How to calculate the number of deduplicated alerts that were not sent to a destination in Panther

Last updated: November 14, 2025

QUESTION

How can I calculate the number of deduplicated alerts that were not promoted to be delivered to a destination within a specific date range?

ANSWER

To calculate the number of deduplicated alerts that were not sent to your destination, you'll need to compare the total number of alerts generated against those actually delivered. Here's how to do this:

Step 1: Count total alerts

  1. In the Panther console, navigate to Investigate > Data Explorer

  2. Run a query to count all rule matches with unique alert IDs for your specified date range. This will give you the total number of alerts. For example:

SELECT count(distinct p_alert_id)
FROM panther_views.public.all_rule_matches
WHERE p_occurs_between('2025-07-01', '2025-09-30')  -- replace with your date range

Step 2: Count alerts sent to the destination

  • Use the Panther API to filter alerts by destination ID to determine how many were actually sent to your configured destination.

Step 3: Calculate deduplicated alerts

  • Subtract the number of alerts sent to the destination (Step 2) from the total number of alerts (Step 1). This difference represents the alerts that were deduplicated and not delivered.