# Log Source Alarms

## Overview

Use these API operations to interact with log source alarms in Panther. These endpoints allow you to manage the configurable alarm thresholds for your log sources, primarily for use with Terraform provider integrations.

{% hint style="info" %}
Only the `SOURCE_NO_DATA` alarm type is exposed via the REST API. This is the only user-configurable alarm type. System-managed alarm types (`SOURCE_PERMISSIONS_CHECKS`, `SOURCE_LOG_PROCESSING_ERRORS`, `SOURCE_CLASSIFICATION_FAILURES`, `SOURCE_SCANNING_ERRORS`) remain available only through the GraphQL API to avoid configuration drift in declarative infrastructure management tools.
{% endhint %}

## Required permissions

* For `GET` operations, your API token must have the `View Log Sources` permission.
* For `PUT` and `DELETE` operations, your API token must have the `Manage Log Sources` permission.

## Endpoints

### List log source alarms

Returns a list of configurable alarms for the specified log source. Only the `SOURCE_NO_DATA` alarm type is included in the response, as other alarm types are system-managed.

### Get a specific log source alarm

> Get a specific alarm for a log source

```json
{"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"log source alarm","description":"Manage the drop-off alarm (SOURCE_NO_DATA) for log source integrations. Other alarm types shown in the Panther UI (permissions checks, classification failures, log-processing errors, scanning errors) are system-managed and not exposed via this API."}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"LogSourceAlarmAPI.SourceAlarm":{"type":"object","properties":{"minutesThreshold":{"type":"integer","description":"The no-data evaluation period in minutes.","format":"int32"},"state":{"type":"string","description":"The current CloudWatch state of the alarm","enum":["OK","ALARM","INSUFFICIENT_DATA"]},"type":{"type":"string","description":"The alarm type","enum":["SOURCE_NO_DATA"]}},"required":["type"]},"LogSourceAlarmAPI.BadRequestError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"LogSourceAlarmAPI.NotFoundError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"LogSourceAlarmAPI.ServiceError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"LogSourceAlarmAPI.Error":{"type":"object","properties":{"fault":{"type":"boolean","description":"Is the error a server-side fault?"},"id":{"type":"string","description":"ID is a unique identifier for this particular occurrence of the problem."},"message":{"type":"string","description":"Message is a human-readable explanation specific to this occurrence of the problem."},"name":{"type":"string","description":"Name is the name of this class of errors."},"temporary":{"type":"boolean","description":"Is the error temporary?"},"timeout":{"type":"boolean","description":"Is the error a timeout?"}},"required":["name","id","message","temporary","timeout","fault"]}}},"paths":{"/log-source-alarms/{sourceId}/{type}":{"get":{"tags":["log source alarm"],"summary":"get log source alarm","description":"Get a specific alarm for a log source","operationId":"log source alarm#get","parameters":[{"name":"sourceId","in":"path","description":"The ID of the log source","required":true,"schema":{"type":"string","description":"The ID of the log source","format":"uuid"}},{"name":"type","in":"path","description":"The alarm type. Only SOURCE_NO_DATA is exposed.","required":true,"schema":{"type":"string","description":"The alarm type. Only SOURCE_NO_DATA is exposed.","enum":["SOURCE_NO_DATA"]}}],"responses":{"200":{"description":"OK response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LogSourceAlarmAPI.SourceAlarm"}}}},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LogSourceAlarmAPI.BadRequestError"}}}},"404":{"description":"not_found: Not Found response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LogSourceAlarmAPI.NotFoundError"}}}},"500":{"description":"service: Internal Server Error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LogSourceAlarmAPI.ServiceError"}}}},"504":{"description":"timeout: Gateway Timeout response.","content":{"application/vnd.goa.error":{"schema":{"$ref":"#/components/schemas/LogSourceAlarmAPI.Error"}}}}}}}}}
```

Retrieves the details of a specific log source alarm, including its current state, threshold, and configuration.

### Create or update a log source alarm

> Create or update the drop-off threshold for a log source. Only the SOURCE\_NO\_DATA alarm type is user-configurable. Not supported for cloud-security sources (returns 400).

```json
{"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"log source alarm","description":"Manage the drop-off alarm (SOURCE_NO_DATA) for log source integrations. Other alarm types shown in the Panther UI (permissions checks, classification failures, log-processing errors, scanning errors) are system-managed and not exposed via this API."}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"LogSourceAlarmAPI.PutSourceAlarmData":{"type":"object","properties":{"minutesThreshold":{"type":"integer","description":"The no-data evaluation period in minutes. Minimum 15, maximum 43200 (30 days).","format":"int32"}},"required":["minutesThreshold"]},"LogSourceAlarmAPI.PutSourceAlarmResp":{"type":"object","properties":{"minutesThreshold":{"type":"integer","description":"The configured no-data evaluation period in minutes","format":"int32"},"type":{"type":"string","description":"The alarm type","enum":["SOURCE_NO_DATA"]}},"required":["type","minutesThreshold"]},"LogSourceAlarmAPI.BadRequestError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"LogSourceAlarmAPI.NotFoundError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"LogSourceAlarmAPI.ServiceError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"LogSourceAlarmAPI.Error":{"type":"object","properties":{"fault":{"type":"boolean","description":"Is the error a server-side fault?"},"id":{"type":"string","description":"ID is a unique identifier for this particular occurrence of the problem."},"message":{"type":"string","description":"Message is a human-readable explanation specific to this occurrence of the problem."},"name":{"type":"string","description":"Name is the name of this class of errors."},"temporary":{"type":"boolean","description":"Is the error temporary?"},"timeout":{"type":"boolean","description":"Is the error a timeout?"}},"required":["name","id","message","temporary","timeout","fault"]}}},"paths":{"/log-source-alarms/{sourceId}/{type}":{"put":{"tags":["log source alarm"],"summary":"put log source alarm","description":"Create or update the drop-off threshold for a log source. Only the SOURCE_NO_DATA alarm type is user-configurable. Not supported for cloud-security sources (returns 400).","operationId":"log source alarm#put","parameters":[{"name":"sourceId","in":"path","description":"The ID of the log source","required":true,"schema":{"type":"string","description":"The ID of the log source","format":"uuid"}},{"name":"type","in":"path","description":"The alarm type. Only SOURCE_NO_DATA is supported on PUT.","required":true,"schema":{"type":"string","description":"The alarm type. Only SOURCE_NO_DATA is supported on PUT.","enum":["SOURCE_NO_DATA"]}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/LogSourceAlarmAPI.PutSourceAlarmData"}}}},"responses":{"200":{"description":"OK response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LogSourceAlarmAPI.PutSourceAlarmResp"}}}},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LogSourceAlarmAPI.BadRequestError"}}}},"404":{"description":"not_found: Not Found response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LogSourceAlarmAPI.NotFoundError"}}}},"500":{"description":"service: Internal Server Error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LogSourceAlarmAPI.ServiceError"}}}},"504":{"description":"timeout: Gateway Timeout response.","content":{"application/vnd.goa.error":{"schema":{"$ref":"#/components/schemas/LogSourceAlarmAPI.Error"}}}}}}}}}
```

Creates a new alarm or updates an existing alarm for the specified log source. This operation is idempotent - subsequent calls with the same parameters will update the existing alarm rather than create duplicates.

**Key features:**

* **Threshold validation**: The `minutesThreshold` value must be between 15 and 43,200 minutes (30 days)
* **Source validation**: The endpoint validates that the log source exists before creating the alarm
* **Health refresh**: After successfully creating or updating an alarm, the system will refresh the log source's health status
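
The following added example (not Panther's own code) enforces the documented constraints on the client side before a `PUT` is sent, then maps each documented response status to an action. The function names, the `EXAMPLE-KEY` token and the sample source ID are assumptions made for illustration; the path, header name, bounds and status codes come from the OpenAPI description above.

```python
import json
import urllib.request
import uuid

ALARM_TYPE = "SOURCE_NO_DATA"          # the only type the REST API exposes
MIN_MINUTES, MAX_MINUTES = 15, 43200   # bounds from the PutSourceAlarmData schema


def build_put_alarm_request(api_host, api_key, source_id, minutes_threshold):
    """Validate inputs locally, then build (but do not send) the PUT request."""
    # The spec declares sourceId as format uuid; reject anything else before
    # it is interpolated into the URL path.
    source_id = str(uuid.UUID(str(source_id)))
    if isinstance(minutes_threshold, bool) or not isinstance(minutes_threshold, int):
        raise ValueError("minutesThreshold must be an integer")
    if not MIN_MINUTES <= minutes_threshold <= MAX_MINUTES:
        raise ValueError(
            f"minutesThreshold must be between {MIN_MINUTES} and {MAX_MINUTES}")
    return urllib.request.Request(
        url=f"https://{api_host}/log-source-alarms/{source_id}/{ALARM_TYPE}",
        data=json.dumps({"minutesThreshold": minutes_threshold}).encode(),
        method="PUT",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
    )


def classify_response(status, body):
    """Map a documented response to an action: 'ok', 'fix_request' or 'retry'."""
    if status == 200:
        # PutSourceAlarmResp requires both fields; a mismatch means the alarm
        # cannot be assumed to be in place.
        if body.get("type") != ALARM_TYPE or "minutesThreshold" not in body:
            raise ValueError("unexpected 200 body")
        return "ok"
    if status in (400, 404):
        # 400: e.g. out-of-range threshold or a cloud-security source; 404: not found.
        return "fix_request"
    if status in (500, 504):
        return "retry"  # safe to repeat because the PUT is idempotent
    raise ValueError(f"undocumented status {status}")


if __name__ == "__main__":
    # Constructed sample values; the host, key and source ID are placeholders.
    req = build_put_alarm_request("your-api-host", "EXAMPLE-KEY",
                                  "11111111-2222-3333-4444-555555555555", 60)
    print(req.get_method(), req.full_url, req.data.decode())
```
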

### Delete a log source alarm

> Delete the drop-off alarm for a log source. Idempotent: returns 204 even if no alarm exists.

```json
{"openapi":"3.0.3","info":{"title":"Panther REST API","version":"1.0"},"tags":[{"name":"log source alarm","description":"Manage the drop-off alarm (SOURCE_NO_DATA) for log source integrations. Other alarm types shown in the Panther UI (permissions checks, classification failures, log-processing errors, scanning errors) are system-managed and not exposed via this API."}],"servers":[{"url":"https://{api_host}","variables":{"api_host":{"default":"your-api-host"}}}],"security":[{"ApiKeyAuth":[]}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","name":"X-API-Key","in":"header"}},"schemas":{"LogSourceAlarmAPI.BadRequestError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"LogSourceAlarmAPI.ServiceError":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"LogSourceAlarmAPI.Error":{"type":"object","properties":{"fault":{"type":"boolean","description":"Is the error a server-side fault?"},"id":{"type":"string","description":"ID is a unique identifier for this particular occurrence of the problem."},"message":{"type":"string","description":"Message is a human-readable explanation specific to this occurrence of the problem."},"name":{"type":"string","description":"Name is the name of this class of errors."},"temporary":{"type":"boolean","description":"Is the error temporary?"},"timeout":{"type":"boolean","description":"Is the error a timeout?"}},"required":["name","id","message","temporary","timeout","fault"]}}},"paths":{"/log-source-alarms/{sourceId}/{type}":{"delete":{"tags":["log source alarm"],"summary":"delete log source alarm","description":"Delete the drop-off alarm for a log source. Idempotent: returns 204 even if no alarm exists.","operationId":"log source alarm#delete","parameters":[{"name":"sourceId","in":"path","description":"The ID of the log source","required":true,"schema":{"type":"string","description":"The ID of the log source","format":"uuid"}},{"name":"type","in":"path","description":"The alarm type. Only SOURCE_NO_DATA is supported on DELETE.","required":true,"schema":{"type":"string","description":"The alarm type. Only SOURCE_NO_DATA is supported on DELETE.","enum":["SOURCE_NO_DATA"]}}],"responses":{"204":{"description":"No Content response."},"400":{"description":"bad_request: Bad Request response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LogSourceAlarmAPI.BadRequestError"}}}},"500":{"description":"service: Internal Server Error response.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LogSourceAlarmAPI.ServiceError"}}}},"504":{"description":"timeout: Gateway Timeout response.","content":{"application/vnd.goa.error":{"schema":{"$ref":"#/components/schemas/LogSourceAlarmAPI.Error"}}}}}}}}}
```

Removes the specified alarm from the log source. This operation is idempotent - multiple DELETE requests for the same alarm will return the same success response.

## Use with Terraform

These REST endpoints are designed to work seamlessly with the [Panther Terraform Provider](https://github.com/panther-labs/panther-docs/blob/main/docs/gitbook/terraform/README.md) for infrastructure-as-code management. The endpoints support:

* **Declarative resource management**: PUT operations are idempotent and suitable for Terraform's plan/apply workflow
* **State drift prevention**: Only user-configurable alarm types are exposed to avoid conflicts with system-managed alarms
* **Consistent error handling**: Validation errors provide clear messages that can be handled by Terraform

See the [Terraform documentation](https://github.com/panther-labs/panther-docs/blob/main/docs/gitbook/terraform/README.md) for examples of how to manage log source alarms using infrastructure as code.


