Managing Alerts in Slack

View and manage alerts from Slack

Overview

Panther's Slack Bot Alert Destination enables you to view and manage alerts directly from Slack. This includes using Boomerang to ask other Slack users about an alert and using Threat Intel to look up threat intelligence on an IP address or other alert attribute.

Managing alerts in Slack

[Screenshot: a Slack Bot alert titled "Panther" showing a red dot next to the severity "High", the Alert Summary "User reported a fraudulent Duo 2FA request", and buttons including "View in Panther" and the Boomerang icon.]

A Slack Bot alert contains an Alert Summary, Runbook, and Severity. If you've enabled Panther AI alert triage sync, it may contain an AI alert triage summary.

The Slack Bot alert also has the following options:

  • View in Panther: Open a direct link to the alert in the Panther Console.

  • Set Assignee: Change the assignee of the alert.

  • Update Status: Change the status of the alert to Open, Triaged, Resolved, or Invalid.

  • Show Alert Details: Retrieve detailed information about the alert.

  • See Threat Intel: View threat intelligence for specific attributes on an alert.

  • Boomerang (🪃): Prompt a designated person to provide more information about an alert.

When you set an assignee or update the status, the Slack thread will update with a new reply indicating the change.

Interactions with the alert within Slack, such as updating the status, setting the assignee, and sending Boomerang messages, will sync back to the Panther Console. The resolution comment when marking an alert as "Resolved" will sync to Panther's Alert Activity History.

It's also possible to enable two-way sync for alert status and assignee. This means that when an alert's status or assignee is changed in the Panther Console (or the Panther API), the change will sync to the relevant Slack Bot alert(s).

[Screenshot: the Two-Way Status Syncing and Two-Way Assignee Syncing toggles.]
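The Alert Summary, Severity and Runbook shown in a Slack Bot alert, and the context exposed under Show Alert Details, all originate in the detection that produced the alert. The following is an added example, not code from this page or from Panther's own rule repository: a Panther-style Python rule for the "User reported a fraudulent Duo 2FA request" alert pictured above. The event shape is a constructed approximation of a Duo authentication log, and the group names, runbook text, and destination names are assumptions for the demo. The local deep_get stands in for the panther_base_helpers helper so the file runs offline.

```python
"""Panther-style detection for a Duo push the user marked as fraudulent.

Added example, not code from the Panther docs or the Panther repository.
Event fields approximate a Duo authentication log; group names, runbook
text and destination names are assumptions for illustration only.
"""
from typing import Any, Optional

# Assumed: Duo 'reason' values indicating the user flagged the push as fraud.
FRAUD_REASONS = {"user_marked_fraud"}
# Assumed: group names whose members warrant a higher severity.
PRIVILEGED_GROUPS = {"Domain Admins", "Security"}
# Assumed: names of two Slack Bot alert destinations configured in Panther.
SLACK_DESTINATIONS = ["slack-secops", "slack-it-helpdesk"]


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dict keys safely; stand-in for panther_base_helpers.deep_get."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event: dict) -> bool:
    """Fire when the Duo result is 'fraud' or the reason says the user marked fraud."""
    return event.get("result") == "fraud" or event.get("reason") in FRAUD_REASONS


def title(event: dict) -> str:
    """Alert Summary line shown at the top of the Slack Bot alert."""
    user = deep_get(event, "user", "name", default="<unknown user>")
    app = deep_get(event, "application", "name", default="<unknown app>")
    return f"User {user} reported a fraudulent Duo 2FA request for {app}"


def severity(event: dict) -> str:
    """Dynamic severity: CRITICAL when the targeted account is in a privileged group."""
    groups = set(deep_get(event, "user", "groups", default=[]))
    return "CRITICAL" if groups & PRIVILEGED_GROUPS else "HIGH"


def runbook(event: dict) -> str:
    """Runbook text shown in the alert; step 1 is what the Boomerang button is for."""
    user = deep_get(event, "user", "name", default="<unknown user>")
    return (
        f"1. Ask {user} via Boomerang whether they initiated this login.\n"
        "2. Check the source IP with See Threat Intel.\n"
        "3. If unexpected, reset the password and revoke active sessions."
    )


def alert_context(event: dict) -> dict:
    """Key/value context attached to the alert and visible under Show Alert Details."""
    return {
        "user": deep_get(event, "user", "name"),
        "source_ip": deep_get(event, "access_device", "ip"),
        "application": deep_get(event, "application", "name"),
        "factor": event.get("factor"),
        "reason": event.get("reason"),
    }


def destinations(event: dict) -> list:
    """Route to both Slack Bot channels (see the multi-destination section below)."""
    return SLACK_DESTINATIONS


def evaluate(event: dict) -> Optional[dict]:
    """Run the rule functions the way Panther would; return alert fields or None."""
    if not rule(event):
        return None
    return {
        "title": title(event),
        "severity": severity(event),
        "runbook": runbook(event),
        "context": alert_context(event),
        "destinations": destinations(event),
    }


# Constructed sample events (not real Duo logs). 203.0.113.0/24 is TEST-NET-3.
FRAUD_EVENT = {
    "event_type": "authentication", "result": "fraud", "reason": "user_marked_fraud",
    "factor": "duo_push", "application": {"name": "Okta"},
    "user": {"name": "jane.doe", "groups": ["Engineering"]},
    "access_device": {"ip": "203.0.113.45"},
}
ADMIN_FRAUD_EVENT = {
    "event_type": "authentication", "result": "fraud", "reason": "user_marked_fraud",
    "factor": "duo_push", "application": {"name": "VPN"},
    "user": {"name": "root.admin", "groups": ["Domain Admins"]},
    "access_device": {"ip": "203.0.113.77"},
}
BENIGN_EVENT = {
    "event_type": "authentication", "result": "success", "reason": "user_approved",
    "factor": "duo_push", "application": {"name": "Okta"},
    "user": {"name": "jane.doe", "groups": ["Engineering"]},
    "access_device": {"ip": "203.0.113.45"},
}

if __name__ == "__main__":
    for name, ev in (("fraud", FRAUD_EVENT), ("admin", ADMIN_FRAUD_EVENT), ("benign", BENIGN_EVENT)):
        print(name, evaluate(ev))
```

Which event fields additionally appear as Summary Attributes (the values offered to See Threat Intel) is configured in the rule's metadata rather than in these functions, so that part is not shown here.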

Send Boomerang (🪃)

Use the Boomerang feature within a Panther Slack Bot alert to prompt another Slack user for information about the alert, such as justification for activity involving their account.

All Boomerang communications, including questions and responses, will be recorded in a thread on the original alert message in Slack, as well as in the Alert History feed on the alert's Details page in the Panther Console.

How to use Slack Bot Boomerang

  1. Within a Panther Slack Bot alert, click 🪃 .

  2. In the Boomerang modal, select a recipient and write a message.

    • For certain alert types, it's possible to include the JSON of the first event that triggered the alert by selecting Share Event Details with Recipient.

  3. Click 🪃 Send.

    • The recipient will receive your message from the Panther Slack Bot.

Show Alert Details

Geolocation information (e.g. 🇺🇸 California, USA) for IP Addresses requires the IPInfo Location enrichment provider to be enabled.

  • Click Show Alert Details to view additional details about the alert, including Summary Fields, Event Details, and First Event.

After the information is retrieved, the associated Slack thread is updated with the details.

Slack Bot Threat Intel

The option to See Threat Intel is shown on an alert in Slack if one or more Summary Attributes associated with the alert can be analyzed for threat intelligence (e.g. geographic location, ASN, etc.).

The threat intelligence options shown are dependent on which Enrichment datasets are enabled in your Panther deployment.

How to use Threat Intel

  1. In a Slack alert, click See Threat Intel.

  2. In the prompt that appears, select a value to analyze.

    • After you select a value, it is analyzed automatically and the available threat intelligence is returned.

Slack Bot Threat Intelligence supported datasets

Slack Bot Threat Intelligence supports the following datasets:

AI alert triage sync (Beta)

Panther AI alert triage syncing to Slack Bot is in open beta starting with Panther version 1.114, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

If Panther AI is enabled in your Panther deployment, an AI-generated alert triage can be automatically added as a reply within the Slack thread associated with the alert. Only the initial AI alert triage is synced to the Slack Bot thread; follow-up responses are not.

The synced AI triage will contain the following sections:

  • Summary: A concise overview of the alert.

  • Key Findings: Notable patterns, behaviors, or anomalies identified by the AI.

  • Security Implications: Analysis of the potential risk and impact.

  • Recommended Actions: Suggested next steps or mitigations based on the AI's assessment.

  • Panther Console Link: A direct link to view the full AI triage report in the Panther Console.

[Screenshot: an "AI Analysis" header with "Summary" and "Key Findings" sub-headers.]

To enable this feature, toggle AI Triage Syncing ON in the Slack Bot Alert Destination configuration page in the Panther Console.

[Screenshot: the "AI Triage Syncing" toggle set to ON.]

Sending an alert to multiple Slack Bot destinations

If you have configured multiple Slack channels as Slack Bot alert destinations for the same alert, interacting with one Slack Bot alert (e.g., setting an assignee or sending a Boomerang message) updates the other Slack Bot alerts as well, in addition to syncing the change to the Panther Console.

For example, say an alert ID 12345 is sent to both #channel-one and #channel-two. On alert ID 12345 in #channel-one, you update the alert status from Open to Triaged. The following actions will result:

  • In both #channel-one and #channel-two, alert ID 12345 shows the status as Triaged, and the thread on both alerts is updated to indicate the status change.

  • In the Panther Console, the status of alert ID 12345 is changed to Triaged.
