In the Policy "Resources" tab in the Panther Console, I see many failing resources. In the "Failures" tab I only see a few alerts. Shouldn't there be the same (or more) number of alerts as there are failing resources?
When alerting on policy failures, Panther deduplicates multiple failure events into a single alert keyed on the Policy ID. This is why many resources can fail a policy within a short period and still produce only one alert. Panther deliberately uses a 60-minute window to deduplicate Policy failure events into one alert, because receiving hundreds or thousands of alerts about resources failing the same policy is rarely helpful. For most scenarios one alert is enough to notify users of the issue, and the alert's context lists all of the other resources that failed that policy within the window.
However, you can customize this behavior by editing your detection code and adding a dedup auxiliary function. The dedup function returns a string that tells Panther how to group Policy failures into alerts: failures that produce the same dedup string within the window share one alert. If you do not want deduplication on the Policy ID, one alternative is a dedup function that returns the ARN of the specific resource failing the Policy, so each failing resource gets its own alert. Keep in mind that this trades a single alert for potentially one alert per failing resource. An example of this is as follows:
def dedup(resource):
    # Customize deduplication by changing the string returned here;
    # returning the resource ARN yields one alert per failing resource.
    return resource.get('ARN')
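The following is an added example, not code from the Panther documentation or product, that shows the effect of the dedup string end to end. It pairs a Panther-style policy function with the per-resource dedup function above and runs both against constructed sample resources through a small local grouping harness that mimics the 60-minute window described above. The policy ID, the EncryptionRules attribute, the bucket ARNs and the scan timestamps are all assumed for illustration; the harness is a stand-in for Panther's alert pipeline, not a reproduction of it.

```python
"""Added example: Panther-style policy plus custom dedup(), with a local
harness (not Panther) that groups failures into alerts per dedup string."""
from collections import defaultdict
from datetime import datetime, timedelta

POLICY_ID = "AWS.S3.Bucket.EncryptionEnabled"  # assumed policy ID for illustration
DEDUP_WINDOW = timedelta(minutes=60)            # window described in the text


def policy(resource):
    """Return True when the resource passes, False when it fails the policy."""
    return bool(resource.get("EncryptionRules"))


def dedup(resource):
    """Per-resource dedup key: the ARN, with a ResourceId fallback so a resource
    without an ARN attribute still gets a stable key (assumed attribute names)."""
    return resource.get("ARN") or resource.get("ResourceId") or "unknown-resource"


def default_dedup(resource):
    """Stand-in for Panther's default behaviour: every failure shares the Policy ID."""
    return POLICY_ID


def group_alerts(failures, dedup_func, window=DEDUP_WINDOW):
    """Group (timestamp, resource) failures into alerts keyed on dedup_func(resource).

    A failure joins the most recent alert with the same key when it occurs within
    `window` of that alert's first event; otherwise it opens a new alert.
    """
    alerts_by_key = defaultdict(list)
    for ts, resource in sorted(failures, key=lambda f: f[0]):
        key = dedup_func(resource)
        open_alerts = alerts_by_key[key]
        if open_alerts and ts - open_alerts[-1]["first_seen"] <= window:
            open_alerts[-1]["resources"].append(resource["ResourceId"])
        else:
            open_alerts.append({"dedup_key": key, "first_seen": ts,
                                "resources": [resource["ResourceId"]]})
    return [alert for alerts in alerts_by_key.values() for alert in alerts]


# Constructed sample inventory: one encrypted bucket and two unencrypted ones.
SAMPLE_RESOURCES = [
    {"ResourceId": "arn:aws:s3:::logs-bucket", "ARN": "arn:aws:s3:::logs-bucket",
     "EncryptionRules": [{"SSEAlgorithm": "AES256"}]},
    {"ResourceId": "arn:aws:s3:::data-bucket", "ARN": "arn:aws:s3:::data-bucket",
     "EncryptionRules": None},
    {"ResourceId": "arn:aws:s3:::backup-bucket", "ARN": "arn:aws:s3:::backup-bucket",
     "EncryptionRules": None},
]


def run_scan(resources, scan_start):
    """Evaluate the policy over each resource one minute apart; return failures."""
    failures = []
    for i, resource in enumerate(resources):
        if not policy(resource):
            failures.append((scan_start + timedelta(minutes=i), resource))
    return failures


def alert_counts(resources=SAMPLE_RESOURCES):
    """Two scans two hours apart: the second falls outside the dedup window."""
    failures = run_scan(resources, datetime(2024, 1, 1, 12, 0))
    failures += run_scan(resources, datetime(2024, 1, 1, 14, 0))
    return {
        "failure_events": len(failures),
        "alerts_policy_dedup": len(group_alerts(failures, default_dedup)),
        "alerts_resource_dedup": len(group_alerts(failures, dedup)),
    }


if __name__ == "__main__":
    print(alert_counts())
```

With the default Policy-ID key, the two scans produce two alerts (one per window) even though four failure events occurred; with the per-resource key every failing bucket in every window opens its own alert, so the count rises to four. Scale the constructed inventory up and the second number grows with it, which is the trade-off to weigh before switching dedup strategies.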