Why do some system alerts only trigger once in Panther?

Last updated: December 11, 2025

QUESTION

Why am I only receiving a system alert once, even though I am seeing several failures in a short period of time?

ANSWER

The following system errors are deduplicated by default when they reference the same issue, so only a single alert is generated, which reduces noise:

  • LOOKUP_TABLE_UPDATE

  • SCHEDULED_QUERY_BEHIND

  • SCHEDULED_QUERY_TIMEOUT

  • SCHEDULED_QUERY_ERROR_NO_RULE

Since system errors are Critical and require immediate attention, deduplication prevents alert fatigue by avoiding repeated notifications for the same problem.

For example, if a saved query fails repeatedly within a short period, you will see multiple failures in the Panther Console but only one or a few alerts for that query.

This deduplication ensures that critical alerts are clear and actionable.