QUESTION

A log source turned unhealthy. After I fixed it, why do I still get an error banner in the Panther Console?

ANSWER

A log source can turn unhealthy in a few different ways, and the resolution depends on how it turned unhealthy:

Source received events recently that we were unable to classify:

If the error is a classification failure, you can manually "Mark as resolved" once you have examined the event and found the reason why it occurred.

If you receive the unhealthy status again after resolving the alert, it means that you received another event that failed to classify. In that case, examine your source data to determine whether it truly fits the schemas that are associated with your log source.

Other errors

To determine why a log source is currently in an unhealthy state, click on the Health tab of your Log Source page to find the detailed error message. Different error types have different paths to resolution. For example, if you see an error that Panther failed to read from your S3 bucket, it could mean that the permissions on the Log Processing Role need to be checked or adjusted.

If you require assistance troubleshooting an error, please reach out to Panther's support team.

Resolving the banner

The banner is governed by a time-based condition and will clear on its own.