Receiving a high severity alert in Panther for a detection that has low severity
Issue
Why am I receiving a high severity alert in my Panther Console for a detection that has been configured with low severity?
Resolution
To troubleshoot, perform the following steps:
- Log in to your Panther Console and navigate to your Alerts.
- Locate the alert that you want to investigate and check for the Rule field that appears just under the name of the alert.
- This will help you identify which rule has triggered each alert.
- Click the Rule field to open the rule configuration. The severity of the rule is shown in the upper right of the screen.
- If the severity of the rule does not match the severity of the alert you received, check whether there are detections with similar names that may have triggered the alert instead: navigate to Build > Detections and start typing the name of the detection.
- An example of this is that there are three different rules named "AWS GuardDuty <> Severity Finding" in Panther, each with its own configured severity.
Cause
The most probable explanation for this behavior is that several detections with similar titles but different severities are configured in your Panther Console, and the alert was raised by one of those rules rather than by the low-severity rule you were looking at.
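The mechanism behind the Cause above, as an added illustration that is not Panther's own code: three Panther-style rules whose titles differ only by severity level, each matching a different band of the GuardDuty finding's numeric severity. A single finding matches exactly one of them, so the alert carries that rule's configured severity, not the severity of a similarly named rule open in the Console. The rule names, the severity bands (low 1.0-3.9, medium 4.0-6.9, high 7.0-8.9, modelled on the bands in the GuardDuty documentation), the `Rule` class and the sample finding are all assumptions constructed for this example.

```python
"""
Added illustration (not Panther's own code). Three rules with near-identical
display names but different configured severities, each filtering on a
different band of the GuardDuty finding severity. Rule names, severity bands
and the sample finding are constructed assumptions for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """Minimal stand-in for a Panther rule: a display name, the severity the
    rule is configured with, and the rule() predicate that decides a match."""
    display_name: str
    severity: str
    rule: Callable[[Dict], bool]


def _guardduty_severity(event: Dict) -> Optional[float]:
    """Return the numeric finding severity, or None if it is missing or not a
    number, so a malformed event matches no band at all."""
    try:
        return float(event.get("severity"))
    except (TypeError, ValueError):
        return None


def _in_band(low: float, high: float) -> Callable[[Dict], bool]:
    """Build a rule() predicate matching severities in the inclusive band [low, high]."""
    def rule(event: Dict) -> bool:
        sev = _guardduty_severity(event)
        return sev is not None and low <= sev <= high
    return rule


# Three detections whose titles differ only by the severity word (assumed names/bands).
RULES: List[Rule] = [
    Rule("AWS GuardDuty Low Severity Finding", "LOW", _in_band(1.0, 3.9)),
    Rule("AWS GuardDuty Medium Severity Finding", "MEDIUM", _in_band(4.0, 6.9)),
    Rule("AWS GuardDuty High Severity Finding", "HIGH", _in_band(7.0, 8.9)),
]


def matching_rules(event: Dict, rules: List[Rule] = RULES) -> List[Rule]:
    """Every rule whose rule() predicate accepts the event."""
    return [r for r in rules if r.rule(event)]


def alert_severity_for(event: Dict, rules: List[Rule] = RULES) -> Optional[str]:
    """Severity of the alert this event would raise: the configured severity of
    the rule that fired. None when no rule matches."""
    matched = matching_rules(event, rules)
    if not matched:
        return None
    # The bands do not overlap, so exactly one rule can fire for a given finding.
    assert len(matched) == 1, "severity bands must not overlap"
    return matched[0].severity


def similarly_named_rules(name_fragment: str, rules: List[Rule] = RULES) -> List[str]:
    """Mirror the 'start typing the name' check under Build > Detections:
    list every rule whose display name contains the fragment (case-insensitive)."""
    needle = name_fragment.lower()
    return [r.display_name for r in rules if needle in r.display_name.lower()]


# Constructed sample finding (not a real GuardDuty event): severity 8.0.
SAMPLE_FINDING = {
    "type": "UnauthorizedAccess:IAMUser/ConsoleLogin",
    "severity": 8.0,
    "accountId": "123456789012",
}

if __name__ == "__main__":
    print("rules containing 'GuardDuty':", similarly_named_rules("GuardDuty"))
    # The low-severity rule never sees this finding; the high-severity one does.
    print("alert severity for sample finding:", alert_severity_for(SAMPLE_FINDING))
```

Running the block shows that a severity 8.0 finding produces a HIGH alert even though a rule named "AWS GuardDuty Low Severity Finding" exists, which is exactly the mismatch the steps above tell you to check for by searching Build > Detections for the shared name fragment.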