Panther Knowledge Base

Error "We've noticed an unusually high number of alerts for the time frame you've selected" when viewing the Overview Dashboard in Panther

Issue

The Dashboard Overview page in the Panther Console isn't populating, and displays the following message: 

"We've noticed an unusually high number of alerts for the time frame you've selected"

Resolution

To resolve this issue:

  • Set a smaller time frame for the Dashboard. To do this, click the date picker in the upper right corner on that page.


You can also find alert data with these alternate methods: 

SQL query in Data Explorer

Use the following query to find the number of Alerts by Log Source, Log Type, and Severity:

SELECT p_source_label, p_log_type, p_alert_severity, COUNT(DISTINCT(p_alert_id)) AS number_of_alerts
FROM panther_views.public.all_rule_matches
WHERE p_occurs_since('1 week')
GROUP BY p_source_label, p_log_type, p_alert_severity
ORDER BY number_of_alerts DESC
LIMIT 100

API Calls to get your OPEN Alerts

1. Obtain your unique User ID:

query all_users {
  users {
    id
    givenName
    familyName
    email
  }
}

2. Pull your open alerts:

query FirstPageOfMyAlerts {
  alerts(input: {
    createdAtAfter: "2023-02-21T00:00:00.000Z",
    createdAtBefore: "2023-02-28T00:00:00.000Z",
    statuses: OPEN,
    assigneeIds: "Your ID" # replace with the id returned in step 1
  }) {
    edges {
      node { # you can ask for more alert-related fields here
        id
        title
        severity
        status
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}

For more information about Panther's API, check out "How to use Panther's API" in our docs.
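
The query in step 2 returns only the first page of results. The following added example (not part of the original article and not Panther's own code) follows pageInfo.endCursor until hasNextPage is false and counts the open alerts by severity. The cursor input field, the AlertsInput type name, the X-API-Key header and the endpoint URL you pass in are assumptions to confirm against Panther's API docs.

```python
import json
import urllib.request
from collections import Counter

# Selection set copied from the article's query; the AlertsInput type name and
# the "cursor" input field are assumptions not shown in the article.
QUERY = """
query MyOpenAlerts($input: AlertsInput!) {
  alerts(input: $input) {
    edges { node { id title severity status } }
    pageInfo { hasNextPage endCursor }
  }
}
"""

def http_transport(url, api_key):
    """Return a callable that POSTs one GraphQL request (assumed X-API-Key header)."""
    def send(query, variables):
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(url, data=body, headers={
            "Content-Type": "application/json", "X-API-Key": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send

def iter_open_alerts(send, user_id, after, before, max_pages=1000):
    """Yield every OPEN alert assigned to user_id, following endCursor."""
    base = {"createdAtAfter": after, "createdAtBefore": before,
            "statuses": ["OPEN"], "assigneeIds": [user_id]}
    cursor = None
    for _ in range(max_pages):
        variables = {"input": dict(base, **({"cursor": cursor} if cursor else {}))}
        reply = send(QUERY, variables)
        if reply.get("errors"):
            raise RuntimeError(f"GraphQL error: {reply['errors']}")
        page = reply["data"]["alerts"]
        for edge in page["edges"]:
            yield edge["node"]
        info = page["pageInfo"]
        if not info["hasNextPage"]:
            return
        if not info["endCursor"] or info["endCursor"] == cursor:
            raise RuntimeError("cursor did not advance; stopping to avoid a loop")
        cursor = info["endCursor"]
    raise RuntimeError("max_pages reached before the last page")

def severity_counts(send, user_id, after, before):
    """Count open alerts per severity across all pages."""
    return Counter(a["severity"] for a in iter_open_alerts(send, user_id, after, before))
```

Build the transport with http_transport(url, api_key), reading the API key from a secret store or environment variable rather than hard-coding it, and pass the result as the send argument.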

Cause

This issue occurs when many alerts are triggered within a short timeframe, or when the time range chosen in the date picker includes too many alerts to display.

 

 
