
Accelerate Response with the Panther Slack Bot

Ted Kietzman

TL;DR: Panther Slack Bot

Here for the headline? Panther is releasing our new Slack Bot. The Slack Bot is a more thorough integration with Slack that enables a much more seamless alert triage, assignment, and collaboration process – accelerating detection & response and reducing MTTR. Once configured, security teams can run their initial response and alert management through Slack – without the need for additional tools.


The MTT Metrics

For anyone working in security, the infamous “MTT” or “Mean Time To” metrics are ubiquitous. Detection and Response teams are consistently tasked with calculating and reducing their time to detect, respond, and remediate. In the detection & response workflow, detection is often relatively quick – whereas response and remediation take up much larger portions of time. This is partly because the workflow’s triage, assignment, and initial response components are often cumbersome. They require convoluted initial information gathering, portal switching, and coordination between teams and tools.

Accelerating MTTR

To expedite this workflow, it would be convenient to bring the security context into the tools where users already work. For example, Slack is a popular, widely adopted messaging and collaboration tool. Users are often active on Slack during working hours and check the Slack app on their phones during non-working or on-call hours. Active employee engagement makes Slack a perfect hub for timely, real-time collaboration. Many IT & security tools integrate with Slack – to alert users where they spend their time.

The Pitfalls of Slack Webhooks

Today, a webhook is the most common form of integration with Slack. Webhooks have a few shortcomings. To start, they are constrained to play the role of “ping” or notification, and they are limited in the information they can load into Slack. The alerts inform a user in Slack of something but do little else. Webhook integrations don’t fit seamlessly into a detection & response workflow because there isn’t a lot of context regarding alerts – or a meaningful way to interact with the information received in Slack. To complete response actions, security practitioners are forced to perform a series of new tasks outside of Slack. In the end, a webhook is a double-edged sword – while being informed is nice, a user still has to switch over to the originating tool, log in, and review more information in a new portal, then potentially switch tools again to assign and update the alert.

Second, because Slack webhook alerts don’t maintain a state or become a record, there’s no reason to collaborate in a Slack thread. Even though the alert is being sent to a premier collaboration tool, there is no incentive to collaborate because none of the work or notes from the thread will be preserved effectively as a historical artifact for the alert.

Introducing: The Panther Slack Bot

To address these shortcomings, Panther is releasing our new Slack Bot. Instead of merely notifying security teams of a triggered alert with limited context, the Slack Bot brings much more of the power of Panther into Slack. 

First, there is much more relevant alert detail and triage-enabling context brought over to Slack – with the ability to bring even more over with a simple click or tap. This allows users to assess and triage an alert from Slack more effectively without returning to Panther. 

Screenshot of a Slack message from Panther Bot showing an alert triggered by manual AWS changes.
Use alert context to triage Panther alerts in Slack
Screenshot of a follow-up Slack message showing extended alert context such as number of events, event dates, IP addresses, and raw event data.
Selecting ‘Show Alert Details’ retrieves even more relevant context

Second, Panther users can now effectively take action on an alert from Slack. It is possible to assign the alert to a teammate, update its status and have these actions sync back to Panther. After implementing Panther’s Slack Bot, teams can discard their makeshift emoji triage system that’s often coupled with many clicks back and forth to assign and update alerts. Moreover, the Slack Bot also unlocks the powerful ability to take action on alerts from a mobile device – nullifying the stressful prospect of racing back to a computer.

Slack message showing John Doe exceeding their failed logins threshold.
Assign and Update Alert Status from Slack

Finally, the Slack Bot incentivizes true collaboration in Slack. Since a traditional webhook integration does not sync back to the originating tool – it doesn’t make sense to work in Slack after an alert notification. Slack Bot’s ability to sync back to Panther enables teams to actually triage and work in Slack, further reducing the requirement to switch portals. A powerful component of the Slack Bot is the ability to sync a resolution comment from Slack back to Panther – a succinct mechanism for response teams to provide feedback for and collaborate with detection teams.
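To make the webhook-versus-bot difference concrete, here is an added illustration (not Panther’s code, and not its API) of the two message shapes and the sync-back path the previous paragraphs describe: a one-way webhook payload beside an interactive message whose block_id carries the alert id, an interaction handler that applies status and assignment clicks to a stored alert record, and a thread reply used as the resolution comment. The in-memory ALERTS store, the alert ids and the click payload are constructed for the example.

```python
import json
from dataclasses import dataclass, field

# Hypothetical in-memory alert store standing in for the originating tool's alert record.
@dataclass
class Alert:
    alert_id: str
    title: str
    status: str = "Open"
    assignee: str = ""
    history: list = field(default_factory=list)   # (actor, field, old, new) audit trail

ALERTS = {"alert-42": Alert("alert-42", "John Doe exceeded failed logins threshold")}

def webhook_payload(alert):
    """One-way webhook: a text ping with nothing Slack can send back."""
    return {"text": f"[{alert.status}] {alert.title}"}

def bot_message(alert):
    """Interactive message: block_id carries the alert id so every click maps back to a record."""
    text = f"*{alert.title}*\nStatus: {alert.status}  Assignee: {alert.assignee or 'unassigned'}"
    return {"blocks": [
        {"type": "section", "text": {"type": "mrkdwn", "text": text}},
        {"type": "actions", "block_id": alert.alert_id, "elements": [
            {"type": "button", "action_id": "set_status", "value": "Triaged",
             "text": {"type": "plain_text", "text": "Mark Triaged"}},
            {"type": "users_select", "action_id": "assign",
             "placeholder": {"type": "plain_text", "text": "Assign to"}}]}]}

def handle_interaction(payload):
    """Apply a Slack block_actions-style payload to the stored alert and return the updated record."""
    actor = payload["user"]["username"]
    alert = None
    for action in payload["actions"]:
        alert = ALERTS[action["block_id"]]            # unknown alert ids raise KeyError on purpose
        if action["action_id"] == "set_status":
            alert.history.append((actor, "status", alert.status, action["value"]))
            alert.status = action["value"]
        elif action["action_id"] == "assign":
            alert.history.append((actor, "assignee", alert.assignee, action["selected_user"]))
            alert.assignee = action["selected_user"]
    return alert

def handle_resolution(alert_id, actor, comment):
    """A thread reply used as the resolution comment closes the alert and is kept in its history."""
    alert = ALERTS[alert_id]
    alert.history.append((actor, "resolved", alert.status, comment))
    alert.status = "Resolved"
    return alert

if __name__ == "__main__":
    click = {"user": {"id": "U1", "username": "alice"},             # constructed click payload
             "actions": [{"block_id": "alert-42", "action_id": "set_status", "value": "Triaged"},
                         {"block_id": "alert-42", "action_id": "assign", "selected_user": "U2"}]}
    print(json.dumps(bot_message(ALERTS["alert-42"]), indent=1))
    print(handle_interaction(click))
    print(handle_resolution("alert-42", "alice", "Lockout followed a VPN password rotation; benign"))
```

The history list is what a webhook never produces: each Slack click and the final comment become part of the alert’s record rather than an unrecoverable thread.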

Slack thread showing responses to the John Doe alert, the thread shows status changes to Triaged and changes in task assignment.
Collaboration on alerts in Slack
Screenshot of the Panther console showing alert history of the John Doe alert. The history shows status update changes, assignment changes, and a final resolution comment which syncs from Slack.
Alert History synced back to Panther

Conclusion: The Power of Panther in Slack

With the release of the Slack Bot, Panther hopes to accelerate the response workflow by meeting users where they already work. By providing usable context and the ability to take meaningful action, the Slack Bot helps security teams save valuable minutes off their mean-time-to-respond while fostering a place for better real-time collaboration. If you’d like to incorporate the Slack Bot into your response workflow – you can request a demo. Or, for a hands-on experience, try Panther today.