How to interpret and triage alerts within the Panther Console
In the Panther Console, all alerts are listed in the Alerts section, found in the left-hand column of the Console. Within that section you'll see three tabs, each representing a different alert category:
- Alerts: Rule match, policy match, and scheduled rule match alert types. These represent events that were matched by enabled detections.
- Detection errors: Rule error and scheduled rule error alert types. These are generated when a detection fails to complete its run successfully because the rule raised an error, typically due to incorrect code or a permissions issue.
- System errors: A variety of system health errors generated by failures in Panther's processing pipeline. This includes log source inactivity, log classification failures, log source permission failures, alert delivery failures, and cloud account scanning failures.
The Alerts page lists alerts from newest to oldest by default. You can use the filter to narrow the listing to a specific set of alerts.
There are several options for triaging alerts in Panther:
- Open: This is the default state of new alerts with a Severity level of Low, Medium, High, or Critical.
- Invalid: Use this to triage noisy alerts that might have been generated in error.
- Resolved: Use this to triage alerts that are valid but resolved. This is the default state of alerts with a Severity level of Info.
- Triaged: Use this to triage alerts that are valid but still in the process of being resolved pending further investigation.
Once an alert is triaged, it disappears from the default view of the alert listing page. If you need to find a previously resolved alert, edit the filter to include resolved alerts.
If performing bulk triaging on groups of alerts, you can use the bulk select option (pictured below).
By default, the bulk selector selects every alert on the current page. To select everything within the filtered results, including alerts beyond the first page, choose Select all Alerts that match this search.
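The following is an added example, not Panther's own code or API, that models the triage semantics described above in a small in-memory store: the default status assigned per severity (Info starts Resolved, everything else Open), the default listing view (newest first, with triaged alerts hidden unless the filter includes them), and the difference between the page-scoped bulk selector and "Select all Alerts that match this search". The names `Alert`, `list_alerts`, `bulk_triage` and `make_sample_alerts` are hypothetical, and the sample alerts are constructed.

```python
# Added example (not Panther's code or API): an in-memory model of the
# triage behaviour described on this page. Alert, list_alerts, bulk_triage
# and make_sample_alerts are hypothetical names; statuses and severities
# mirror the ones the page lists.
from dataclasses import dataclass
from datetime import datetime, timedelta

OPEN, INVALID, RESOLVED, TRIAGED = "OPEN", "INVALID", "RESOLVED", "TRIAGED"
# Triaged alerts (Invalid/Resolved/Triaged) drop out of the default view.
DEFAULT_VIEW_STATUSES = frozenset({OPEN})


def default_status(severity: str) -> str:
    """Info alerts start out Resolved; Low/Medium/High/Critical start out Open."""
    sev = severity.upper()
    if sev == "INFO":
        return RESOLVED
    if sev in {"LOW", "MEDIUM", "HIGH", "CRITICAL"}:
        return OPEN
    raise ValueError(f"unknown severity: {severity!r}")


@dataclass
class Alert:
    alert_id: str
    title: str
    severity: str
    created_at: datetime
    status: str = ""

    def __post_init__(self) -> None:
        # New alerts get the default status for their severity.
        if not self.status:
            self.status = default_status(self.severity)


def list_alerts(alerts, statuses=DEFAULT_VIEW_STATUSES, predicate=None,
                page=1, page_size=25):
    """Return (all matching alerts newest-first, the slice shown on `page`)."""
    matching = sorted(
        (a for a in alerts
         if a.status in statuses and (predicate is None or predicate(a))),
        key=lambda a: a.created_at,
        reverse=True,
    )
    start = (page - 1) * page_size
    return matching, matching[start:start + page_size]


def bulk_triage(alerts, new_status, scope="page", **view_kwargs):
    """scope='page' mirrors the default bulk selector (current page only);
    scope='all' mirrors 'Select all Alerts that match this search'."""
    if new_status not in {OPEN, INVALID, RESOLVED, TRIAGED}:
        raise ValueError(f"unknown status: {new_status!r}")
    matching, current_page = list_alerts(alerts, **view_kwargs)
    targets = matching if scope == "all" else current_page
    for a in targets:
        a.status = new_status
    return [a.alert_id for a in targets]


def make_sample_alerts():
    """Constructed sample data, not real Panther alerts."""
    base = datetime(2024, 1, 1, 12, 0)
    rows = [
        ("A1", "Informational login", "Info"),
        ("A2", "Suspicious API call", "High"),
        ("A3", "Unusual S3 access", "Medium"),
        ("A4", "New IAM user", "Low"),
        ("A5", "Root credential use", "Critical"),
        ("A6", "Repeated failed MFA", "High"),
    ]
    return [Alert(i, t, s, base + timedelta(hours=n))
            for n, (i, t, s) in enumerate(rows)]


if __name__ == "__main__":
    alerts = make_sample_alerts()
    print([a.alert_id for a in list_alerts(alerts)[0]])  # default view, newest first
    # Page-scoped bulk triage with page_size=1 only touches the newest High alert.
    print(bulk_triage(alerts, INVALID, scope="page",
                      predicate=lambda a: a.severity == "High", page_size=1))
    print([a.alert_id for a in list_alerts(alerts)[0]])  # A6 no longer shown
```

The page-scoped call with `page_size=1` is the case to notice: only the first page of the filtered results changes status, and the older High alert stays Open until a search-scoped (`scope="all"`) triage is run. Passing `statuses={OPEN, RESOLVED}` to `list_alerts` is the equivalent of editing the filter to include resolved alerts.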
We recommend following these guidelines to define alert severity levels:
Each generated alert in Panther is enriched with the following timestamps: