Can I send p_rule_reports to a custom webhook alert destination without using alert_context() in Panther?
Last updated: April 8, 2025
QUESTION
In Panther, the p_rule_reports field contains MITRE techniques, which we use to track coverage across our rules. How can I send p_rule_reports to a custom webhook alert destination without using alert_context, as that would require modifying every rule, including managed ones?
ANSWER
Panther doesn’t currently support sending p_rule_reports to a webhook alert destination unless it is added manually using the alert_context function in each detection. See the fields included in a webhook destination event here.
A workaround is to use Panther’s REST API to pull the MITRE mappings for each rule and update your Jira tickets automatically. This allows you to track MITRE techniques without modifying each rule individually.
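A sketch of that workaround, added here as an example and not taken from Panther's documentation or code: it pages through the rule list, reads each rule's MITRE entries, and inverts them into a per-technique coverage map that a ticket-update job could consume. The `/rules` path, `X-API-Key` header, `cursor` parameter, `results`/`next`/`reports` response keys, the `MITRE ATT&CK` report key and the environment variable names are assumptions to check against your instance's API reference; the sample pages are constructed.

```python
import json, os, urllib.parse, urllib.request
from collections import defaultdict

MITRE_KEY = "MITRE ATT&CK"  # assumed key inside each rule's reports map

def http_get_page(base_url, api_key, cursor=None):
    """Fetch one page of rules. Path, header and cursor parameter are assumptions."""
    query = "?" + urllib.parse.urlencode({"cursor": cursor}) if cursor else ""
    req = urllib.request.Request(base_url.rstrip("/") + "/rules" + query,
                                 headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def collect_mitre(get_page):
    """Walk every page and return {rule_id: sorted unique MITRE entries}."""
    mapping, cursor, seen = {}, None, set()
    while True:
        page = get_page(cursor)
        for rule in page.get("results", []):
            reports = rule.get("reports") or {}   # rules without reports map to []
            mapping[rule["id"]] = sorted(set(reports.get(MITRE_KEY, [])))
        cursor = page.get("next")
        if not cursor or cursor in seen:          # last page, or a repeated cursor
            return mapping
        seen.add(cursor)

def coverage_by_technique(mapping):
    """Invert the mapping to {MITRE entry: sorted rule ids} for coverage tracking."""
    coverage = defaultdict(list)
    for rule_id, entries in mapping.items():
        for entry in entries:
            coverage[entry].append(rule_id)
    return {entry: sorted(ids) for entry, ids in sorted(coverage.items())}

# Constructed sample pages standing in for API responses (not real rules).
SAMPLE_PAGES = {
    None: {"results": [{"id": "Example.Rule.A", "reports": {MITRE_KEY: ["TA0006:T1110"]}},
                       {"id": "Example.Rule.B", "reports": None}],
           "next": "page2"},
    "page2": {"results": [{"id": "Example.Rule.C", "reports": {
        MITRE_KEY: ["TA0001:T1078", "TA0006:T1110", "TA0001:T1078"], "CIS": ["1.1"]}}]},
}

def sample_get_page(cursor):
    return SAMPLE_PAGES[cursor]

if __name__ == "__main__":
    # Hypothetical variable names; keep the API key out of source control.
    url, key = os.environ.get("PANTHER_API_URL"), os.environ.get("PANTHER_API_KEY")
    fetch = (lambda c: http_get_page(url, key, c)) if url and key else sample_get_page
    print(json.dumps(coverage_by_technique(collect_mitre(fetch)), indent=2))
```

Rules that come back with an empty list, such as `Example.Rule.B` in the sample, are the ones with no MITRE mapping and are worth reporting separately as coverage gaps.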
See an example API call and response in the screenshot below:
