Triaging Alerts

Knowledge Base Panther.com Release Notes Demo Request
Search…
Triaging Alerts
How to interpret and triage alerts within the Panther Console
Viewing alerts in the Panther Console
When in the Panther Console, you can view all alerts in the Alerts & Errors section located in the left column of the Console. When in the section, you'll see three tabs that represent different alert categories:
Alerts: Rule matches, policy matches, and scheduled rule matches alert types that represent events that were matched with enabled detections. 
Detection errors: Rule error and scheduled rule error alert types represent detection errors generated due to either incorrect code or permissions issues, a rule returns an error, and does not complete its run successfully.
System errors: A variety of system health errors generated by various failures in Panther's processing pipeline. This includes log source inactivity, log classification failures, log source permission failures, alert delivery failures, and cloud account scanning failures.
The Alerts page will default to listing alerts by latest to oldest. You can use the filter to narrow the listing view on a specific set of alerts.
Triaging alerts in the Panther Console
There are several options for triaging alerts in Panther:
Open: This is the default state of new alerts with a Severity level of Low, Medium, High, or Critical.
Invalid: Use this to triage noisy alerts that might have been generated in error.
Resolved: Use this to triage alerts that are valid but resolved. This is the default state of alerts with a Severity level of Info.
Triaged: Use this to triage alerts that are valid but still in process of being resolved due to further investigation.
Once an alert is triaged, it'll disappear from the default view of the alert listing page. If you're looking to find the previously resolved alert, be sure to edit the filter to include resolved alerts.
If performing bulk triaging on groups of alerts, you can use the bulk select option (pictured below).
The Alerts page is displayed, and alerts are listed at the bottom. The box next to "Select all Alerts" is checked, and the alerts in the list are selected. 
By default, the bulk selector will select everything on the current page. If you'd like to select everything within the filtered results (beyond the first page), you can select Select all Alerts that match this search. This will select everything within the filtered results.
The "Select all Alerts that match this search" option is available in versions 1.26 and above. Once a mass action is performed using this option, note that there may be a slight delay in the mass action being completed depending on the number of alerts being triaged. Be sure to refresh the page to see the final results of the mass action.
Alert Severities
We recommend following these guidelines to define alert severity levels:
Severity
Exploitability
Description
Examples
Info
None
No risk, simply informational
Gaining operational awareness.
Low
Difficult
Little to no risk if exploited
Non-sensitive information leaking such as system time and OS versions.
Medium
Difficult
Moderate risk if exploited
Expired credentials, missing protection against accidental data loss, encryption settings, best practice settings for audit tools.
High
Moderate
Very damaging if exploited
Large gaps in visibility, directly vulnerable infrastructure, misconfigurations directly related to data exposure.
Critical
Easy
Causes extreme damage if exploited
Public data/systems available, leaked access keys.
​
Panther Developer Workflows: Detections
Alert Runbooks
Last modified 11d ago
Copy link
Outline
Viewing alerts in the Panther Console
Triaging alerts in the Panther Console
Alert Severities