Last month, we announced our Panther Slack Bot – a robust integration that enables security teams to review and take action on alerts directly from Slack. The Slack Bot has already helped customers streamline their response workflows, removing time-consuming clicks and window switches. However, at Panther, we're always moving forward – and we've already developed a new and notable component of the Slack Bot.
To set the stage, when triaging alerts from a SIEM, the first few steps involve gathering the right context to properly assess the alert. Is this alert a false positive? Does it require deeper investigation? Oftentimes, these questions are most easily answered by reaching out to the user involved to understand why the alert was triggered.
However, this process requires a couple of extra steps and often creates lost context and phantom Slack DMs. To be clear, it's not *that* difficult to spin up a new Slack DM to ask John Doe about their actions surrounding the relevant alert. It's just another click or two. The real frustration arises when John's response isn't automatically synced to the relevant alert. If the analyst working the alert forgets to manually move the context over, the user's response exists in a DM somewhere – doomed to fade away into Slack's memory hole.
To make gathering relevant context around alerts more seamless, Panther is introducing Slack Bot Boomerangs. After Slack Bot Boomerangs are enabled, security teams can click the Boomerang icon and send an interactive message right from the alert thread in Slack. There is no longer the extra step of creating a one-off DM with the implicated user. The message is customizable and includes the relevant alert details to facilitate a quick user response.
From here, users can either confirm that they performed the actions described in the alert or indicate that they did not, in which case the activity is genuinely suspicious and needs investigation. When a user confirms a false positive, alert resolution is accelerated – with the added benefit that the user's context may help tune the relevant detection.
Additionally, users can provide written notes regarding the alert. For example, perhaps the user was traveling and triggered a geolocation-based detection, or maybe the user was “on-call” and performed an action they don’t typically perform. The notes can provide deeper insight into the actual behaviors of users.
Finally, and most importantly, Slack Bot Boomerang user context is synced back to the alert in the Panther console. The context is attached to the alert, providing relevant information to collaborators and becoming a historical record. The automated syncing means user responses no longer need to be manually moved between platforms – or potentially forgotten in a Slack Direct Message. By reducing context switching and manual steps involved in triage, Slack Bot Boomerangs will help resolve alerts more quickly and effectively.
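As an added illustration (not Panther's code, and not code from this post), the following Python sketches the round trip the Boomerang workflow describes: a Slack Block Kit message carrying the alert details with confirm/deny buttons and a notes field, Slack's signed interaction callback verified before anything in it is trusted, and the user's answer appended to the alert record so it becomes part of the alert's history. The `Alert` class, the in-memory alert store, the handler names and the sample reply are assumptions made for the example; the message and `block_actions` payload shapes are Slack's standard formats.

```python
# Added illustration of the boomerang round-trip described above. This is NOT
# Panther's code; the Alert class, handler names and the in-memory alert store
# are assumptions made for the example.
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Alert:
    """Minimal stand-in for a SIEM alert record (assumed structure)."""
    alert_id: str
    title: str
    actor: str                                   # Slack user id of the implicated user
    context: list = field(default_factory=list)  # synced user responses


def build_boomerang(alert: Alert) -> dict:
    """Block Kit message (chat.postMessage body) sent to the implicated user:
    alert details, an optional notes box and confirm/deny buttons.
    The button 'value' carries the alert id so the reply can be matched."""
    return {
        "channel": alert.actor,
        "text": f"Please confirm the activity in alert {alert.alert_id}",
        "blocks": [
            {"type": "section",
             "text": {"type": "mrkdwn",
                      "text": f"*{alert.title}*\nAlert `{alert.alert_id}` "
                              "was attributed to you. Was this you?"}},
            {"type": "input", "block_id": "notes", "optional": True,
             "label": {"type": "plain_text", "text": "Notes (e.g. travelling, on-call)"},
             "element": {"type": "plain_text_input",
                         "action_id": "notes_input", "multiline": True}},
            {"type": "actions", "block_id": "decision", "elements": [
                {"type": "button", "action_id": "confirm", "style": "primary",
                 "value": alert.alert_id,
                 "text": {"type": "plain_text", "text": "Yes, that was me"}},
                {"type": "button", "action_id": "deny", "style": "danger",
                 "value": alert.alert_id,
                 "text": {"type": "plain_text", "text": "No, not me"}},
            ]},
        ],
    }


def sign_request(signing_secret: str, timestamp: int, body: str) -> str:
    """What Slack sends in X-Slack-Signature: HMAC-SHA256 over 'v0:<ts>:<body>'."""
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()


def verify_slack_signature(signing_secret: str, timestamp: int, body: str,
                           signature: str, now: Optional[float] = None) -> bool:
    """Reject stale (>5 min, i.e. replayed) or forged interaction callbacks
    before anything in the payload is trusted."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > 300:
        return False
    return hmac.compare_digest(sign_request(signing_secret, timestamp, body), signature)


def handle_response(alerts: dict, payload: dict) -> dict:
    """Parse a block_actions interaction payload and sync the answer back onto
    the alert. Only the implicated user may answer for themselves."""
    if payload.get("type") != "block_actions":
        raise ValueError("not a block_actions payload")
    action = payload["actions"][0]
    if action["action_id"] not in ("confirm", "deny"):
        raise ValueError(f"unexpected action {action['action_id']}")
    alert = alerts[action["value"]]
    responder = payload["user"]["id"]
    if responder != alert.actor:
        raise PermissionError(f"{responder} is not the implicated user for {alert.alert_id}")
    # Free-text notes arrive under state.values[block_id][action_id].value
    notes = (payload.get("state", {}).get("values", {})
             .get("notes", {}).get("notes_input", {}).get("value")) or ""
    entry = {
        "source": "slack_boomerang",
        "user": responder,
        "response": "confirmed" if action["action_id"] == "confirm" else "denied",
        "notes": notes,
        "at": action["action_ts"],
    }
    alert.context.append(entry)  # becomes part of the alert's historical record
    return entry


# Constructed sample data: one alert, and the reply Slack would POST back.
SAMPLE_ALERT = Alert("a1b2c3", "Okta login from new country", "U0123ABC")
SAMPLE_REPLY = {
    "type": "block_actions",
    "user": {"id": "U0123ABC", "username": "jdoe"},
    "actions": [{"action_id": "confirm", "block_id": "decision",
                 "value": "a1b2c3", "action_ts": "1700000000.000100"}],
    "state": {"values": {"notes": {"notes_input": {
        "type": "plain_text_input", "value": "Travelling for the offsite"}}}},
}

if __name__ == "__main__":
    print(json.dumps(build_boomerang(SAMPLE_ALERT), indent=2))
    print(handle_response({"a1b2c3": SAMPLE_ALERT}, SAMPLE_REPLY))
```

Two checks in `handle_response` are the ones a practitioner should not skip: the callback's signature and timestamp are verified before the payload is parsed, and the responding Slack user must be the user the boomerang was sent to, so nobody else can "confirm" activity on that user's behalf and have it land in the alert record as their word.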
At Panther, we’re working hard to improve every day. The Slack Bot Boomerang is the first of many iterations to our alert triage and response workflow. Our goal is to help teams seamlessly retrieve relevant alert context without unnecessary manual work.
By enabling security teams to work effectively in tools like Slack, we hope to reduce constant context-switching and accelerate response & resolution. To incorporate the Panther Slack Bot and Slack Bot Boomerangs into your response workflow – request a demo.