Managing Alerts in Slack

View and manage alerts from Slack

Overview

Panther's Slack Bot Alert Destination enables you to view and manage alerts directly from Slack. This includes using the Slack Bot Boomerang to discuss alerts with other Slack users and using Threat Intel to analyze an IP address for threat intelligence.

Managing alerts in Slack

An alert in Slack contains an Alert Summary, Runbook, and Severity, as well as the following options:

View in Panther: Open a direct link to the alert in the Panther Console.
Set Assignee: Change the assignee of the alert.
Update Status: Change the status of the alert to Open, Triaged, Resolved, or Invalid.
Show Alert Details: Retrieve detailed information about the alert.
- See Show Alert Details below for more information.
See Threat Intel: View threat intelligence for specific attributes on an alert.
- See Slack Bot Threat Intel below for more information.
Boomerang (🪃): Prompt a designated person to provide more information about an alert.
- See Send Boomerang below for more information.

When you set an assignee or update the status, the Slack thread will update with a new reply indicating the change.

Interactions with the Alert within Slack, such as updating the status, setting the assignee, and sending Boomerang messages, will sync back to the Panther Console. In addition, the resolution comment when marking an alert as "Resolved" will sync to Panther's Alert Activity History. Note that this is a one-way sync; changes made to these alerts in the Panther Console will not sync back to Slack.

Send Boomerang (🪃)

Use the Boomerang feature within a Panther Slack Bot alert to prompt another Slack user for information about the alert, such as justification for activity involving their account.

All Boomerang communications, including questions and responses, will be recorded in a thread on the original alert message in Slack, as well as in the Alert History feed on the alert's Details page in the Panther Console.

How to use Slack Bot Boomerang

Within a Panther Slack Bot alert, click 🪃 .
In the Boomerang modal, select a recipient and write a message.
- For certain alert types, it's possible to include the JSON of the first event that triggered the alert by selecting Share Event Details with Recipient.
Click 🪃 Send.
- The recipient will receive your message from the Panther Slack Bot.

Show Alert Details

Geolocation information (e.g. 🇺🇸 California, USA) for IP Addresses requires the IPInfo Location enrichment provider to be enabled.

Click Show Alert Details to view additional details about the alert, including Summary Fields, Event Details, and First Event.

After the information is retrieved, the associated Slack thread is updated:

Slack Bot Threat Intel

The option to See Threat Intel is shown on an alert in Slack if one or more Summary Attribute associated with the alert can be analyzed for threat intelligence (e.g. geographic location, ASN, etc.)

The threat intelligence options shown are dependent on which Enrichment datasets are enabled in your Panther deployment.

How to use Threat Intel

In a Slack alert, click See Threat Intel.
In the prompt that appears, select a value to analyze.
- After you select a value, the value is automatically analyzed and the available threat intelligence is returned:

Slack Bot Threat Intelligence supported datasets

Slack Bot Threat Intelligence supports utilizing the following datasets:

IPInfo
- Location
- ASN
GreyNoise
- Noise (Basic or Advanced)
- RIOT (Basic or Advanced)
TOR Exit Nodes

Threat Intel Examples

IPInfo and GreyNoise Advanced datasets identifying the GoogleBot

In this example, IPinfo provided IP and ASN information, and GreyNoise reported the IP as being benign.

IPinfo and Greynoise Advanced datasets identifying a malicious IP address

In this example, IPinfo provided IP and ASN information, and GreyNoise reported the IP address as malicious.

Using multiple Slack Bot alert destinations

When you interact with a Slack Bot alert (e.g., set an assignee or send a Boomerang message), changes are reflected in the Panther Console, as well as in a thread on the alert message itself. However, if multiple channels have been configured as Slack Bot alert destinations for the same alert, only the alert (and thread) on which action was taken will be updated. Any other Slack Bot messages for that alert will not be updated.

For this reason, it is advised to avoid a Slack Bot alert destination configuration that sends messages for any given alert to more than one channel.

Example: Two Slack Bot alert destinations are configured

Say an alert ID 12345 is sent to both #channel-one and #channel-two.

On alert ID 12345 in #channel-one, a user updates the alert status from Open to Triaged. The following actions will result:
- In the Panther Console, the status of alert ID 12345 is changed to Triaged.
- In #channel-one, alert ID 12345 shows the status as Triaged, and the thread on that alert is updated to indicate the status change.
However, alert ID 12345 in #channel-two is not updated to reflect the new status.
- This Slack message will still show the alert status as Open and the Slack thread will not have a message indicating the status has changed.

PreviousAssigning and Managing Alerts NextAlert Runbooks

Last updated 22 hours ago