Why did Panther send an error that an alert destination failed to deliver alerts in the past hour? Can I re-send those alerts that failed to deliver?

Last updated
Save as PDF

QUESTION

I received a system error that says my alert destination has failed to deliver alerts in the past 1 hour.

This error message looks similar to the one I see when a log source fails to receive logs, but I can configure log sources with different timeout periods for this alarm, and I can't do that for alert destinations. Why did I receive this error, and what can I do about it?

ANSWER

Alert delivery failure errors are designed to let you know when Panther tried to send an alert to a destination, but failed for some reason. This can be caused by credential expiration, an endpoint getting throttled, network segmentation, etc. We currently don't support adjusting the severity, timing, or deduplication for system errors.

If you want to control the flow of system errors separately from alert channels used for detections, one way to do this is to designate certain alert destinations to use system errors only.

To see the specific alerts that failed to deliver and triggered a given system error, click the alert title to open it, then go to its Non-Delivered Alerts tab.

Panther is currently not able to re-send those Non Delivered Alerts. In the mean time, users can still view the error and events of those alerts through the Query History.