Request a Demo

Activate Security Automation with Alert Context

Share this article:TwitterLinkedIn
Remediate incidents faster and gain better visibility into activity across your environment with context-rich security alerts


Using Panther’s new alert_context() detection function, defenders can include arbitrary data in alerts to more quickly obtain actionable insights about suspicious activity and enable security automation.

For example, by adding the following code to detection that’s analyzing your Okta logs, you can include the actor’s IP address, entity, target, and client as a JSON payload in the alerts:

def alert_context(event):
 return {
 'ips':event.get('p_any_ip_addresses', []),
 'actor': event.get('actor'),
 'target': event.get('target'),
 'client': event.get('client'),


With this additional context, you can triage alerts faster and enable powerful security automation. For example, by sending the above event metadata to a Security Orchestration Automation and Response (SOAR) platform like Tines, you can trigger a Slack-driven remediation workflow that confirms whether the unusual activity was authorized or fraudulent (as described in this blog).

How does this impact you

With the Alert Context function, you can add helpful context to your alerts to:

  • More quickly understand the severity of an incident
  • Activate security automation with a SOAR platform

Get started

Start adding context to your Panther alerts by following our docs. And to learn more about automating incident remediation, watch our on-demand webinar: Taking action on your security alerts with Panther and Tines.

Run Panther

Detect suspicious activity in real-time, transform raw logs into a robust security data lake, and build a world-class security program with Panther.

Please note

This is a widgetized sidebar area and you can place any widget here, as you would with the classic WordPress sidebar.