Panther Knowledge Base

Policy deduplication in Panther for quickly-changing resources

QUESTION

When a resource becomes unhealthy, a policy watching that resource for the issue would fire an alert. What happens to that alert if a resource was misconfigured and then fixed, but then shortly after that it was misconfigured again by accident? Does the alert fire again?

ANSWER

In general, Panther sends an alert for any Policy whose status changes from PASS to FAIL. In the scenario above, there is an extremely low but non-zero possibility that the changes to the resource happen too quickly for Panther's scanning to notice. In that case, Panther never sees the Policy change from FAIL to PASS, so if the resource still fails the Policy at the next scan, a second alert is not sent, because there was no PASS to FAIL transition to trigger one. Real-time monitoring reduces the likelihood of that situation even further.
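The following is an added illustration, not Panther's code: a simplified model of alerting on PASS to FAIL transitions, run over a constructed timeline in which a resource is misconfigured, fixed, and misconfigured again five minutes later. The timeline, the scan intervals and all function names are assumptions made for the example.

```python
from bisect import bisect_right

# Constructed timeline of (minute, compliant?) changes to one resource:
# healthy at 0, misconfigured at 10, fixed at 70, misconfigured again at 75.
CHANGES = [(0, True), (10, False), (70, True), (75, False)]


def state_at(changes, minute):
    """Return True if the resource is compliant at the given minute."""
    times = [t for t, _ in changes]
    return changes[bisect_right(times, minute) - 1][1]


def alerts_for_scans(changes, scan_times):
    """Return the scan times at which an alert fires.

    Models transition-based alerting: an alert is sent only when the status
    observed at a scan is FAIL and the status at the previous scan was PASS.
    """
    alerts = []
    previous = "PASS"  # assumption: the resource passed before the first scan
    for minute in scan_times:
        status = "PASS" if state_at(changes, minute) else "FAIL"
        if previous == "PASS" and status == "FAIL":
            alerts.append(minute)
        previous = status
    return alerts


def scan_schedule(interval, end=120):
    """Scan times from minute 0 to `end`, every `interval` minutes."""
    return list(range(0, end + 1, interval))


if __name__ == "__main__":
    # Hourly scans see FAIL at 60 and FAIL at 120: the fix at minute 70 and
    # the re-break at minute 75 both fall between scans, so only one alert.
    print("hourly scans:    ", alerts_for_scans(CHANGES, scan_schedule(60)))
    # Near-real-time observation sees FAIL -> PASS -> FAIL and alerts twice.
    print("per-minute scans:", alerts_for_scans(CHANGES, scan_schedule(1)))
```

With hourly scans the resource is failing at the end of the timeline but only the first misconfiguration produced an alert, which is why the list of currently failing resources is worth checking alongside alerts.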

It is also possible for a resource to fail a policy and send an alert, and for the alert to be resolved without the resource being fixed. In the Panther Console, the best place to reliably see all failing resources is Investigate > Cloud Resources, filtered by Status: FAIL. You can also go to Build > Detections and filter by Detection Types: Policy and Policy Status: FAIL. To help you stay notified about unhealthy resources, we raised a feature request with our product team to have Panther send a second alert in situations like this. For more information, please contact Panther support.

 
