an alert we can quickly see the top five user agents across the matching events. This can significantly speed up alert triage.
In this example, the first summary is p_any_ip_addresses. When you hover over a bar in the summary, a "Copy" icon and a "Search" icon appear: you can copy the attribute value for use in a SQL search, or pivot straight to an Indicator Search on that value.
Click the arrow above the chart to move to the next summary, or use the "Attribute" dropdown menu in the upper right to select a different attribute.
If a rule does not have any Summary Attributes defined, summaries are computed for all the Panther standard p_any fields associated with the target log types.
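As an added example that is not Panther's code and not part of the original page, the following Python reproduces the behaviour described above over a handful of constructed AWS.ALB-style events: it resolves dot-notation paths into nested JSON (the nested-field case), flattens list-valued p_any_* fields, keeps the top five values per attribute, and falls back to every p_any_* field present when no Summary Attributes are configured. The event shapes, the sample values, the request.url path and the function names are assumptions for illustration; only userAgent and p_any_ip_addresses come from the page.

```python
from collections import Counter
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample events, loosely shaped like AWS.ALB rows after Panther
# normalization (the p_any_* lists are added by Panther). Not real traffic.
MATCHING_EVENTS: List[dict] = [
    {"userAgent": "curl/7.88.1", "elbStatusCode": 403,
     "request": {"method": "GET", "url": "/admin"},
     "p_any_ip_addresses": ["203.0.113.10"],
     "p_any_domain_names": ["lb.example.com"]},
    {"userAgent": "curl/7.88.1", "elbStatusCode": 403,
     "request": {"method": "GET", "url": "/admin"},
     "p_any_ip_addresses": ["203.0.113.10"]},
    {"userAgent": "curl/7.88.1", "elbStatusCode": 404,
     "request": {"method": "GET", "url": "/.env"},
     "p_any_ip_addresses": ["203.0.113.10"]},
    {"userAgent": "python-requests/2.31.0", "elbStatusCode": 404,
     "request": {"method": "POST", "url": "/wp-login.php"},
     "p_any_ip_addresses": ["198.51.100.7"]},
    {"userAgent": "python-requests/2.31.0", "elbStatusCode": 404,
     "request": {"method": "GET", "url": "/.env"},
     "p_any_ip_addresses": ["198.51.100.7", "203.0.113.10"]},
    # No "request" object at all: a nested path must tolerate a missing hop.
    {"userAgent": "Mozilla/5.0", "elbStatusCode": 200,
     "p_any_ip_addresses": ["192.0.2.200"]},
    {"userAgent": "sqlmap/1.7", "elbStatusCode": 403,
     "request": {"method": "GET", "url": "/admin"},
     "p_any_ip_addresses": ["192.0.2.55"]},
]

# Stand-in for the rule's configured Summary Attributes (assumed names):
# a top-level field, a nested path in dot notation, and a p_any list field.
SUMMARY_ATTRIBUTES = ["userAgent", "request.url", "p_any_ip_addresses"]


def resolve_path(event: dict, path: str) -> Any:
    """Walk a dot-separated path through nested dicts; None if any hop is missing."""
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def attribute_values(event: dict, path: str) -> List[str]:
    """Values one event contributes for one attribute.

    Scalars contribute themselves, list-valued fields such as p_any_ip_addresses
    contribute each element, and a missing attribute contributes nothing.
    """
    value = resolve_path(event, path)
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    return [str(value)]


def default_summary_attributes(events: List[dict]) -> List[str]:
    """With no Summary Attributes configured, fall back to every p_any_* field seen."""
    names = {key for ev in events for key in ev if key.startswith("p_any_")}
    return sorted(names)


def summarize(events: List[dict], attributes: Optional[List[str]] = None,
              top_n: int = 5) -> Dict[str, List[Tuple[str, int]]]:
    """Top-N (value, count) pairs per attribute across all matching events."""
    attrs = attributes or default_summary_attributes(events)
    summary: Dict[str, List[Tuple[str, int]]] = {}
    for attr in attrs:
        counts: Counter = Counter()
        for ev in events:
            counts.update(attribute_values(ev, attr))
        summary[attr] = counts.most_common(top_n)
    return summary


if __name__ == "__main__":
    for attr, top in summarize(MATCHING_EVENTS, SUMMARY_ATTRIBUTES).items():
        print(attr)
        for value, count in top:
            print(f"  {count:>3}  {value}")
```

Two details matter for triage. Values are stringified before counting, so an integer status code and its string form collapse into one bar rather than two; and Counter.most_common breaks ties by first appearance, which keeps the ordering stable across runs. The sqlmap and curl hits against /admin from a single address are exactly the kind of pattern that stands out in the top-five view without opening every event.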