Why did a large number of alerts trigger at the same time from Panther?
Issue
You unexpectedly received a large number of alerts at the same time.
Resolution
To troubleshoot the cause of this issue:
- Verify whether these alerts came from the daily Cloud Security scan or from Python detections matching events.
- To prevent excessive alerts caused by misconfigured regions and resources:
  - In your Panther Console, go to Integrations > Cloud Accounts.
  - Click ... on the right side of a cloud account in the list, then click Edit.
  - Click to expand the Advanced Options. Here you can exclude AWS Regions, Resource Types, and Resources from the scan.
- To identify which detections generated the alerts:
  - Investigate a few of the triggered alerts to determine whether their type is Policy Failure or Rule Match.
  - If the alert type is Rule Match, investigate the detection(s) that caused the alert to trigger.
  - If the alert type is Policy Failure, investigate the policy that is causing the alert to trigger.
Cause
This can be caused by:
- The daily Cloud Security scan running and sending the alerts all at once.
- Misconfigurations in Policy Detection or Rule Detection Python logic.
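The following is an added example, not code from this article or from Panther, illustrating the second cause: a rule and a policy each written in a buggy form that matches far too broadly, beside the corrected form, run over a small batch of constructed CloudTrail-style events and S3 bucket resources. It assumes Panther's detection conventions (`rule(event)` returns True to alert, `policy(resource)` returns True when the resource is compliant) and uses plain dicts in place of Panther's event object; the function names `rule_buggy`, `rule_fixed`, `policy_buggy` and `policy_fixed` are chosen here so both versions can sit side by side, whereas a real Panther detection file defines a single `rule` or `policy`.

```python
# Added example (not Panther's own code): side-by-side buggy and corrected
# detections, counted over constructed sample input.

# --- Constructed sample input (not real telemetry) -------------------------
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "DescribeInstances", "responseElements": None},
]

SAMPLE_BUCKETS = [
    {"Name": "logs-bucket", "Versioning": "Enabled"},
    {"Name": "scratch-bucket", "Versioning": None},
    {"Name": "backup-bucket", "Versioning": "Enabled"},
]


# --- Rule detections (Panther convention: rule(event) -> True means alert) --
def rule_buggy(event):
    # Bug: only the event name is checked, so every console login,
    # successful or not, produces an alert.
    return event.get("eventName") == "ConsoleLogin"


def rule_fixed(event):
    # Intended logic: alert only on failed console logins.
    if event.get("eventName") != "ConsoleLogin":
        return False
    response = event.get("responseElements") or {}
    return response.get("ConsoleLogin") == "Failure"


# --- Policy detections (Panther convention: policy(resource) -> True means
# compliant; False produces a Policy Failure alert) -------------------------
def policy_buggy(resource):
    # Bug: the comparison is inverted, so every correctly configured bucket
    # is reported as failing and the one misconfigured bucket passes.
    return resource.get("Versioning") != "Enabled"


def policy_fixed(resource):
    # Intended logic: a bucket is compliant only if versioning is enabled.
    return resource.get("Versioning") == "Enabled"


# --- Helpers to measure how noisy each detection is -------------------------
def count_rule_matches(rule_fn, events):
    """Number of events that would generate a Rule Match alert."""
    return sum(1 for event in events if rule_fn(event))


def count_policy_failures(policy_fn, resources):
    """Number of resources that would generate a Policy Failure alert."""
    return sum(1 for resource in resources if not policy_fn(resource))


if __name__ == "__main__":
    print("rule_buggy matches:", count_rule_matches(rule_buggy, SAMPLE_EVENTS))
    print("rule_fixed matches:", count_rule_matches(rule_fixed, SAMPLE_EVENTS))
    print("policy_buggy failures:", count_policy_failures(policy_buggy, SAMPLE_BUCKETS))
    print("policy_fixed failures:", count_policy_failures(policy_fixed, SAMPLE_BUCKETS))
```

Running a detection over a small constructed batch like this before deploying it is the quickest way to catch the two mistakes shown: a rule missing a narrowing condition, and a policy whose boolean return is inverted. Both faults alert on the common case rather than the exceptional one, which is exactly what produces a flood of alerts when the daily scan or a busy log source runs through them.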