Why does my Panther alert_id include "... - suppressed"?
Last updated: June 24, 2025
QUESTION
When querying the correlation_signals table in Panther, I see an alert_id value with "-suppressed" appended (e.g. AWS.Console.Login-suppressed). What does it mean?
ANSWER
An alert_id ending in -suppressed indicates that the event is a Signal, not an Alert. This occurs when the rule has the CreateAlert setting turned off (or the Create Alert toggle is disabled in the Console), resulting in the rule generating signals instead of alerts.
If your rule is intended to generate alerts but you see the -suppressed suffix, the alert limiter has been triggered. This occurs when a detection generates 1,000 alerts within an hour. When this happens:
Panther automatically disables the CreateAlert setting to prevent further alert volume.
The detection continues to generate Signals, but no new alerts are created.
A System Error notification will be sent to inform you.
You can manually re-enable alert creation after reviewing and addressing the high alert volume.
Please refer to the documentation for more details on the alert limiter.
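To separate rules that only ever emit signals from rules that stopped alerting partway through a time window, the following added example (not Panther's own code) triages rows exported from a correlation_signals query. The field names rule_id and event_time, the sample rows, and the idea that alerting rows carry a non-suffixed alert_id are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

SUFFIX = "-suppressed"

# Constructed sample rows. Field names are assumptions for this example;
# map them to the columns your correlation_signals query returns.
ROWS = [
    {"rule_id": "AWS.Console.Login", "alert_id": "constructed-alert-0001", "event_time": "2025-06-01T09:00:00"},
    {"rule_id": "AWS.Console.Login", "alert_id": "constructed-alert-0002", "event_time": "2025-06-01T09:20:00"},
    {"rule_id": "AWS.Console.Login", "alert_id": "AWS.Console.Login-suppressed", "event_time": "2025-06-01T09:45:00"},
    {"rule_id": "AWS.Console.Login", "alert_id": "AWS.Console.Login-suppressed", "event_time": "2025-06-01T10:05:00"},
    {"rule_id": "Example.Signal.Only", "alert_id": "Example.Signal.Only-suppressed", "event_time": "2025-06-01T09:10:00"},
    {"rule_id": "Example.Re.Enabled", "alert_id": "Example.Re.Enabled-suppressed", "event_time": "2025-06-01T08:00:00"},
    {"rule_id": "Example.Re.Enabled", "alert_id": "constructed-alert-0003", "event_time": "2025-06-01T11:00:00"},
]

def triage(rows):
    """Return {rule_id: (status, suppressed_since)} for the rows given."""
    by_rule = defaultdict(list)
    for row in rows:
        when = datetime.fromisoformat(row["event_time"])
        by_rule[row["rule_id"]].append((when, row["alert_id"].endswith(SUFFIX)))
    report = {}
    for rule_id, events in by_rule.items():
        events.sort()  # oldest first
        flags = [suppressed for _, suppressed in events]
        since = None
        if all(flags):
            # Consistent with alert creation being off for the whole window.
            status = "signals_only"
        elif not any(flags):
            status = "alerting"
        elif flags[-1]:
            # Alerted earlier, only signals now: check for a System Error
            # notification from the alert limiter, or a manual toggle.
            status = "stopped_alerting"
            last_alert = max(i for i, s in enumerate(flags) if not s)
            since = events[last_alert + 1][0].isoformat()
        else:
            # Signals earlier, alerts now: alert creation was re-enabled.
            status = "re_enabled"
        report[rule_id] = (status, since)
    return report

if __name__ == "__main__":
    for rule, (status, since) in sorted(triage(ROWS).items()):
        print(f"{rule}: {status}" + (f" since {since}" if since else ""))
```

A stopped_alerting result does not by itself prove the limiter fired; the System Error notification described above is the confirming signal.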