Panther Knowledge Base

Why did a large number of alerts trigger at the same time from Panther?

Issue

You unexpectedly received a large number of alerts at the same time.

Resolution

To troubleshoot the cause of this issue:

  • Verify whether these alerts came from the daily Cloud Security scan or from Python detections matching incoming log events.
    • To prevent excessive alerts caused by misconfigured regions and resources:
      1. In your Panther Console, go to Integrations > Cloud Accounts.
      2. Click ... on the right side of a cloud account in the list, then click Edit.
      3. Click to expand the Advanced Options. You can exclude AWS Regions, Resource Types, and Resources.
        The "Advanced Options" window displays which AWS Regions to exclude; in this image, it excludes us-east-1. The window also displays options to Exclude Resource Types and Exclude Resources by Regex.
  • Investigate a few of the triggered alerts to determine whether the alert type is a Policy Failure or a Rule Match. This tells you whether the issue comes from a policy or from a rule.
    • If the alert type is a Rule Match, investigate the detection(s) that caused this alert to trigger.
    • If the alert type is a Policy Failure, investigate the policy that is causing the alert to trigger.

Cause

This can be caused by:

  • The daily Cloud Security scan running and sending the alerts all at once.
  • Misconfigurations in Policy Detection or Rule Detection Python logic.
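
To make the second cause concrete, here is an added example (not code from this article or from Panther) of a Panther-style `rule(event)` and `policy(resource)` whose logic fires on far more inputs than intended, each beside a corrected version. The sample events and resources, and their field names, are constructed for the example and are not Panther's log or resource schema; a small counting helper shows how many alerts each version would raise over the same inputs.

```python
"""Added example: over-broad Panther-style detections beside corrected ones.

Panther rules return True when an event should alert; policies return True
when a resource is compliant (False raises a Policy Failure alert). The inputs
below are constructed for illustration only.
"""

# Constructed CloudTrail-like events (assumed field names, not real log data).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication",
     "sourceIPAddress": "198.51.100.7"},
    # Successful login: the "errorMessage" key is absent entirely.
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5"},
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5"},
    {"eventName": "PutObject", "sourceIPAddress": "203.0.113.9"},
]

# Constructed cloud resources (assumed field names, not Panther's schema).
SAMPLE_RESOURCES = [
    {"Name": "bucket-a", "Encryption": {"Algorithm": "AES256"}},
    {"Name": "bucket-b", "Encryption": {"Algorithm": "aws:kms"}},
    {"Name": "bucket-c", "Encryption": None},
]


def rule_broken(event):
    """Intended: alert on failed console logins.

    Defect: a missing "errorMessage" key yields None, and None != "" is True,
    so every event, including successful logins and unrelated API calls, fires.
    """
    return event.get("errorMessage") != ""


def rule_fixed(event):
    """Scope to the event of interest and default the missing key safely."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    return event.get("errorMessage", "") != ""


def policy_broken(resource):
    """Intended: pass when default encryption is configured.

    Defect: the key is misspelled, so the lookup is always None and every
    resource fails, producing one alert per resource on each daily scan.
    """
    return resource.get("Encrpytion") is not None


def policy_fixed(resource):
    """Look up the correct (constructed) key name."""
    return resource.get("Encryption") is not None


def count_rule_alerts(rule, events):
    """Number of events for which a rule returns True (one alert each)."""
    return sum(1 for event in events if rule(event))


def count_policy_failures(policy, resources):
    """Number of resources for which a policy returns False (one alert each)."""
    return sum(1 for resource in resources if not policy(resource))


def alert_volume_report():
    """Alert counts for each detection version over the same sample inputs."""
    return {
        "rule_broken": count_rule_alerts(rule_broken, SAMPLE_EVENTS),
        "rule_fixed": count_rule_alerts(rule_fixed, SAMPLE_EVENTS),
        "policy_broken": count_policy_failures(policy_broken, SAMPLE_RESOURCES),
        "policy_fixed": count_policy_failures(policy_fixed, SAMPLE_RESOURCES),
    }


if __name__ == "__main__":
    for name, count in alert_volume_report().items():
        print(f"{name}: {count} alert(s)")
```

Running a candidate detection over a representative sample of events or resources like this, before deploying it, is the quickest way to notice that it would match nearly everything and flood the alert queue.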