Triaging Alerts

How to interpret and triage alerts within the Panther Console

Viewing alerts in the Panther Console

When in the Panther Console, you can view all alerts in the Alerts section located in the left column of the Console. When in the section, you'll see three tabs that represent different alert categories:
  • Alerts: Rule match, policy match, and scheduled rule match alert types, representing events that matched enabled detections.
  • Detection errors: Rule error and scheduled rule error alert types, generated when a rule returns an error and does not complete its run successfully, whether because of incorrect code or permissions issues.
  • System errors: A variety of system health errors generated by various failures in Panther's processing pipeline. This includes log source inactivity, log classification failures, log source permission failures, alert delivery failures, and cloud account scanning failures.
The Alerts page will default to listing alerts by latest to oldest. You can use the filter to narrow the listing view on a specific set of alerts.

Triaging alerts in the Panther Console

There are several options for triaging alerts in Panther:
  • Open: This is the default state of new alerts with a Severity level of Low, Medium, High, or Critical.
  • Invalid: Use this to triage noisy alerts that might have been generated in error.
  • Resolved: Use this to triage alerts that are valid but resolved. This is the default state of alerts with a Severity level of Info.
  • Triaged: Use this to triage alerts that are valid but still in the process of being resolved pending further investigation.
Once an alert is triaged, it'll disappear from the default view of the alert listing page. If you're looking to find the previously resolved alert, be sure to edit the filter to include resolved alerts.
If performing bulk triaging on groups of alerts, you can use the bulk select option (pictured below).
By default, the bulk selector selects everything on the current page. To select everything within the filtered results (beyond the first page), choose Select all Alerts that match this search.
The "Select all Alerts that match this search" option is available in versions 1.26 and above. Once a mass action is performed using this option, note that there may be a slight delay in the mass action being completed depending on the number of alerts being triaged. Be sure to refresh the page to see the final results of the mass action.

Alert Severities

We recommend following these guidelines to define alert severity levels:
  • Info: No risk, simply informational. Example: gaining operational awareness.
  • Low: Little to no risk if exploited. Example: non-sensitive information leaking, such as system time and OS versions.
  • Medium: Moderate risk if exploited. Examples: expired credentials, missing protection against accidental data loss, encryption settings, best-practice settings for audit tools.
  • High: Very damaging if exploited. Examples: large gaps in visibility, directly vulnerable infrastructure, misconfigurations directly related to data exposure.
  • Critical: Causes extreme damage if exploited. Examples: public data/systems available, leaked access keys.

Alert timestamps

Each generated alert in Panther is enriched with the following timestamps:
  • The first time an event matched this rule
  • The time the event reported itself as happening
  • The time the event was processed by Panther
  • The last time an event matched this rule (in the case of deduplication)
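The triage defaults, the default listing view and the four alert timestamps above fit together as a small data model. The following is an added example written for this page, not Panther's own code: it folds constructed rule matches into deduplicated alerts, applies the default status (Info starts Resolved, everything else Open) and reproduces the latest-first Alerts view. The match record layout, the rule names and the assumption that every match falls within one deduplication period are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
SEVERITIES = ("INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL")

@dataclass
class Alert:
    rule_id: str
    dedup_key: str
    severity: str
    status: str               # OPEN, INVALID, RESOLVED or TRIAGED
    first_matched: datetime   # first time an event matched this rule
    event_time: datetime      # time the first event reported itself as happening
    processed_time: datetime  # time Panther processed the first event
    last_matched: datetime    # last time an event matched (deduplication)
    match_count: int = 1

def default_status(severity):
    """Info alerts start out Resolved; every other severity starts out Open."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {severity}")
    return "RESOLVED" if severity == "INFO" else "OPEN"

def build_alerts(matches):
    """One alert per (rule_id, dedup_key); processing time serves as the match time."""
    alerts = {}
    for m in sorted(matches, key=lambda m: m["processed_time"]):
        key = (m["rule_id"], m["dedup_key"])
        if key in alerts:  # deduplicated: only the last-match time and count move
            alerts[key].last_matched = m["processed_time"]
            alerts[key].match_count += 1
            continue
        t = m["processed_time"]
        alerts[key] = Alert(m["rule_id"], m["dedup_key"], m["severity"],
                            default_status(m["severity"]), t, m["event_time"], t, t)
    return list(alerts.values())

def listing(alerts, statuses=("OPEN",)):
    """Default Alerts view: Open alerts, latest first; add statuses to see triaged ones."""
    return sorted((a for a in alerts if a.status in statuses),
                  key=lambda a: a.first_matched, reverse=True)

# Constructed sample matches (not real Panther output): two deduplicated HIGH matches, one INFO.
def T(h, m): return datetime(2024, 5, 1, h, m, tzinfo=timezone.utc)
SAMPLE_MATCHES = [
    {"rule_id": "Hypothetical.Login", "dedup_key": "alice", "severity": "HIGH",
     "event_time": T(10, 0), "processed_time": T(10, 1)},
    {"rule_id": "Hypothetical.Login", "dedup_key": "alice", "severity": "HIGH",
     "event_time": T(10, 5), "processed_time": T(10, 6)},
    {"rule_id": "Hypothetical.Heartbeat", "dedup_key": "web1", "severity": "INFO",
     "event_time": T(9, 0), "processed_time": T(9, 2)},
]
```

Running `listing(build_alerts(SAMPLE_MATCHES))` shows only the HIGH alert with a match count of 2, while the INFO alert is already Resolved and only appears once the status filter is widened.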