QUESTION

How can I find our peak number of triggered rule and policy alerts per second in Panther?

ANSWER

Rules

To determine your maximum number of rule-alerts-created-per-second, run a SQL query similar to the following in Panther's Data Explorer. The query has one SELECT per rule-match table (each log type has its own table), so add a UNION ALL branch for every log type you want included and adjust the time window passed to p_occurs_between. Because the results are ordered by distinct_alert_ids in descending order, the first row is the peak: the creation time at which the most distinct alerts were created.

-- One SELECT per rule-match table (one table per log type); add another
-- UNION ALL branch for each additional log type you want to include.
WITH rule_matches AS (
    SELECT
        p_event_time AS p_timeline,
        p_alert_id AS alert_id,
        p_alert_creation_time,
        p_log_type
    FROM panther_rule_matches.public.aws_cloudtrail
    WHERE p_occurs_between('2024-02-27 23:46:57Z', '2024-03-28 23:46:57Z')

    UNION ALL

    SELECT
        p_event_time AS p_timeline,
        p_alert_id AS alert_id,
        p_alert_creation_time,
        p_log_type
    FROM panther_rule_matches.public.aws_vpcdns
    WHERE p_occurs_between('2024-02-27 23:46:57Z', '2024-03-28 23:46:57Z')
)
-- Count how many distinct alerts share the same creation timestamp;
-- the first row returned is the peak.
SELECT
    p_alert_creation_time,
    COUNT(DISTINCT alert_id) AS distinct_alert_ids,
    COUNT(1) AS rule_match_count,
    COUNT(DISTINCT p_log_type) AS distinct_log_types
FROM rule_matches
GROUP BY p_alert_creation_time
ORDER BY distinct_alert_ids DESC
LIMIT 99
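The following Python is an added example and is not part of the Panther knowledge base answer above. It does two things: it generates the UNION ALL query from the answer for any list of rule-match tables (so you do not hand-edit one SELECT per log type), and it reproduces the aggregation on a constructed sample of rule-match rows to show what the query counts. The sample rows, the table names passed to the generator and the hypothetical function names are all assumptions; the constructed rows carry sub-second timestamps on purpose, because if p_alert_creation_time has sub-second precision in your data, grouping on the raw timestamp splits one second into several buckets and understates the per-second peak. In that case, group on DATE_TRUNC('second', p_alert_creation_time) instead (an assumption about your data, not a statement from the answer).

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample shaped like the columns the Panther query selects:
# (p_alert_creation_time, p_alert_id, p_log_type). Not real Panther data.
SAMPLE_RULE_MATCHES = [
    ("2024-03-01T12:00:00.120Z", "alert-1", "AWS.CloudTrail"),
    ("2024-03-01T12:00:00.480Z", "alert-2", "AWS.CloudTrail"),
    ("2024-03-01T12:00:00.900Z", "alert-3", "AWS.VPCDns"),
    ("2024-03-01T12:00:00.900Z", "alert-3", "AWS.VPCDns"),  # second match, same alert
    ("2024-03-01T12:00:01.050Z", "alert-4", "AWS.CloudTrail"),
    ("2024-03-01T12:00:05.000Z", "alert-5", "AWS.VPCDns"),
]


def build_rule_match_query(tables, start, end, limit=99):
    """Emit the answer's query with one SELECT branch per rule-match table.

    `tables` are fully qualified names such as
    'panther_rule_matches.public.aws_cloudtrail' (assumed naming);
    `start`/`end` are the p_occurs_between bounds as strings.
    """
    branches = [
        "    SELECT\n"
        "        p_event_time AS p_timeline,\n"
        "        p_alert_id AS alert_id,\n"
        "        p_alert_creation_time,\n"
        "        p_log_type\n"
        f"    FROM {table}\n"
        f"    WHERE p_occurs_between('{start}', '{end}')"
        for table in tables
    ]
    return (
        "WITH rule_matches AS (\n"
        + "\n\n    UNION ALL\n\n".join(branches)
        + "\n)\n"
        "SELECT\n"
        "    p_alert_creation_time,\n"
        "    COUNT(DISTINCT alert_id) AS distinct_alert_ids,\n"
        "    COUNT(1) AS rule_match_count,\n"
        "    COUNT(DISTINCT p_log_type) AS distinct_log_types\n"
        "FROM rule_matches\n"
        "GROUP BY p_alert_creation_time\n"
        "ORDER BY distinct_alert_ids DESC\n"
        f"LIMIT {limit}"
    )


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def alert_counts_by_bucket(rows, truncate_to_second=True):
    """Aggregate rows the way the query does: distinct alert ids, raw match
    count and distinct log types per creation-time bucket.

    With truncate_to_second=True the bucket is the whole second (the
    DATE_TRUNC('second', ...) variant); with False it is the exact
    timestamp, which is what GROUP BY p_alert_creation_time does.
    """
    buckets = defaultdict(lambda: {"alert_ids": set(), "matches": 0, "log_types": set()})
    for creation_time, alert_id, log_type in rows:
        ts = _parse_ts(creation_time)
        key = ts.replace(microsecond=0) if truncate_to_second else ts
        bucket = buckets[key]
        bucket["alert_ids"].add(alert_id)
        bucket["matches"] += 1
        bucket["log_types"].add(log_type)
    return {
        key: {
            "distinct_alert_ids": len(b["alert_ids"]),
            "rule_match_count": b["matches"],
            "distinct_log_types": len(b["log_types"]),
        }
        for key, b in buckets.items()
    }


def peak_alerts_per_bucket(rows, truncate_to_second=True):
    """Return (bucket, distinct_alert_ids) for the busiest bucket, i.e. the
    first row the ORDER BY ... DESC LIMIT 99 query would return."""
    counts = alert_counts_by_bucket(rows, truncate_to_second)
    bucket, stats = max(counts.items(), key=lambda kv: kv[1]["distinct_alert_ids"])
    return bucket, stats["distinct_alert_ids"]


if __name__ == "__main__":
    print(build_rule_match_query(
        ["panther_rule_matches.public.aws_cloudtrail",
         "panther_rule_matches.public.aws_vpcdns"],
        "2024-02-27 23:46:57Z", "2024-03-28 23:46:57Z"))
    print("peak per second:", peak_alerts_per_bucket(SAMPLE_RULE_MATCHES))
    print("peak per exact timestamp:", peak_alerts_per_bucket(SAMPLE_RULE_MATCHES, False))
```

On the constructed sample the per-second peak is 3 distinct alerts (at 12:00:00, from 4 rule matches across 2 log types), whereas grouping on the exact sub-second timestamp reports a peak of only 1, which is the understatement the lead-in describes.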

Policies

Please contact the Panther Support team to determine the maximum number of policy-alerts-created-per-second.