I'm using a detection that fires an alert when a document is shared outside my organization. Lately it's been sending a lot of alerts, but in the log data for those alerts, the values in the
p_any_usernames field mostly only include one of our internal domains.
To resolve this issue, you may need to clone and modify the detection to include or exclude a domain name from the list of allowed domains.
For example, in this detection, the "Operation" is "AddedToSecureLink", and when this detection sees a log with that operation type, it checks the
SourceRelativeUrl to make sure it's allowed. You can adjust your
ALLOWED_PATHS variable in that detection to allow the things being shared. If you have any questions about how to do this, please contact Panther Support.
This issue can occur when the detection's list of allowed domains does not include all of the domains that the organization considers friendly.