How can I get a list of all Panther detections that triggered an alert to Slackbot within a specific timeframe?

Last updated: September 3, 2024

QUESTION

How can I get a list of all detections that triggered an alert to the Slackbot within a specific timeframe?

ANSWER

To do this:

  1. Track Slack outputIds along with OK Status Codes for every alert based on your filters.

  2. Review the delivery of each alert's Alert Destination and compare the Status Code with the outputId of their known Slack Destinations.

    1. For example, you have SlackDestA, SlackDestB, and SlackDestC. For every alert, you will need to examine the following: deliveries {dispatchedAt, statusCode, outputId}

  3. Copy the destinationID from the Alert Destinations page for your Slack destination(s). 

    slackdest.png

    • By using a ListAlerts query similar to the example below, the destinationID will be matched with the outputId if the alert was sent to that destination, specifically Slack.

  4. An alert will be successfully sent to the destination if the statusCode is within the range of 200 and 299 (2XX).

    • In outputId, we are specifically looking for the outputId of SlackDest A, B, and C, and then verifying if it has a successful status code.

List alerts example from Step 3:

query ListAlerts {
  alerts(
    input: {
      pageSize: 50,
      severities: [INFO, LOW, MEDIUM, HIGH, CRITICAL],
      createdAtAfter: "2023-09-13T17:45:00.000Z",
      createdAtBefore: "2023-09-18T17:45:00.000Z"
    }
  ) {
    edges {
      node {
        id
        title
        deliveries {
          dispatchedAt
          statusCode
          outputId
        }
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}