Are Panther alerts from unhealthy resources resolved when the resource becomes healthy?
No. Alerts are not resolved automatically when the underlying issue clears (for example, a log source that fails and becomes unhealthy, is then fixed and becomes healthy again, still has its alert open). As a best practice, investigate the alert even after its cause has been resolved.
Policy alerts are based on a policy-to-resource mapping, e.g., Resource XYZ is failing Policy ABC. This mapping is stateful: if Resource XYZ stops failing Policy ABC, its state automatically changes to PASSING. This does not resolve the corresponding alert. You can see the resource and policy state on either the Resource Details page or the Policy Details page; the view is bidirectional, so each page shows the status of the other side of the mapping.
Example: a resource could be modified to allow malicious activity, the malicious activity occurs, and the resource is then modified back to its base state. The policy mapping would show PASSING, but the alert generated while the resource was failing should still be investigated, because the current state alone does not tell you what happened in between.
If a resource is deleted it no longer appears in Panther, but the alerts associated with it remain.
Example: Resource XYZ fails a policy, generating an alert in Panther, but is deleted before the user has a chance to investigate. The resource no longer appears in Panther, but the alert it generated is still there.
Rules and Scheduled Rules create alerts from log events, not from resource state, so there is no pass/fail status for Panther to update afterward: each matching event produces its alert, nothing later becomes "healthy", and the alert stays open until you handle it.
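The following Python model illustrates the behaviour described in the preceding paragraphs. It is an example added to this FAQ, not Panther's own code: a policy is evaluated against successive snapshots of a resource (base state, modified, reverted, deleted) while a separate alert list is kept, and a rule is evaluated against log events. The policy id, rule id, bucket ARN, resource shape and CloudTrail-like events are constructed for the illustration; only the `policy(resource)` / `rule(event)` return-a-boolean convention follows Panther's detection format.

```python
# Added example for this FAQ: a small model of how policy pass/fail state
# is tracked separately from the alerts it generates. NOT Panther's
# implementation; policy/rule bodies, ids, resources and events are constructed.
from dataclasses import dataclass, field
from typing import Dict, List


def policy(resource: dict) -> bool:
    """Panther-style policy: return True when the resource PASSES.
    Constructed check: an S3 bucket must block public ACLs and policies."""
    cfg = resource.get("PublicAccessBlockConfiguration") or {}
    return bool(cfg.get("BlockPublicAcls")) and bool(cfg.get("BlockPublicPolicy"))


def rule(event: dict) -> bool:
    """Panther-style rule: return True when a log event should alert.
    Constructed check: someone turned off the public ACL block."""
    return (
        event.get("eventName") == "PutBucketPublicAccessBlock"
        and not event.get("requestParameters", {}).get("BlockPublicAcls", True)
    )


@dataclass
class Alert:
    detection_id: str
    subject: str          # resource id for policies, event id for rules
    created_at: int       # scan or event index in this model
    status: str = "OPEN"  # nothing in this model ever resolves an alert


@dataclass
class PolicyTracker:
    policy_id: str
    state: Dict[str, str] = field(default_factory=dict)  # resource -> PASSING/FAILING
    alerts: List[Alert] = field(default_factory=list)

    def scan(self, n: int, resources: Dict[str, dict]) -> None:
        for rid, res in resources.items():
            new = "PASSING" if policy(res) else "FAILING"
            # Alert only on the transition into FAILING; the state flips back by itself.
            if new == "FAILING" and self.state.get(rid) != "FAILING":
                self.alerts.append(Alert(self.policy_id, rid, n))
            self.state[rid] = new
        # A deleted resource drops out of the mapping, but its alerts stay.
        for rid in [r for r in self.state if r not in resources]:
            del self.state[rid]


def run_rule(rule_id: str, events: List[dict]) -> List[Alert]:
    """Rules are stateless: one alert per matching event, no state to flip back."""
    return [Alert(rule_id, e["eventID"], i) for i, e in enumerate(events) if rule(e)]


BLOCKED = {"BlockPublicAcls": True, "BlockPublicPolicy": True}
PUBLIC = {"BlockPublicAcls": False, "BlockPublicPolicy": False}


def run_scenario() -> dict:
    """Base state -> modified to allow public access -> reverted -> deleted."""
    tracker = PolicyTracker("AWS.S3.Bucket.PublicAccessBlock")  # constructed policy id
    bucket = "arn:aws:s3:::example-bucket"                      # constructed resource id
    snapshots = [
        {bucket: {"PublicAccessBlockConfiguration": BLOCKED}},
        {bucket: {"PublicAccessBlockConfiguration": PUBLIC}},
        {bucket: {"PublicAccessBlockConfiguration": BLOCKED}},
        {},  # bucket deleted before anyone investigated
    ]
    history = []
    for n, snap in enumerate(snapshots):
        tracker.scan(n, snap)
        history.append((tracker.state.get(bucket, "NOT PRESENT"), len(tracker.alerts)))
    events = [  # constructed CloudTrail-like events
        {"eventID": "e1", "eventName": "PutBucketPublicAccessBlock",
         "requestParameters": {"BlockPublicAcls": False}},
        {"eventID": "e2", "eventName": "GetObject"},
    ]
    rule_alerts = run_rule("AWS.CloudTrail.S3PublicAccessDisabled", events)  # constructed rule id
    return {
        "policy_history": history,                       # (state, alert count) per scan
        "open_alerts": [a.status for a in tracker.alerts],
        "rule_alerts": [a.subject for a in rule_alerts],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running the scenario shows the mapping going PASSING, FAILING, PASSING and then disappearing when the bucket is deleted, while the alert count stays at one and that alert stays OPEN throughout; the rule produces one alert for the single matching event and has no state at all.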
System Health Alerts are created when something in Panther fails, such as a log source. When the failure stops, the state of the log source changes from unhealthy back to healthy. This does not automatically resolve the corresponding System Health Alert.
Example: a log source may have been unhealthy, recovered on its own, and is now healthy. There may still be a gap in the logs for the period during which the source was failing. The cause of the alert should be investigated, as someone may need to intervene manually to backfill the logs.