Why did a large number of alerts trigger at the same time from Panther?
Issue
You unexpectedly received a large number of alerts at the same time.
Resolution
To troubleshoot the cause of this issue:
- Look at a few of the triggered alerts to determine their type: a Policy Failure (raised by the daily Cloud Security scan against your cloud resources) or a Rule Match (raised by a rule evaluating incoming log events).
- If the alert type is a Rule Match, investigate the detection(s) that caused the alerts to trigger and check whether the rule logic matches more events than intended.
- If the alert type is a Policy Failure:
  - Investigate the policy that is causing the alert to trigger.
  - Check whether the excessive alerts come from regions or resources that were not meant to be scanned:
    - In your Panther Console, go to Integrations > Cloud Accounts.
    - Click ... on the right side of a cloud account in the list, then click Edit.
    - Click to expand the Advanced Options. From there you can exclude AWS Regions, Resource Types, and Resources from the scan.
Cause
This can be caused by:
- The daily Cloud Security scan evaluating every in-scope resource in one pass, so all Policy Failures for that day are sent at once.
- A misconfigured Policy or Rule whose Python logic matches far more resources or events than intended (for example, a policy that fails every scanned resource, or a rule that returns True for almost every event).
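The following is an added example, not code from Panther or from this article, showing what the second cause looks like in practice: a Panther-style rule and policy whose Python logic is too broad, beside corrected versions, run over a handful of constructed sample events and resources. It assumes only the Panther detection conventions that rule(event) returns True to alert and policy(resource) returns True when the resource is compliant; the sample events, resource dicts and the helper counters are constructed for this illustration.

```python
"""
Added example (not Panther's own code): a noisy rule and policy beside their
corrected versions, evaluated over constructed sample data.

Panther calls rule(event) once per log event (True = alert) and
policy(resource) once per scanned cloud resource (False = Policy Failure).
Plain dicts stand in for Panther's event and resource objects here; only
.get() is used, which the real objects also support.
"""

# Constructed sample CloudTrail-shaped events (not real log data).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com"},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com"},
]

# Constructed sample resources as a daily scan might present them.
SAMPLE_RESOURCES = [
    {"ResourceId": "vol-1", "Encrypted": True},
    {"ResourceId": "vol-2", "Encrypted": False},
    {"ResourceId": "vol-3", "Encrypted": True},
]


def noisy_rule(event):
    """Intended: alert on failed console logins.

    Bug: there is no eventName guard, so every event that simply lacks a
    ConsoleLogin result (nearly all of them) is treated as a failed login.
    """
    result = (event.get("responseElements") or {}).get("ConsoleLogin")
    return result != "Success"


def fixed_rule(event):
    """Check the event type first, then the login result."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    result = (event.get("responseElements") or {}).get("ConsoleLogin")
    return result == "Failure"


def noisy_policy(resource):
    """Intended: pass only encrypted volumes.

    Bug: the attribute name is misspelled, so .get() returns None for every
    resource, bool(None) is False, and the whole fleet fails at the next
    daily scan in a single burst of Policy Failure alerts.
    """
    return bool(resource.get("encrypted"))  # actual key is "Encrypted"


def fixed_policy(resource):
    """Use the attribute name the scan actually populates."""
    return resource.get("Encrypted") is True


def count_rule_matches(rule_fn, events):
    """Number of events that would each produce a Rule Match alert."""
    return sum(1 for e in events if rule_fn(e))


def count_policy_failures(policy_fn, resources):
    """Number of resources that would each produce a Policy Failure alert."""
    return sum(1 for r in resources if not policy_fn(r))


if __name__ == "__main__":
    n_ev, n_res = len(SAMPLE_EVENTS), len(SAMPLE_RESOURCES)
    print("noisy rule :", count_rule_matches(noisy_rule, SAMPLE_EVENTS), "of", n_ev)
    print("fixed rule :", count_rule_matches(fixed_rule, SAMPLE_EVENTS), "of", n_ev)
    print("noisy policy:", count_policy_failures(noisy_policy, SAMPLE_RESOURCES), "of", n_res)
    print("fixed policy:", count_policy_failures(fixed_policy, SAMPLE_RESOURCES), "of", n_res)
```

Running the noisy versions against your own sample data before deploying is the quickest way to spot this class of bug: a rule or policy that matches almost every input is the signature of the alert storm described above, and the fix is usually a missing type guard or a wrong attribute name rather than anything in the alert delivery itself.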