Why do uncaught Python exceptions in Panther detections result in INFO severity alerts?
Last updated: March 16, 2026
QUESTION
Why do uncaught Python exceptions in Panther detections sometimes result in INFO severity alerts instead of higher severity levels?
ANSWER
Panther raises detection errors according to the default severity configured for the detection itself. When a Python exception occurs in a rule or policy, the resulting alert will use the same severity level as the detection's default severity setting.
For example, if your rule has a default severity of INFO, any uncaught exceptions from that rule will generate alerts at the INFO level.
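The kind of uncaught exception described above, as an added example that is not Panther's code or part of the original page: a `rule(event)` function that raises on an event with a missing or null field, next to a hardened version that treats such an event as a non-match. The field name `userAgent`, the blocklist, the helper `raises`, and the sample events are constructed for illustration, and the event is assumed to be dict-like with a `.get()` method.

```python
# Added illustration: names and sample data below are constructed.
BLOCKED_AGENTS = {"curl", "python-requests"}


def rule_fragile(event):
    # Raises AttributeError when "userAgent" is absent or null:
    # event.get() returns None, and None has no .lower().
    # Uncaught, this surfaces as a detection error at the rule's
    # default severity (INFO if that is how the rule is configured).
    return event.get("userAgent").lower() in BLOCKED_AGENTS


def rule(event):
    # Hardened form: check the type before using the value, so a
    # malformed event is a non-match instead of an exception.
    agent = event.get("userAgent")
    if not isinstance(agent, str):
        return False
    return agent.lower() in BLOCKED_AGENTS


def raises(func, event):
    """Return the name of the exception func raises on event, or None."""
    try:
        func(event)
    except Exception as exc:  # broad on purpose: we only report the type
        return type(exc).__name__
    return None


SAMPLE_EVENTS = [  # constructed
    {"userAgent": "Curl"},
    {"userAgent": None},
    {},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "| fragile raises:", raises(rule_fragile, ev),
              "| hardened result:", rule(ev))
```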