Skip to main content
Panther Knowledge Base

How to create a link to Indicator Search from a Panther detection and include it in alerts

  1. Last updated
  2. Save as PDF

QUESTION

How do I create a link to an Indicator Search query from within a detection, and add this to the detection's Alert Runbook? This way, when a detection is fired, I can more quickly find additional context about the event that triggered the alert.

ANSWER

The Runbook can only contain static information and can only be edited on Rules and Scheduled rules, but you can include dynamic information in an alert using the alert_context() function, which populates the Alert Context field when a detection is fired.

To link to Indicator search, you can:

  1. Craft a query in your detection. 
  2. Send it to Panther via GQL.
  3. Put the query ID of that query in the alert_context() function as mentioned above. 

For more information about this kind of query, please see this page, especially the section and tab, "Executing queries" > "Executing an Indicator Search query". Please note that query results are limited to 100MB when using the API this way.


To simplify your detection code further, copy the raw generated SQL from Panther, convert it to Python in a helper function, and import that helper into your detection.