Issue

I have recently received classification errors for a log source in Panther Console. However, no alerts were created for these.

Resolution

  1. In your Panther Console, navigate to Configure > Log Sources.

  2. Locate the affected log source and click on it.

  3. On the left side of the log source's details page, click on the Health tab.

  4. At the bottom of the screen, locate any existing classification-error alert for this log source:

  5. Check the status of this alert. If it has not been resolved and is still open, no new alert is expected for the most recent occurrence of this issue: the new classification errors fold into the alert that is already open.

    • If you do not have any open classification errors and this issue is still occurring, please reach out to your Panther support representative for further troubleshooting.

Cause

If the alert has not been resolved and is still open, that is why the most recent classification errors did not re-trigger it. Because the alert was never marked as resolved, the new classification errors were attached to the existing open alert rather than triggering it again.

The alerting logic for classification errors was changed in Panther v1.39 to reduce alert fatigue. In earlier versions of Panther, every misclassification triggered a classification error and created a new alert. Since that release, each log source fires a single classification alert, which you can mark as resolved to dismiss. New classification errors re-trigger that same alert once it has been resolved; while it remains open, they are added to it without a new notification.
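The per-source deduplication described above, as an added illustrative model (not Panther's own code): one alert slot per log source, new errors fold into an open alert, and only a resolved alert is re-triggered. The log source name and the in-memory store are constructed for the example.

```python
"""Model of per-log-source classification-alert deduplication.

Added example, not Panther's implementation. It reproduces the behaviour
this article describes: a log source owns a single classification alert;
errors that arrive while it is OPEN are counted but send no new
notification; once it is RESOLVED, the next error re-triggers it.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    source: str
    status: str = "OPEN"        # OPEN or RESOLVED
    error_count: int = 1        # classification errors attached to this alert
    trigger_count: int = 1      # how many times the alert actually fired


@dataclass
class ClassificationAlerting:
    # Hypothetical in-memory store: at most one alert per log source.
    alerts: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)

    def on_classification_error(self, source: str) -> Alert:
        alert = self.alerts.get(source)
        if alert is None:
            # First error for this source: open the alert and notify.
            alert = Alert(source)
            self.alerts[source] = alert
            self.notifications.append(f"{source}: classification alert opened")
        elif alert.status == "RESOLVED":
            # A resolved alert is re-triggered by a new error.
            alert.status = "OPEN"
            alert.error_count += 1
            alert.trigger_count += 1
            self.notifications.append(f"{source}: classification alert re-triggered")
        else:
            # Already open: fold the error in, no new notification (the case
            # described in the Issue section).
            alert.error_count += 1
        return alert

    def resolve(self, source: str) -> None:
        self.alerts[source].status = "RESOLVED"


def demo() -> ClassificationAlerting:
    system = ClassificationAlerting()
    src = "example-log-source"                # constructed source name
    system.on_classification_error(src)       # opens the alert, notifies
    system.on_classification_error(src)       # open: counted, no notification
    system.resolve(src)                       # operator marks it resolved
    system.on_classification_error(src)       # resolved: re-triggers, notifies
    return system
```

Running `demo()` yields two notifications for three errors, which is exactly the gap an operator sees when the first alert is left open.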