Panther Knowledge Base

Why did a large number of alerts trigger at the same time from Panther?

Issue

You unexpectedly received a large number of alerts at the same time.

Resolution

To troubleshoot the cause of this issue:

  • Review a few of the triggered alerts to determine whether they were for a Policy Failure (as a result of the daily Cloud Security scan) or a Rule Match.
    • If the alert type is a Rule Match, investigate the detection(s) that caused this alert to trigger.
    • If the alert type is a Policy Failure:
      • Investigate the policy that is causing the alert to trigger.
      • Check to see if the excessive alerts were caused by misconfigured regions and resources:
        1. In your Panther Console, go to Integrations > Cloud Accounts.
        2. Click ... on the right side of a cloud account in the list, then click Edit.
        3. Click to expand the Advanced Options. You can exclude AWS Regions, Resource Types, and Resources.
          The "Advanced Options" window displays which AWS Regions to exclude. In this image, it excludes us-east-1. The window also displays options to Exclude Resource Types and Exclude Resources by Regex.

Cause

This can be caused by:

  • The daily Cloud Security scan running and sending the alerts all at once.
  • Misconfigurations in Policy Detection or Rule Detection Python logic.
  • Many policies being updated at the same time. If you performed updates on many different policies, this triggers a re-scan of the resources, so the resulting alerts fire together.
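As an added illustration of the second cause (this is not code from the Panther Knowledge Base or from Panther), the following Panther-style rule shows Python logic that matches far more events than intended, beside a corrected version, with a small dry run over constructed events that counts matches before the rule is deployed. The event field names are CloudTrail-like and assumed for illustration.

```python
# Added example, not Panther's own code. Panther rules expose a function
# `rule(event)` that returns True to trigger an alert. The events below are
# constructed, with CloudTrail-like field names assumed for illustration.

from typing import Callable, Dict, List

# Constructed sample events: one failed console login, one successful login,
# and two unrelated API calls that carry no "responseElements".
SAMPLE_EVENTS: List[Dict] = [
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "DescribeInstances"},
    {"eventName": "PutObject"},
]


def rule_misconfigured(event: Dict) -> bool:
    # Intended: alert on failed console logins.
    # Bug: for events that are not ConsoleLogin the "ConsoleLogin" key is
    # absent, so the value is None, None != "Success" is True, and the rule
    # fires on nearly every event in the stream.
    return event.get("responseElements", {}).get("ConsoleLogin") != "Success"


def rule_fixed(event: Dict) -> bool:
    # Scope to the event type first, then compare against the value that
    # actually indicates a failure; unrelated events return False.
    if event.get("eventName") != "ConsoleLogin":
        return False
    response = event.get("responseElements") or {}
    return response.get("ConsoleLogin") == "Failure"


def dry_run(rule: Callable[[Dict], bool], events: List[Dict]) -> int:
    # Count the events the rule would alert on. A match count close to the
    # total is the signature of the alert flood described in the Cause section.
    return sum(1 for e in events if rule(e))


if __name__ == "__main__":
    for name, r in (("misconfigured", rule_misconfigured), ("fixed", rule_fixed)):
        print(f"{name}: {dry_run(r, SAMPLE_EVENTS)}/{len(SAMPLE_EVENTS)} events matched")
```

Running a detection against a handful of representative events like this, before pushing it, shows whether a change would fire on most of the log volume.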