Docs HomePanther.comRelease NotesDemo Request
Search…
Overview
Quick Start
Data Onboarding
Writing Detections
Rules
Policies
Detection Auxiliary Functions
Testing
Alert Summaries
Detection Packs
Caching
Data Models
Global Helper Functions
Triaging Alerts
Report Mapping
Panther Analysis Tool
Runtime Environment
Cloud Security Scanning
Destinations
Data Analytics
Enrichment (BETA)
System Configuration
Alert Runbooks
Panther API (BETA)
Guides
Help
Powered By GitBook
Triaging Alerts
How to interpret and triage alerts within the Panther UI

Viewing alerts in the Panther UI

When in the Panther UI, you can view all alerts in the Alerts & Errors section located in the left column of the UI. When in the section, you'll see three tabs that represent different alert categories:
  • Alerts: Rule matches, policy matches, and scheduled rule matches alert types that represent events that were matched with enabled detections.
  • Detection errors: Rule error and scheduled rule error alert types represent detection errors generated due to either incorrect code or permissions issues, a rule returns an error, and does not complete its run successfully.
  • System errors: A variety of system health errors generated by various failures in Panther's processing pipeline. This includes log source inactivity, log classification failures, log source permission failures, alert delivery failures, and cloud account scanning failures.
The Alerts page will default to listing alerts by latest to oldest. You can use the filter to narrow the listing view on a specific set of alerts.

Triaging alerts in the Panther UI

There are several options for triaging alerts in Panther:
  • Open: This is the default state of new alerts with a Severity level of Low, Medium, High, or Critical.
  • Invalid: Use this to triage noisy alerts that might have been generated in error.
  • Resolved: Use this to triage alerts that are valid but resolved. This is the default state of alerts with a Severity level of Info.
  • Triaged: Use this to triage alerts that are valid but still in process of being resolved due to further investigation.
Once an alert is triaged, it'll disappear from the default view of the alert listing page. If you're looking to find the previously resolved alert, be sure to edit the filter to include resolved alerts.
If performing bulk triaging on groups of alerts, you can use the bulk select option (pictured below).
By default, the bulk selector will select everything on the current page. If you'd like to select everything within the filtered results (beyond the first page), you can select Select all Alerts that match this search. This will select everything within the filtered results.
The "Select all Alerts that match this search" option is available in versions 1.26 and above. Once a mass action is performed using this option, note that there may be a slight delay in the mass action being completed depending on the number of alerts being triaged. Be sure to refresh the page to see the final results of the mass action.
Previous
Global Helper Functions
Next
Report Mapping
Last modified 2mo ago
Copy link
Contents
Viewing alerts in the Panther UI
Triaging alerts in the Panther UI