How can I find our peak number of triggered rule and policy alerts per second in Panther?
To determine your maximum number of rule-alerts-created-per-second, run a SQL query similar to the following in Panther’s Data Explorer:
WITH rule_matches AS (
SELECT
p_event_time as p_timeline,
p_alert_id as alert_id,
p_alert_creation_time,
p_log_type
FROM
panther_rule_matches.public.aws_cloudtrail
WHERE
p_occurs_between('2024-02-27 23:46:57Z','2024-03-28 23:46:57Z')
UNION ALL
SELECT
p_event_time as p_timeline,
p_alert_id as alert_id,
p_alert_creation_time,
p_log_type
FROM
panther_rule_matches.public.aws_vpcdns
WHERE
p_occurs_between('2024-02-27 23:46:57Z','2024-03-28 23:46:57Z')
)
select
p_alert_creation_time
, count(distinct alert_id) as distinct_alert_ids
, count(1) as rule_match_count
, count(distinct p_log_type) as distinct_log_types
from rule_matches
group by p_alert_creation_time
order by distinct_alert_ids desc
limit 99
Please make sure to replace the table value: panther_rule_matches.public.aws_cloudtrail
with the one containing the log type you're searching for. Also adjust the p_occurs_between
date ranges as needed.
If your instance contains panther_views.public.all_rule_matches
, there's no need to union the tables. You could instead adjust the query with p_log_type like 'AWS.%'
or something similar to search for alerts from all log types from AWS or any other source.
Please contact the Panther Support team to determine the maximum number of policy-alerts-created-per-second.