The Dashboard Overview page in the Panther Console isn't populating and instead displays the following message:
"We've noticed an unusually high number of alerts for the time frame you've selected"
To resolve this issue:
Set a smaller time frame for the Dashboard. To do this, click the date picker in the upper right corner on that page.
You can also retrieve the same alert data with either of these alternative methods:
SQL query in Data Explorer
Use the following query to find the number of Alerts by Log Source, Log Type, and Severity:
SELECT p_source_label, p_log_type, p_alert_severity, COUNT(DISTINCT(p_alert_id)) AS number_of_alerts
FROM panther_views.public.all_rule_matches
WHERE p_occurs_since('1 week')
GROUP BY p_source_label, p_log_type, p_alert_severity
ORDER BY number_of_alerts DESC
LIMIT 100
API Calls to get your OPEN Alerts
1. Obtain your unique User ID. Run the query below and note the id of the row whose email matches yours:
query all_users {
  users {
    id
    givenName
    familyName
    email
  }
}
2. Pull your open alerts. Replace "Your ID" with the id from step 1 and adjust the createdAtAfter/createdAtBefore window as needed (both statuses and assigneeIds are lists, so the single values are written in brackets):
query FirstPageOfMyAlerts {
  alerts(input: {
    createdAtAfter: "2023-02-21T00:00:00.000Z",
    createdAtBefore: "2023-02-28T00:00:00.000Z",
    statuses: [OPEN],
    assigneeIds: ["Your ID"]
  }) {
    edges {
      node { # you can ask for more alert-related fields here
        id
        title
        severity
        status
      }
    }
    pageInfo {
      hasNextPage # true means more alerts exist; pass endCursor back in as the cursor for the next page
      endCursor
    }
  }
}
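The two API steps above only fetch the first page of alerts, and during an alert storm (the very situation that breaks the dashboard) there will be many pages. The script below is an added example, not code from the Panther article or from Panther itself: it resolves your e-mail to a user ID, then follows endCursor until hasNextPage is false. The endpoint URL, the X-API-Key header, and the cursor field on AlertsInput are assumptions taken from Panther's public API conventions; check them against your own deployment. The sample users and alert pages are constructed so the example runs offline.

```python
"""Collect all OPEN alerts assigned to one user from Panther's GraphQL API, page by page."""
import json
import urllib.request
from typing import Callable, Dict, List

# Assumptions (not stated on the page): endpoint path and auth header follow Panther's
# public API docs. The host below is hypothetical; replace both values for real use.
API_URL = "https://api.example.panther.io/public/graphql"
API_TOKEN = "replace-with-your-api-token"

USERS_QUERY = """
query all_users {
  users { id givenName familyName email }
}
"""

# Same query as step 2, but the filter is passed as a variable so the cursor can change per page.
ALERTS_QUERY = """
query MyOpenAlerts($input: AlertsInput!) {
  alerts(input: $input) {
    edges { node { id title severity status } }
    pageInfo { hasNextPage endCursor }
  }
}
"""

# A transport takes (query, variables) and returns the GraphQL "data" object.
Transport = Callable[[str, dict], dict]


def http_transport(query: str, variables: dict) -> dict:
    """Real transport: POST the query to Panther and return the 'data' object."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(
        API_URL, data=body, method="POST",
        headers={"Content-Type": "application/json", "X-API-Key": API_TOKEN},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    if payload.get("errors"):  # GraphQL reports failures in-band with HTTP 200
        raise RuntimeError(payload["errors"])
    return payload["data"]


def find_user_id(transport: Transport, email: str) -> str:
    """Step 1: resolve an e-mail address to the user id the assigneeIds filter needs."""
    users = transport(USERS_QUERY, {})["users"]
    matches = [u["id"] for u in users if u["email"].lower() == email.lower()]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one user for {email}, found {len(matches)}")
    return matches[0]


def open_alerts(transport: Transport, assignee_id: str, after: str, before: str) -> List[dict]:
    """Step 2: walk every page of OPEN alerts for the assignee in the time window."""
    alerts: List[dict] = []
    cursor = None
    while True:
        inp: Dict[str, object] = {
            "createdAtAfter": after, "createdAtBefore": before,
            "statuses": ["OPEN"], "assigneeIds": [assignee_id],
        }
        if cursor:
            inp["cursor"] = cursor  # assumed AlertsInput field for pagination
        page = transport(ALERTS_QUERY, {"input": inp})["alerts"]
        alerts.extend(edge["node"] for edge in page["edges"])
        if not page["pageInfo"]["hasNextPage"]:
            return alerts
        cursor = page["pageInfo"]["endCursor"]


def fake_transport_factory(pages: List[dict], users: List[dict]) -> Transport:
    """Constructed stand-in for the API so the example runs offline; serves pages in order."""
    state = {"next_page": 0}

    def transport(query: str, variables: dict) -> dict:
        if query.lstrip().startswith("query all_users"):
            return {"users": users}
        page = pages[state["next_page"]]
        state["next_page"] += 1
        return {"alerts": page}

    return transport


# Constructed sample data: two users and two pages of alerts for the first user.
SAMPLE_USERS = [
    {"id": "u-1", "givenName": "Ada", "familyName": "Lovelace", "email": "ada@example.com"},
    {"id": "u-2", "givenName": "Bob", "familyName": "Builder", "email": "bob@example.com"},
]
SAMPLE_PAGES = [
    {"edges": [{"node": {"id": "a-1", "title": "Root login", "severity": "HIGH", "status": "OPEN"}},
               {"node": {"id": "a-2", "title": "Port scan", "severity": "LOW", "status": "OPEN"}}],
     "pageInfo": {"hasNextPage": True, "endCursor": "c-1"}},
    {"edges": [{"node": {"id": "a-3", "title": "MFA disabled", "severity": "CRITICAL", "status": "OPEN"}}],
     "pageInfo": {"hasNextPage": False, "endCursor": None}},
]


def demo() -> List[str]:
    """Run both steps against the constructed data and return the alert ids found."""
    t = fake_transport_factory(SAMPLE_PAGES, SAMPLE_USERS)
    uid = find_user_id(t, "ada@example.com")
    found = open_alerts(t, uid, "2023-02-21T00:00:00.000Z", "2023-02-28T00:00:00.000Z")
    return [a["id"] for a in found]


if __name__ == "__main__":
    print(demo())  # swap fake_transport_factory(...) for http_transport to query a real tenant
```

To run this against a live tenant, pass http_transport instead of the fake, and narrow the createdAtAfter/createdAtBefore window if a single page is still very large; the loop handles any number of pages, so a wide window costs time rather than correctness.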
For more information about Panther's API, see "How to use Panther's API" in our docs.
This message appears when many alerts fire within a short period, or when the time range selected in the date picker includes more alerts than the dashboard can render.