Scheduled query returns data but doesn't raise alerts in Panther

Last updated: November 20, 2025

QUESTION

I have a scheduled query that returns data, but when it's run it doesn't raise an alert. How can I resolve this?

ANSWER

If your scheduled query is returning data but not generating alerts, the most common cause is that your alert destination is not configured to receive scheduled rule matches. Here's how to resolve this:

1. Check your alert destination settings

  • Navigate to your alert destination configuration

  • Ensure that "Scheduled Rule Matches" is selected in addition to your desired severity levels

  • Note that receiving scheduled rule matches is a separate option from regular detection alerts


2. Verify your scheduled rule setup

  • Confirm that your scheduled query is properly associated with a scheduled rule

  • Check that the rule's severity level matches what your alert destinations are configured to receive

3. Verify query execution

You can confirm whether your scheduled queries are running successfully by checking the Investigate > Search History page in your Panther Console for any execution issues.

For more information on setting up scheduled rules, feel free to check Panther's scheduled rules documentation.