Issue

The Dashboard Overview page in the Panther Console isn't populating, and displays the following message:

"We've noticed an unusually high number of alerts for the time frame you've selected"

Resolution

To resolve this issue:


You can also retrieve alert data with these alternative methods:

SQL query in Data Explorer

Use the following query to find the number of Alerts by Log Source, Log Type, and Severity:

SELECT p_source_label, p_log_type, p_alert_severity, COUNT(DISTINCT(p_alert_id)) AS number_of_alerts
FROM panther_views.public.all_rule_matches
WHERE p_occurs_since('1 week')
GROUP BY p_source_label, p_log_type, p_alert_severity
ORDER BY number_of_alerts DESC
LIMIT 100

API Calls to get your OPEN Alerts

1. Obtain your unique User ID:

query all_users {
  users {
    id,
    givenName,
    familyName,
    email
  }
}

2. Pull your open alerts:

query FirstPageOfMyAlerts {
  alerts(input: {
    createdAtAfter: "2023-02-21T00:00:00.000Z",
    createdAtBefore: "2023-02-28T00:00:00.000Z",
    statuses: OPEN,
    assigneeIds: "Your ID"
  }) {
    edges {
      node { # you can ask for more alert-related fields here
        id
        title
        severity
        status
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
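The query above returns only the first page; the pageInfo block is what lets you keep going. The Python below is an added example, not Panther's own code, that scripts the alert pull and follows endCursor until hasNextPage is false. It assumes the public GraphQL endpoint lives at /public/graphql, that the API key is sent in an X-API-Key header, and that AlertsInput accepts a cursor field for the previous page's endCursor; a constructed two-page response lets the paging logic run offline.

```python
import json
import urllib.request

API_URL = "https://YOUR-PANTHER-DOMAIN/public/graphql"  # assumed endpoint; check your deployment's API docs
# Same selection as the article's FirstPageOfMyAlerts query, parameterised so the cursor can change per page.
ALERTS_QUERY = """query MyAlerts($input: AlertsInput!) {
  alerts(input: $input) {
    edges { node { id title severity status } }
    pageInfo { hasNextPage endCursor }
  }
}"""

def graphql_transport(api_key):
    """Return send(query, variables), which POSTs to the Panther API (assumed X-API-Key header auth)."""
    def send(query, variables):
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(API_URL, data=body, method="POST", headers={
            "Content-Type": "application/json", "X-API-Key": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send

def iter_open_alerts(send, assignee_id, created_after, created_before):
    """Yield every OPEN alert assigned to assignee_id in the window, following endCursor page by page."""
    cursor = None
    while True:
        alert_input = {"createdAtAfter": created_after, "createdAtBefore": created_before,
                       "statuses": ["OPEN"], "assigneeIds": [assignee_id]}
        if cursor:
            alert_input["cursor"] = cursor  # assumed: AlertsInput takes the previous page's endCursor here
        result = send(ALERTS_QUERY, {"input": alert_input})
        if result.get("errors"):
            raise RuntimeError(result["errors"])
        page = result["data"]["alerts"]
        yield from (edge["node"] for edge in page["edges"])
        if not page["pageInfo"]["hasNextPage"]:
            return
        cursor = page["pageInfo"]["endCursor"]

def make_fake_send(pages):  # constructed offline transport: hands back canned pages in order, ignores the query
    remaining = iter(pages)
    return lambda query, variables: next(remaining)

def _edge(alert_id, severity):  # one constructed sample edge; real ids and titles will differ
    return {"node": {"id": alert_id, "title": "sample", "severity": severity, "status": "OPEN"}}

FAKE_PAGES = [  # constructed two-page response with a cursor handoff between the pages
    {"data": {"alerts": {"edges": [_edge("a1", "HIGH"), _edge("a2", "LOW")], "pageInfo": {"hasNextPage": True, "endCursor": "cursor-1"}}}},
    {"data": {"alerts": {"edges": [_edge("a3", "HIGH")], "pageInfo": {"hasNextPage": False, "endCursor": None}}}},
]
```

Against a live deployment, swap make_fake_send(FAKE_PAGES) for graphql_transport(your_api_key) and pass the user id returned by the all_users query.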

For more information about Panther's API, check out "How to use Panther's API" in our docs.

Cause

This issue occurs when many alerts are triggered within a short time frame, or when the range chosen in the date picker is wide enough to include more alerts than the dashboard can display.