Using Panther’s new alert_context() detection function, defenders can include arbitrary data in alerts to more quickly obtain actionable insights about suspicious activity and enable security automation.
For example, by adding the following function to a detection that analyzes your Okta logs, you can include the actor’s IP addresses, actor, target, and client as a JSON payload in the alerts:

```python
def alert_context(event):
    # Values returned here are attached to the alert as a JSON payload;
    # event.get() with a default keeps the function safe when a field is absent.
    return {
        'ips': event.get('p_any_ip_addresses', []),
        'actor': event.get('actor'),
        'target': event.get('target'),
        'client': event.get('client'),
    }
```
With this additional context, you can triage alerts faster and enable powerful security automation. For example, by sending the above event metadata to a Security Orchestration Automation and Response (SOAR) platform like Tines, you can trigger a Slack-driven remediation workflow that confirms whether the unusual activity was authorized or fraudulent (as described in this blog).
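To show how alert_context() fits alongside rule() and title() in a detection, here is an added example that is not code from the original post or from Panther. It defines a hypothetical Okta rule (MFA factor deactivation), a small local harness (evaluate/run) that stands in for Panther's engine by calling alert_context() only for events that fire the rule, and constructed sample events shaped like Okta System Log records with Panther's p_any_ip_addresses enrichment field. The event field names are assumptions based on the Okta schema, and the sample values are made up.

```python
import json

# Constructed sample events shaped like Okta System Log records as Panther hands
# them to a detection. p_any_ip_addresses is a Panther enrichment field; all
# values below are made up for illustration.
SAMPLE_EVENTS = [
    {
        "eventType": "user.mfa.factor.deactivate",
        "outcome": {"result": "SUCCESS"},
        "actor": {"id": "00uEXAMPLE1", "type": "User",
                  "alternateId": "alice@example.com", "displayName": "Alice Example"},
        "client": {"ipAddress": "203.0.113.10",
                   "userAgent": {"browser": "CHROME", "os": "Mac OS X"}},
        "target": [{"id": "00uEXAMPLE1", "type": "User", "alternateId": "alice@example.com"}],
        "p_any_ip_addresses": ["203.0.113.10"],
    },
    {
        "eventType": "user.session.start",
        "outcome": {"result": "SUCCESS"},
        "actor": {"id": "00uEXAMPLE2", "type": "User",
                  "alternateId": "bob@example.com", "displayName": "Bob Example"},
        "client": {"ipAddress": "198.51.100.7",
                   "userAgent": {"browser": "FIREFOX", "os": "Windows"}},
        "target": [],
        "p_any_ip_addresses": ["198.51.100.7"],
    },
]


def rule(event):
    """Hypothetical rule: fire when an MFA factor is successfully deactivated."""
    outcome = event.get("outcome") or {}
    return (event.get("eventType") == "user.mfa.factor.deactivate"
            and outcome.get("result") == "SUCCESS")


def title(event):
    """Alert title built from the actor's login, with a fallback when it is missing."""
    actor = event.get("actor") or {}
    return f"Okta MFA factor deactivated for [{actor.get('alternateId', '<unknown actor>')}]"


def alert_context(event):
    """Context attached to the alert as a JSON payload.

    Same shape as the snippet in the post, plus the event type. Defaults keep
    the function safe on events that lack a field.
    """
    return {
        "ips": event.get("p_any_ip_addresses", []),
        "actor": event.get("actor"),
        "target": event.get("target"),
        "client": event.get("client"),
        "event_type": event.get("eventType"),
    }


def evaluate(event):
    """Local stand-in for the detection engine: returns None when the rule does
    not fire, otherwise an alert dict with its title and context."""
    if not rule(event):
        return None
    context = alert_context(event)
    # The payload is forwarded as JSON (e.g. to a SOAR platform), so it must
    # serialise; this raises early if a detection returns a non-JSON value.
    json.dumps(context)
    return {"title": title(event), "alert_context": context}


def run(events):
    """Evaluate a batch of events and return the alerts that fired."""
    return [alert for alert in (evaluate(e) for e in events) if alert is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

Running the module prints one alert for the MFA deactivation event with the actor, target, client and IP list embedded, which is the payload a downstream workflow (such as the Slack confirmation flow mentioned above) can act on without querying the log store again.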
With the Alert Context function, you can add helpful context to your alerts to:
Start adding context to your Panther alerts by following our docs. And to learn more about automating incident remediation, watch our on-demand webinar: Taking action on your security alerts with Panther and Tines.