How can I find our peak number of triggered rule and policy alerts per second in Panther?

Rules

To determine your maximum number of rule-alerts-created-per-second, run a SQL query similar to the following in Panther’s Data Explorer:

WITH rule_matches AS (
SELECT
   p_event_time as p_timeline,
   p_alert_id as alert_id,
   p_alert_creation_time,
   p_log_type

FROM
   panther_rule_matches.public.aws_cloudtrail
WHERE
   p_occurs_between('2024-02-27 23:46:57Z','2024-03-28 23:46:57Z')

UNION ALL

SELECT
   p_event_time as p_timeline,
   p_alert_id as alert_id,
   p_alert_creation_time,
   p_log_type

FROM
   panther_rule_matches.public.aws_vpcdns
WHERE
   p_occurs_between('2024-02-27 23:46:57Z','2024-03-28 23:46:57Z')

)

select
p_alert_creation_time
, count(distinct alert_id) as distinct_alert_ids
, count(1) as rule_match_count
, count(distinct p_log_type) as distinct_log_types

from rule_matches

group by p_alert_creation_time

order by distinct_alert_ids desc

limit 99

• Please make sure to replace the table value: panther_rule_matches.public.aws_cloudtrail with the one containing the log type you're searching for. Also adjust the p_occurs_between date ranges as needed.
• If your instance contains panther_views.public.all_rule_matches, there's no need to union the tables. You could instead adjust the query with p_log_type like 'AWS.%' or something similar to search for alerts from all log types from AWS or any other source.

Policies

Please contact the Panther Support team to determine the maximum number of policy-alerts-created-per-second.