Learn how to craft high-value alerts in Panther that trigger robust remediation workflows in the industry’s leading no-code security automation platform, Tines.

1. Taking Action on Your Security Alerts

2. Today’s Speakers
Jack Naglieri
Founder, CEO
Thomas Kinsella
Co-Founder, COO
8+ years in Detection and Response
Ex-Airbnb and Yahoo
Co-creator of StreamAlert
8+ years in Security Operations
Ex-DocuSign and eBay

3. Security teams must leverage automation
to keep up with continuously growing
attack surfaces and data volumes
The Problem

4. Teams can utilize Panther for security
analytics and Tines for automated security
response at cloud-scale
A Path Forward

5. ● Keep your team focused
● Avoid team burnout
● Modular, repeatable, tailored
● Scalable! Built for the cloud
Benefits of this Approach

6. Automating Detection and Response
Collect
Parse, normalize,
and store for
analytics
Detect
Apply real-time
Python detections
on logs
Alert
Fire off alerts to
Tines for automated
response and triage
Respond
Ping users for more
information, hit
external APIs, take
automated action
Investigate
Only triage and
investigate high-
confident alerts

7. 01
Scenario 1
SSO Monitoring

8. Scenario 1: Monitor admin assignment in Okta

9. Scenario 1 - Collect the Logs

10. Scenario 1 - Collect the Logs

11. Scenario 1 - Normalize

12. Scenario 1 - Understand the Logs

13. Scenario 1 - Write a Detection
Detection Logic
Alerting and
Grouping

14. Scenario 1 - Activity

15. Scenario 1 - Initial Alert

16. Scenario 1 - Responding to Alerts
Incoming Alerts

17. Scenario 1 - Responding to Alerts

18. ● Pass Alert Context
● Parameterized
requests
● Shared API
credentials
● Templates for 150+
tools, but trivial to
edit to make your
own calls
Scenario 1 - Configuring Stories

19. Scenario 1 - Analyzing API Responses

20. Scenario 1 - Ping Users

21. Scenario 1 - Create a Case

22. Scenario 1 - Recap
● Flexible Detections
● Data Lake for Analytics
● Get context on initial signal with VirusTotal
● Ping employees to validate activity
● Automate remediation and containment
● Create repeatable Stories and workflows

23. 02
Scenario 2
Alert Post-Processing

24. Scenario 2: Alert Enrichment and Post-Processing

25. Scenario 2 - Initial Alert

26. Scenario 2 - Initial Alert

27. Scenario 2 - Alert Context

28. Scenario 2 - Enrichment

29. Scenario 2 - Data Schemas
● Panther normalizes data based on a schema
● Enables detection, analytics, and storage
● YML declaration in the UI

30. Scenario 2 - Post-Processing

31. Scenario 2 - Alert

32. Scenario 2 - Searching Data

33. Scenario 2 - Recap
● Flag initial activity
● Send to Tines for automating lookups
● Use a repeatable ‘Send to Story’ to analyze IP
● Feedback into Panther via S3
● Post-process with Python
● Store in SQL for a history of records

34. 03
Wrapping Up

35. Automate all of the things!
● High-scale data processing and analytics
● Detections as Code
● Automated Response
● Plug into commonly used security APIs
● Kick-start your investigations
● Tailored to fit your needs
● Flexible deployments
Better Together

36. Get Started
Join Panther & Tines Community
We can't wait to see what you build!
slack.runpanther.io
github.com/panther-labs/panther
sales@runpanther.io
tines.io/slack
tines.io/community-edition
sales@tines.io

37. Be sure to check out our
blog.runpanther.io!

38. 04
Q & A

39. Thank You