Summary Attributes help answer the who, what and where questions when triaging the matching events of a rule alert. The feature is most useful when a rule has generated a large number of matching events, which makes it hard to understand the nature of the threat. The alert summary gives a view over all of the matching events that is often enough to avoid reviewing each event individually.

Each rule has a Summary Attributes field in the rule editor (lower right corner); in a rule's YAML spec this is the SummaryAttributes key, a list of field names. When an alert is displayed there is a Summary tab. Selecting the Summary tab shows the top five values for each declared Summary Attribute across the alert's matching events. Pick attributes that let you understand the nature of an alert at a glance.

For example, consider a rule that targets AWS.ALB logs. If we pick the userAgent field, then when we view an alert we immediately see the five most common user agents among the matching events. This can significantly speed up alert triage.

The same view is available for the Panther standard field p_any_ip_addresses. Notice that when you click on a bar in the summary, a Copy icon is displayed. Copying the attribute of interest is very handy, for example to paste it into Indicator Search and view all hits for that value across your data lake. Because only the top five values are shown, a low-frequency outlier (one unusual source IP among thousands of routine requests) may not appear in the summary; in that case use Indicator Search or query the alert's events directly.

If a rule has no Summary Attributes defined, summaries are computed for all the Panther standard p_any fields associated with the rule's target log types.
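The following is an added example, not code from the Panther documentation or product, that reproduces what the Summary tab computes so you can check a rule's Summary Attributes offline: the top five values per declared attribute, with the fallback to every p_any field when none are declared. The rule spec dicts mirror the LogTypes and SummaryAttributes YAML keys, the rule IDs and the events are constructed for illustration, and p_any_ip_addresses is treated as a list (Panther's p_any fields hold every indicator of that type found in the event, so one event can contribute several values).

```python
from collections import Counter

# Constructed rule specs mirroring the relevant keys of a Panther rule YAML.
# RuleID values are hypothetical.
RULE_WITH_SUMMARY = {
    "RuleID": "Example.ALB.SummaryDemo",
    "LogTypes": ["AWS.ALB"],
    "SummaryAttributes": ["userAgent", "p_any_ip_addresses"],
}
RULE_WITHOUT_SUMMARY = {
    "RuleID": "Example.ALB.NoSummary",
    "LogTypes": ["AWS.ALB"],
}

# Constructed matching events. Real AWS.ALB events carry many more fields;
# only those relevant to the summary are included here.
EVENTS = [
    {"userAgent": "curl/7.88.1", "p_any_ip_addresses": ["203.0.113.5"],
     "p_any_domain_names": ["example.test"]},
    {"userAgent": "curl/7.88.1", "p_any_ip_addresses": ["203.0.113.5"]},
    {"userAgent": "curl/7.88.1", "p_any_ip_addresses": ["198.51.100.7"]},
    {"userAgent": "Mozilla/5.0", "p_any_ip_addresses": ["198.51.100.7"],
     "p_any_domain_names": ["example.test"]},
    {"userAgent": "python-requests/2.31", "p_any_ip_addresses": ["203.0.113.5"],
     "p_any_domain_names": ["login.example.test"]},
    {"userAgent": "sqlmap/1.7", "p_any_ip_addresses": ["192.0.2.9", "192.0.2.10"]},
    # userAgent missing: the event simply does not count toward that attribute.
    {"p_any_ip_addresses": ["203.0.113.5", "10.0.0.4", "192.0.2.11"]},
]


def summary_fields(rule, event_keys):
    """Declared SummaryAttributes, or every p_any_* field present in the events
    when the rule declares none (the documented fallback)."""
    declared = rule.get("SummaryAttributes")
    if declared:
        return list(declared)
    return sorted(k for k in event_keys if k.startswith("p_any_"))


def top_values(events, field, n=5):
    """Count occurrences of `field` across events, expanding list-valued
    fields (p_any_*), and return the n most common as (value, count)."""
    counts = Counter()
    for event in events:
        value = event.get(field)
        if value is None:
            continue
        if isinstance(value, list):
            counts.update(str(v) for v in value)
        else:
            counts[str(value)] += 1
    return counts.most_common(n)


def summarize(rule, events, n=5):
    """Summary-tab view: {attribute: [(value, count), ...]} for the rule's
    summary fields over the alert's matching events."""
    keys = set()
    for event in events:
        keys.update(event)
    return {f: top_values(events, f, n) for f in summary_fields(rule, keys)}


def triage_indicators(rule, events):
    """The single most common value per attribute, i.e. what you would copy
    from the tallest bar and paste into Indicator Search."""
    return {f: top[0][0] for f, top in summarize(rule, events).items() if top}


if __name__ == "__main__":
    for rule in (RULE_WITH_SUMMARY, RULE_WITHOUT_SUMMARY):
        print(rule["RuleID"])
        for field, top in summarize(rule, EVENTS).items():
            print("  ", field, top)
```

Note that with seven events and six distinct IP addresses the sixth address (192.0.2.11) is cut from the top five, which is the limitation to keep in mind when the interesting value is rare rather than common.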