Receiving a high severity alert in Panther for a detection that has low severity

Issue

Why am I receiving a high severity alert in my Panther Console for a detection that has been configured with low severity?

Resolution

To troubleshoot, perform the following steps:

1. Log in to your Panther Console and navigate to your Alerts.
2. Locate the alert that you want to investigate and check for the Rule field that appears just under the name of the alert.
   • This will help you identify which rule has triggered each alert.
3. Click on the Rule field in order to check the rule configuration. Look at the upper right of your screen and locate the severity of the rule. 
   • If the severity of the rule does not match what you received in your alert, check to see whether there are detections with similar names that may have triggered the alert: Navigate to Build > Detections and then start typing the name of the detection.
   • An example of this is that there are three different rules named "AWS GuardDuty <> Severity Finding" in Panther:
     • AWS GuardDuty Medium Severity Finding
     • AWS GuardDuty High Severity Finding
     • AWS GuardDuty Low Severity Finding

Cause

The most probable explanation for this behavior is that there are different detections configured in your Panther Console, each of them having a different severity, but with similar titles.