
Faster Triaging with Slack Bot Boomerangs

Ted Kietzman

Iterating on the Panther Slack Bot

Last month, we announced our Panther Slack Bot – a robust integration that enables security teams to review and take action on alerts directly from Slack. The Slack Bot has already helped customers streamline their response workflows, removing time-consuming clicks and window switches. However, at Panther, we’re always moving forward – and we’ve already developed a new and notable component of the Slack Bot.

Phantom Threads & Lost DMs

To set the stage, when triaging alerts from a SIEM, the first few steps involve gathering the right context to properly assess the alert. Is this alert a false positive? Does it require deeper investigation? Oftentimes, these questions are most easily answered by reaching out to the user involved to understand why the alert was triggered.

However, this process requires a couple of extra steps and often creates lost context and phantom Slack DMs. To be clear, it’s not *that* difficult to spin up a new Slack DM to ask John Doe about their actions surrounding the relevant alert. It’s just another click or two. The real frustration arises when John’s response isn’t automatically synced to the relevant alert. If the analyst working the alert forgets to manually move the context over, the user’s response exists in a DM somewhere – doomed to fade away into Slack’s memory hole.

Introducing: Slack Bot Boomerangs

To make gathering relevant context around alerts more seamless, Panther is introducing Slack Bot Boomerangs. After Slack Bot Boomerangs are enabled, security teams can click the Boomerang icon and send an interactive message right from the alert thread in Slack. There is no longer the extra step of creating a one-off DM with the implicated user. The message is customizable and includes the relevant alert details to facilitate a quick user response.

[Screenshot: a Slack alert thread showing the Boomerang icon]
Clicking the Boomerang icon enables gathering context from a relevant user.

[Screenshot: a Slack dialog box for selecting a recipient, writing a custom message, and a checkbox to share event details]
Send alert context and a customized message via the Boomerang.

From here, users have the option to confirm that they performed the actions detected in the alert or to flag the activity as suspicious. In the case where a user confirms a false positive, alert resolution is accelerated – with the added benefit that the user’s context may help improve the performance of the relevant detection.

Additionally, users can provide written notes regarding the alert. For example, perhaps the user was traveling and triggered a geolocation-based detection, or maybe the user was “on-call” and performed an action they don’t typically perform. The notes can provide deeper insight into the actual behaviors of users.

[Screenshot: a Boomerang prompt asking Rob whether he logged into an environment, with Rob confirming it was legitimate activity]
User feedback confirms a false positive in Slack.

[Screenshot: a Boomerang prompt asking Rob why he logged into an environment, with the response returned as "Suspicious Activity"]
User confirms suspicious activity in Slack.

Finally, and most importantly, Slack Bot Boomerang user context is synced back to the alert in the Panther console. The context is attached to the alert, providing relevant information to collaborators and becoming a historical record. The automated syncing means user responses no longer need to be manually moved between platforms – or potentially forgotten in a Slack Direct Message. By reducing context switching and manual steps involved in triage, Slack Bot Boomerangs will help resolve alerts more quickly and effectively.

[Screenshot: the Panther console for this alert, showing both the Boomerang prompt and the response synced to the alert history]
Boomerang context automatically synced back to the Panther console.

Conclusion: Relevant Context without the Frustration

At Panther, we’re working hard to improve every day. The Slack Bot Boomerang is the first of many iterations of our alert triage and response workflow. Our goal is to help teams seamlessly retrieve relevant alert context without unnecessary manual work.

By enabling security teams to work effectively in tools like Slack, we hope to reduce constant context-switching and accelerate response & resolution. To incorporate the Panther Slack Bot and Slack Bot Boomerangs into your response workflow – request a demo. Or, for a hands-on experience, try Panther today.