Why did a large number of alerts trigger at the same time from Panther?
Issue
You unexpectedly received a large number of alerts at the same time.
Resolution
To troubleshoot the cause of this issue:
- Review a few of the triggered alerts to determine whether they were for a Policy Failure (as a result of the daily Cloud Security scan) or a Rule Match.
- If the alert type is a Rule Match, investigate the detection(s) that caused this alert to trigger.
- If the alert type is a Policy Failure:
  - Investigate the policy that is causing the alert to trigger.
  - Check whether the excessive alerts were caused by misconfigured regions and resources:
    - In your Panther Console, go to Integrations > Cloud Accounts.
    - Click ... on the right side of a cloud account in the list, then click Edit.
    - Click to expand the Advanced Options. Here you can exclude AWS Regions, Resource Types, and Resources from the scan.
Cause
This can be caused by:
- The daily Cloud Security scan running and sending all of its Policy Failure alerts at once.
- Misconfigurations in Policy Detection or Rule Detection Python logic, such as a condition that matches nearly every event or resource.
- Many policies being updated at the same time. Updating many different policies triggers a re-scan of the resources, and every failure found by that re-scan alerts concurrently.
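The second cause above is the easiest to reproduce locally. The following is an added example, not code from this article or from Panther itself: a Panther-style rule module whose comparison operator is inverted, so it matches almost every event, placed beside the corrected rule and a `dedup` function, and run over a constructed batch of CloudTrail-like events. Panther does call `rule(event)`, `title(event)` and `dedup(event)` per event, but the event field names, the sample data and the `run_rule` harness here are assumptions for illustration.

```python
"""
Added example (not from the Panther article or Panther's own code).

Shows why one misconfigured rule produces a burst of alerts: an inverted
comparison makes the rule fire on every non-login event. The event shape,
sample data and the run_rule() harness are assumptions; a real Panther
rule module exposes rule(event), title(event) and dedup(event).
"""

# Constructed sample events (not real log data), shaped like CloudTrail.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "DescribeInstances", "userIdentity": {"userName": "carol"},
     "responseElements": None},
    {"eventName": "GetObject", "userIdentity": {"userName": "carol"},
     "responseElements": None},
    {"eventName": "PutObject", "userIdentity": {"userName": "dave"},
     "responseElements": None},
    {"eventName": "ListBuckets", "userIdentity": {"userName": "dave"},
     "responseElements": None},
    {"eventName": "AssumeRole", "userIdentity": {"userName": "alice"},
     "responseElements": None},
]


def _login_failed(event):
    """True when a ConsoleLogin event reports a failed login."""
    # responseElements may be absent or None on non-login events.
    response = event.get("responseElements") or {}
    return response.get("ConsoleLogin") == "Failure"


def rule_misconfigured(event):
    """Intended: alert on failed console logins only.

    Bug: the eventName comparison is inverted (`!=` with `or`), so every event
    that is NOT a ConsoleLogin matches, and the rule fires on almost everything.
    """
    return event.get("eventName") != "ConsoleLogin" or _login_failed(event)


def rule_fixed(event):
    """Corrected rule: both conditions must hold."""
    return event.get("eventName") == "ConsoleLogin" and _login_failed(event)


def title(event):
    """Alert title, as Panther would call it for a matching event."""
    user = (event.get("userIdentity") or {}).get("userName", "unknown")
    return f"Failed console login for {user}"


def dedup(event):
    """Dedup key: one alert per user within the dedup window rather than one
    per matching event, which limits the size of any burst."""
    return (event.get("userIdentity") or {}).get("userName", "unknown")


def run_rule(rule_fn, events, dedup_fn=None):
    """Return (matching events, distinct alerts after dedup) for a rule.

    Assumed harness standing in for the Panther rules engine.
    """
    matches = [e for e in events if rule_fn(e)]
    if dedup_fn is None:
        return len(matches), len(matches)
    return len(matches), len({dedup_fn(e) for e in matches})


if __name__ == "__main__":
    for name, fn in (("misconfigured", rule_misconfigured), ("fixed", rule_fixed)):
        matched, alerts = run_rule(fn, SAMPLE_EVENTS, dedup)
        print(f"{name}: {matched}/{len(SAMPLE_EVENTS)} events matched, "
              f"{alerts} alerts after dedup")
```

Running the misconfigured rule over the eight sample events matches seven of them (every non-login event plus the two real failures), while the corrected rule matches only the two failed logins. Checking a rule's match rate against a representative sample like this before deploying it, and giving it a `dedup` key, are the two cheapest ways to keep a logic error from turning into a flood of simultaneous alerts.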