Activate Security Automation with Alert Context

Remediate incidents faster and gain better visibility into activity across your environment with context-rich security alerts

What

Using Panther’s new alert_context() detection function, defenders can include arbitrary data in alerts to more quickly obtain actionable insights about suspicious activity and enable security automation.

For example, by adding the following function to a detection that analyzes your Okta logs, you can include the actor's IP addresses, actor, target, and client as a JSON payload in the alerts:

    def alert_context(event):
        # Returned dict is serialized to JSON and attached to the alert
        return {
            'ips': event.get('p_any_ip_addresses', []),
            'actor': event.get('actor'),
            'target': event.get('target'),
            'client': event.get('client'),
        }
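As an added example (not Panther's own code), here is a complete detection in the same style: rule() decides whether an Okta event fires, title() names the alert, and alert_context() attaches the JSON payload. The constructed sample event, its Okta field names, and the small evaluate() harness that stands in for Panther's engine are assumptions.

```python
import json

# Constructed sample Okta System Log event in the shape a Panther detection
# receives (assumption): Okta fields plus Panther's p_any_ip_addresses enrichment.
SAMPLE_EVENT = {
    'eventType': 'user.session.start',
    'outcome': {'result': 'FAILURE', 'reason': 'INVALID_CREDENTIALS'},
    'actor': {'alternateId': 'jdoe@example.com', 'type': 'User'},
    'target': [{'alternateId': 'Okta Dashboard', 'type': 'AppInstance'}],
    'client': {'userAgent': {'browser': 'CHROME', 'os': 'Mac OS X'},
               'ipAddress': '203.0.113.7'},
    'p_any_ip_addresses': ['203.0.113.7'],
}


def rule(event):
    """Fire on failed Okta authentication attempts."""
    return (event.get('eventType') == 'user.session.start'
            and event.get('outcome', {}).get('result') == 'FAILURE')


def title(event):
    """Human-readable alert title built from the actor."""
    actor = event.get('actor') or {}
    return f"Okta login failure for {actor.get('alternateId', 'unknown user')}"


def alert_context(event):
    """Extra fields attached to the alert for triage and SOAR automation."""
    return {
        'ips': event.get('p_any_ip_addresses', []),
        'actor': event.get('actor'),
        'target': event.get('target'),
        'client': event.get('client'),
        'reason': event.get('outcome', {}).get('reason'),
    }


def evaluate(event):
    """Stand-in for the engine (assumption): return the alert payload when
    rule() matches, otherwise None. The context must be JSON-serialisable."""
    if not rule(event):
        return None
    context = alert_context(event)
    json.dumps(context)  # raises TypeError if a value cannot be serialised
    return {'title': title(event), 'alert_context': context}


if __name__ == '__main__':
    print(json.dumps(evaluate(SAMPLE_EVENT), indent=2))
```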

Why

With this additional context, you can triage alerts faster and enable powerful security automation. For example, by sending the above event metadata to a Security Orchestration Automation and Response (SOAR) platform like Tines, you can trigger a Slack-driven remediation workflow that confirms whether the unusual activity was authorized or fraudulent (as described in this blog).

How does this impact you?

With the Alert Context function, you can add helpful context to your alerts to:

  • More quickly understand the severity of an incident
  • Activate security automation with a SOAR platform

Get started

Start adding context to your Panther alerts by following our docs. And to learn more about automating incident remediation, watch our on-demand webinar: Taking action on your security alerts with Panther and Tines.
