Reporting on Log Sources not Sending Data
in progress
Dru DuBay
Just came here to add another comment that this is great, but not working as it should for computers. Machines that are offline, or intentionally shut down should not be reported on.
If Huntress has the machine checking in, but not reporting, then fine. But if Huntress shows the machine last checking in 1 hour ago, I don't want an alert that the SIEM hasn't seen something in 8 hours.
Pat DiPersia
Definitely need granularity here. Would be great to have filtering in a way that we don't have to regularly exclude machines. For example, filter out all Windows machines that aren't servers. PLEASE don't just give us a checkbox next to machines to turn this off; it won't be useful if so.
Karen Johnson
I turned this on and it sent me alerts for 510 sources! The vast majority of these are simply desktops that are offline. I agree that this needs granularity. I would like to be alerted primarily on firewall sources and generic syslog collectors that stop collecting. Desktop Windows logs are not ones that we would typically be concerned with if they stopped reporting for a period of time.
Phill Wade
I just saw and enabled this feature described here - https://www.loom.com/share/bb513c54b0f24b80b8f89cdd8a16fef8?sid=8fae95ce-38c2-459d-ae74-b5de054e2a55
This created escalations for Windows devices that were just turned off overnight. Can we have some functionality added where we can specify which data sources are reported on? For Windows, it would also be good to be able to filter by desktop vs. server.
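As an added illustration (not Huntress's implementation) of the rule the commenters above are asking for: a silent source should only raise an alert when its source class is one we care about and, for agent-managed hosts, the agent is still checking in, meaning the host is online but its logs stopped. The threshold, source-type names and sample inventory below are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Source classes worth alerting on (constructed policy, not Huntress's).
MONITORED_TYPES = {"firewall", "syslog_collector", "windows_server"}
SILENCE_THRESHOLD = timedelta(hours=8)

@dataclass
class LogSource:
    name: str
    source_type: str
    last_log_seen: datetime
    # When the endpoint agent last checked in; None for appliances
    # with no agent (firewalls, syslog collectors).
    last_agent_checkin: Optional[datetime] = None

def should_alert(src: LogSource, now: datetime) -> bool:
    """Return True only when the silence looks like a real collection failure."""
    if src.source_type not in MONITORED_TYPES:
        return False  # e.g. Windows desktops: silence is expected, skip them
    if now - src.last_log_seen < SILENCE_THRESHOLD:
        return False  # still sending within the window
    if src.last_agent_checkin is not None:
        # Agent heartbeat is known: suppress if the host has been offline for
        # the whole window (powered down), alert only if it is online but silent.
        if now - src.last_agent_checkin >= SILENCE_THRESHOLD:
            return False
    return True

def silent_sources(sources, now):
    """Names of the sources that should be escalated at time `now`."""
    return [s.name for s in sources if should_alert(s, now)]

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [  # constructed sample inventory
    LogSource("fw-edge-01", "firewall", NOW - timedelta(hours=9)),
    LogSource("syslog-dc1", "syslog_collector", NOW - timedelta(minutes=5)),
    LogSource("srv-file-02", "windows_server", NOW - timedelta(hours=8), NOW - timedelta(hours=1)),
    LogSource("srv-bkp-03", "windows_server", NOW - timedelta(hours=20), NOW - timedelta(hours=20)),
    LogSource("wks-0417", "windows_desktop", NOW - timedelta(hours=14), NOW - timedelta(hours=14)),
]

if __name__ == "__main__":
    print(silent_sources(SAMPLE, NOW))  # ['fw-edge-01', 'srv-file-02']
```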
Chris Bisnett
in progress
We've built out the logic to identify when data sources stop sending data where we expect there to be data. We're testing this internally so that we don't turn it on and flood folks with false positives. This should be enabled for everyone in the next few weeks.
James Mason | PMM @ Huntress
this quarter