We received the following rule error for one of our stateful detections and would like to understand what triggered it.
ClientError('An error occurred (ThrottlingException) when calling the UpdateItem operation (reached max retries: 9):
Throughput exceeds the current capacity of your table or index.
DynamoDB is automatically scaling your table or index so please try again shortly.
If exceptions persist, check if you have a hot key:
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/bp-partition-key-design.html')
If you only see this error message one time, no action is needed as this is likely due to a hot key.
If you see this message more than once, follow these steps:
Ensure that keys are sufficiently unique and that no single key is accessed too often (read or write).
Reach out to Panther Support to review your detection logic.
This issue occurs when high-traffic log types are routed through caching detections, or when particular keys receive so much traffic that they overwhelm the IOPS provided for a single DynamoDB partition. DynamoDB can dynamically scale up to split heavier traffic across partitions, but if a single key is causing the traffic, DynamoDB cannot split the load, because a key is a single unit that cannot be split.
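An added example, not Panther's own code: one way to check key uniqueness for a caching detection is to replay a sample of events through its key-building logic and measure the peak writes per key per second. The event fields, both key functions, the `rule.Example` prefix and the threshold are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample: 100 events per second for 2 seconds, spread over 20 users.
SAMPLE_EVENTS = [
    {"ts": 1700000000 + sec, "eventName": "AssumeRole", "user": f"user-{i % 20}"}
    for sec in range(2)
    for i in range(100)
]


def weak_key(event):
    """Hypothetical key: every event of this type updates the same item."""
    return f"rule.Example:{event['eventName']}"


def scoped_key(event):
    """Hypothetical key: one item per actor, so writes spread across keys."""
    return f"rule.Example:{event['eventName']}:{event['user']}"


def peak_writes_per_second(events, key_fn):
    """Return {key: highest number of writes seen in any single second}."""
    per_second = Counter((key_fn(e), e["ts"]) for e in events)
    peaks = {}
    for (key, _ts), count in per_second.items():
        peaks[key] = max(peaks.get(key, 0), count)
    return peaks


def hot_keys(events, key_fn, limit):
    """Keys whose peak write rate exceeds `limit` (an assumed review threshold)."""
    peaks = peak_writes_per_second(events, key_fn)
    return sorted(k for k, peak in peaks.items() if peak > limit)


if __name__ == "__main__":
    LIMIT = 50  # assumed threshold for this example, not a DynamoDB or Panther figure
    for fn in (weak_key, scoped_key):
        peaks = peak_writes_per_second(SAMPLE_EVENTS, fn)
        print(fn.__name__, "keys:", len(peaks), "max peak:", max(peaks.values()),
              "hot:", hot_keys(SAMPLE_EVENTS, fn, LIMIT))
```

With the same traffic, the weak key concentrates every write on one item, while the scoped key spreads it over 20 items that DynamoDB can place on different partitions.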