QUESTION

How do I modify the alert that fires when a log source hasn't received events for a few days, without needing to edit and validate all the details on that log source? I want to change how long Panther waits before it sends an alert that no events have been processed.

ANSWER

You can adjust the time interval for log source health notifications within the error message box:

  1. Go to the log source page for the unhealthy log source (Configure > Log Sources > your log source), then navigate to the Health tab.

  2. In the red box containing the error message ("Source has not received events for more than 1 day"), on the right-hand side click Manage Alarm.

  3. A dialog box will appear, where you can adjust how long Panther should wait before triggering this alert.