Why am I receiving a high severity alert in my Panther Console for a detection that has been configured with low severity?
To troubleshoot, perform the following steps:
1. Log in to your Panther Console and navigate to your Alerts.
2. Locate the alert that you want to investigate and check the Rule field that appears just under the name of the alert. This field identifies which rule triggered the alert.
3. Click the Rule field to open the rule configuration. The rule's configured severity is shown in the upper right of the screen.
4. If the severity of the rule does not match the severity of the alert you received, check whether there are detections with similar names that may have triggered the alert: navigate to Build > Detections and start typing the name of the detection.
For example, there are three different rules named "AWS GuardDuty <> Severity Finding" in Panther:
The most probable explanation for this behavior is that there are different detections configured in your Panther Console, each of them having a different severity, but with similar titles.
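The search in step 4 can also be done offline against a detections repository, which catches the same ambiguity before an alert is ever raised. The script below is an added example, not Panther's own code or tooling: it reads the flat `RuleID`, `DisplayName` and `Severity` keys from rule metadata files, strips severity words from each display name, and reports every group of rules whose names then collide along with the severity each one is configured with. The three GuardDuty rule blocks and the Okta rule are constructed sample input modelled on the article's example, and the parser handles only simple `Key: Value` lines (a real tool would use a YAML library).

```python
"""Find Panther detections whose display names differ only by a severity word.

Added example (not Panther's code). Metadata keys follow the flat YAML form of
Panther detection files; all rule content below is constructed sample input.
"""
import re
from collections import defaultdict

# Severity words that are dropped when comparing display names.
SEVERITY_WORDS = {"info", "low", "medium", "high", "critical"}

# Constructed sample rule files: three similarly named rules with different
# severities (the situation the article describes) plus one unrelated rule.
SAMPLE_RULE_FILES = [
    "AnalysisType: rule\nRuleID: AWS.GuardDuty.LowSeverityFinding\n"
    "DisplayName: AWS GuardDuty Low Severity Finding\nSeverity: Low\n",
    "AnalysisType: rule\nRuleID: AWS.GuardDuty.MediumSeverityFinding\n"
    "DisplayName: AWS GuardDuty Medium Severity Finding\nSeverity: Medium\n",
    "AnalysisType: rule\nRuleID: AWS.GuardDuty.HighSeverityFinding\n"
    "DisplayName: AWS GuardDuty High Severity Finding\nSeverity: High\n",
    "AnalysisType: rule\nRuleID: Example.Okta.BruteForce\n"
    "DisplayName: Okta Brute Force Logins\nSeverity: Medium\n",
]


def parse_flat_yaml(text):
    """Minimal parser for top-level 'Key: Value' lines (no nesting or lists).

    Sufficient for the three keys this script needs; a YAML library would be
    used for real rule files.
    """
    meta = {}
    for line in text.splitlines():
        match = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if match:
            meta[match.group(1)] = match.group(2).strip()
    return meta


def normalized_name(display_name):
    """Lowercase the name, drop severity words and collapse whitespace."""
    words = [w for w in re.split(r"\s+", display_name.lower())
             if w and w not in SEVERITY_WORDS]
    return " ".join(words)


def group_similar_rules(rule_files):
    """Return {normalized name: [(RuleID, Severity), ...]} for every name
    shared by more than one rule; rules with unique names are omitted."""
    groups = defaultdict(list)
    for text in rule_files:
        meta = parse_flat_yaml(text)
        if meta.get("AnalysisType") != "rule" or "RuleID" not in meta:
            continue  # skip policies, scheduled queries and malformed files
        key = normalized_name(meta.get("DisplayName", meta["RuleID"]))
        groups[key].append((meta["RuleID"], meta.get("Severity", "")))
    return {name: sorted(rules) for name, rules in groups.items()
            if len(rules) > 1}


def severities_for(rule_files, name):
    """Sorted set of distinct severities configured across rules that
    normalize to the given display name (empty if no such group)."""
    group = group_similar_rules(rule_files).get(normalized_name(name), [])
    return sorted({sev for _, sev in group})


if __name__ == "__main__":
    for name, rules in group_similar_rules(SAMPLE_RULE_FILES).items():
        print(f'Similar display name "{name}":')
        for rule_id, severity in rules:
            print(f"  {rule_id:<40} Severity: {severity}")
```

When the report lists one normalized name with several severities, an alert whose severity surprises you was most likely raised by a sibling rule in that group rather than by the rule you were looking at, and the RuleID column tells you which one to open in the Console.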