QUESTION

How do I create a link to a Panther Search query from within a detection, and add this to the detection's Alert Runbook? This way, when a detection is fired, I can more quickly find additional context about the event that triggered the alert.

ANSWER

The Runbook field holds static text only, and it can only be edited on Rules and Scheduled Rules. Dynamic, per-alert information belongs in the alert_context() function of the detection instead: whatever dictionary it returns populates the Alert Context field when the detection fires.

To link to Search, you can:

  1. Craft the SQL query in your detection code, built from the fields of the event that matched.

  2. Submit it to Panther through the GraphQL API, which returns a query ID.

  3. Return that query ID from alert_context() so it is attached to the alert, as described above.

For more information about issuing this kind of query, see the API data lake queries documentation. Note that query results are limited to 100MB when a query is run through the API this way.


To keep the detection itself short, copy the raw SQL that Panther generates for a Search, wrap it in a Python helper function that fills in the event fields it needs, and import that helper into your detection.
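The following is an added example that is not code from the original answer or from Panther: a Python detection that builds the Search SQL in a helper, submits it through the GraphQL API, and returns the query ID from alert_context(). It covers the three numbered steps and the helper-function suggestion above. Assumptions not taken from the page: the mutation shape `executeDataLakeQuery(input: {sql}) { id }` and the `X-API-Key` header (confirm against the Panther API docs for your deployment), the table `panther_logs.public.aws_cloudtrail` with its `userIdentity:arn` column, the 60-minute lookback window, the `p_event_time` string format, and all helper names. The sample event and the `fake_post` transport are constructed so the block runs offline.

```python
"""Added example: link a Panther alert to a Search query via alert_context().

Not Panther's own code. Assumed, not from the original page: the GraphQL
mutation shape, the X-API-Key header, the CloudTrail table and column names,
the 60-minute window, the p_event_time format and every helper name below.
"""
import json
import os
import urllib.request
from datetime import datetime, timedelta

PANTHER_API_URL = os.environ.get("PANTHER_API_URL", "https://example.runpanther.net/public/graphql")
PANTHER_API_TOKEN = os.environ.get("PANTHER_API_TOKEN", "")  # assumed header value
QUERY_WINDOW = timedelta(minutes=60)  # assumed lookback around the triggering event

# Assumed mutation shape; check the API data lake queries documentation.
ISSUE_QUERY_MUTATION = (
    "mutation IssueQuery($input: ExecuteDataLakeQueryInput!) {"
    " executeDataLakeQuery(input: $input) { id } }"
)


def sql_string(value):
    """Quote an event field as a SQL string literal.

    Event fields (ARNs, usernames, user agents) are attacker influenced, so
    they must never be f-stringed raw into the query text."""
    return "'" + str(value).replace("'", "''") + "'"


def build_search_sql(event):
    """Helper that holds the Search SQL; only the event-derived values vary."""
    actor = event.get("userIdentity", {}).get("arn", "")
    end = datetime.fromisoformat(event["p_event_time"])  # assumed "YYYY-MM-DD HH:MM:SS"
    start = end - QUERY_WINDOW
    fmt = "%Y-%m-%d %H:%M:%S"
    return (
        "SELECT p_event_time, eventName, sourceIPAddress, errorCode "
        "FROM panther_logs.public.aws_cloudtrail "  # assumed table
        f"WHERE userIdentity:arn = {sql_string(actor)} "  # assumed column
        f"AND p_event_time BETWEEN {sql_string(start.strftime(fmt))} "
        f"AND {sql_string(end.strftime(fmt))} "
        "ORDER BY p_event_time LIMIT 200"
    )


def _http_post(payload):
    """Real transport: POST the GraphQL document to Panther and parse the reply."""
    req = urllib.request.Request(
        PANTHER_API_URL,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "X-API-Key": PANTHER_API_TOKEN},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def issue_query(sql, post=_http_post):
    """Submit the SQL via GraphQL and return the query ID Panther assigns."""
    payload = {"query": ISSUE_QUERY_MUTATION, "variables": {"input": {"sql": sql}}}
    response = post(payload)
    if response.get("errors"):
        raise RuntimeError(f"Panther API error: {response['errors']}")
    return response["data"]["executeDataLakeQuery"]["id"]


def rule(event):
    return event.get("eventName") == "ConsoleLogin" and event.get("errorMessage") == "Failed authentication"


def build_alert_context(event, post=_http_post):
    """Alert context with the query ID; the alert must still fire if the API call fails."""
    sql = build_search_sql(event)
    ctx = {
        "actor": event.get("userIdentity", {}).get("arn", ""),
        "source_ip": event.get("sourceIPAddress", ""),
        "search_sql": sql,
    }
    try:
        ctx["search_query_id"] = issue_query(sql, post)
    except Exception as exc:  # network or API failure: record it, do not raise
        ctx["search_query_error"] = str(exc)
    return ctx


def alert_context(event):
    """Panther entry point; the returned dict becomes the Alert Context field."""
    return build_alert_context(event)


# Constructed CloudTrail-like record for offline runs (not real data).
SAMPLE_EVENT = {
    "eventName": "ConsoleLogin",
    "errorMessage": "Failed authentication",
    "sourceIPAddress": "203.0.113.7",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
    "p_event_time": "2024-05-01 12:34:56",
}


def fake_post(payload):
    """Constructed stand-in for the Panther API so the example runs offline."""
    if payload["query"] != ISSUE_QUERY_MUTATION:
        return {"errors": [{"message": "unexpected document"}]}
    return {"data": {"executeDataLakeQuery": {"id": "01H-CONSTRUCTED-QUERY-ID"}}}


if __name__ == "__main__":
    if rule(SAMPLE_EVENT):
        print(json.dumps(build_alert_context(SAMPLE_EVENT, post=fake_post), indent=2))
```

Two points worth keeping in mind when adapting this: the helper quotes every event-derived value, because log fields are attacker controlled and a raw f-string would let a crafted username rewrite the Search query; and the API call is wrapped so that a timeout or an API error is recorded in the context rather than breaking the detection. Since alert_context() runs for every matching event, each match issues a data lake query, so keep the rule's match condition tight or the query volume will follow the alert volume.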