Panther AI Auto-Triage and Auto-Resolve Not Triggering on all of my alerts in Panther
Last updated: May 28, 2026
Issue
When trying to use Panther AI's auto-triage and auto-resolve functionalities with a tag-based configuration, the features work inconsistently — triggering correctly for some alerts but not others, even when the alerts appear to have the correct tag applied and fall within the configured risk score thresholds.
Resolution
One potential path to examine is whether the casing of the tags is identical in all the involved areas. To check this:
Navigate to Settings → Panther AI → Alert Triage tab and note the exact tag values entered in the Auto-resolve Based on Risk Score and Auto-run AI Triage on Alerts sections.
Compare these tag values against the tags defined on the detection rules that are triggering the affected alerts. Ensure that the tag casing matches exactly. For example, if the Detection Tag in the Alert Triage tab is configured as securitytag (all lowercase), it will not match a rule tagged SecurityTag (mixed case).
Update either the tag value in the Panther AI configuration or the tags on the detection rules so that they match exactly, including capitalization.
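When many rules are involved, the comparison in the steps above can be scripted. The following is an added example, not Panther code: it assumes you have copied the configured tag values and each rule's tags into the two structures shown, and the rule IDs and tag lists are constructed sample data.

```python
# Added example: flag detection rules whose tags differ from a configured
# Panther AI tag only by letter case. All rule IDs and tags are constructed.

# Tag values as entered in Settings -> Panther AI -> Alert Triage (assumed).
CONFIGURED_TAGS = ["securitytag"]

# Hypothetical inventory of rule ID -> tags defined on that detection rule.
RULE_TAGS = {
    "Example.Rule.A": ["securitytag", "AWS"],          # exact match
    "Example.Rule.B": ["SecurityTag"],                 # differs by case only
    "Example.Rule.C": ["SECURITYTAG", "securitytag"],  # has an exact match too
    "Example.Rule.D": ["Okta"],                        # unrelated tag
}


def audit_tag_casing(configured_tags, rule_tags):
    """Return (rule_id, rule_tag, configured_tag) for every rule that carries
    a tag equal to a configured tag when case is ignored, but has no
    exact-case match for that configured tag."""
    findings = []
    for rule_id, tags in sorted(rule_tags.items()):
        for wanted in configured_tags:
            if wanted in tags:
                continue  # case-sensitive comparison succeeds for this rule
            for tag in tags:
                if tag.casefold() == wanted.casefold():
                    findings.append((rule_id, tag, wanted))
    return findings


if __name__ == "__main__":
    for rule_id, tag, wanted in audit_tag_casing(CONFIGURED_TAGS, RULE_TAGS):
        print(f"{rule_id}: tag {tag!r} will not match configured {wanted!r}")
```

Each finding is a rule to retag, or a configured value to change, so the two strings are identical.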
Cause
This issue can occur when there is a case mismatch between the tag values configured in the Panther AI auto-triage/auto-resolve configurations and the tags applied to the detection rules. Panther AI tag matching is case-sensitive, so a filter set to securitytag will not match a rule tagged SecurityTag, causing the auto-triage and auto-resolve functionality to skip those alerts.