Disabling Escalations/Notifications for specific sources/agents
Rian Ball
The current problem we have is that on occasion our SIEM sources stop logging for one reason or another. The current mechanism in place to alert for that is here: https://support.huntress.io/hc/en-us/articles/42917517950995-Non-Reporting-Log-Source-Escalations. However, that solution is not a great one when you are ingesting hundreds of Windows Event Viewer logs, and any time a regular workstation is off for more than 8 hours we would get an escalation. It would create a ton of noise and make that setting unreasonable to use.
There should be some way to scope the notifications to a certain source type/sources.