Triaging Alerts
How to interpret and triage alerts within the Panther UI

Viewing alerts in the Panther UI

When in the Panther UI, you can view all alerts in the Alerts & Errors section located in the left column of the UI. When in the section, you'll see three tabs that represent different alert categories:
  • Alerts: Rule matches, policy matches, and scheduled rule matches alert types that represent events that were matched with enabled detections.
  • Detection errors: Rule error and scheduled rule error alert types represent detection errors generated due to either incorrect code or permissions issues, a rule returns an error, and does not complete its run successfully.
  • System errors: A variety of system health errors generated by various failures in Panther's processing pipeline. This includes log source inactivity, log classification failures, log source permission failures, alert delivery failures, and cloud account scanning failures.
The Alerts page will default to listing alerts by latest to oldest. You can use the filter to narrow the listing view on a specific set of alerts.

Triaging alerts in the Panther UI

There are several options for triaging alerts in Panther:
  • Open: this is the default state of an alert.
  • Invalid: use this to triage noisy alerts that might have been generated in error.
  • Resolved: use this to triage alerts that are valid but resolved.
  • Triaged: use this to triage alerts that are valid but still in process of being resolved due to further investigation.
Once an alert is triaged, it'll disappear from the default view of the alert listing page. If you're looking to find the previously resolved alert, be sure to edit the filter to include resolved alerts.
If performing bulk triaging on groups of alerts, you can use the bulk select option (pictured below).
By default, the bulk selector will select everything on the current page. If you'd like to select everything within the filtered results (beyond the first page), you can select Select all Alerts that match this search. This will select everything within the filtered results.
The "Select all Alerts that match this search" option is available in versions 1.26 and above. Once a mass action is performed using this option, note that there may be a slight delay in the mass action being completed depending on the number of alerts being triaged. Be sure to refresh the page to see the final results of the mass action.
Last modified 1mo ago