How does Destination Override work in Panther?


 How do I use destination override to send only alerts from my rule to a particular destination?


By default, a destination accepts alerts of all types and all severity levels. You can limit a destination to only accept Critical severity level alerts that require quick action or only Rule Error type alerts for debugging purposes, thereby limiting the scope of alerts to that destination. If a destination accepts Rule Matches and all alert severities, it will receive rule match alerts from every rule.

If you have a strict channel that only accepts Critical severity alerts, you can override that setting for a particular rule. This is also true for alert types; if you have a channel that only receives rule errors, you can override that setting when enabling destination override. Alerts for that rule will post to the destination regardless of its settings.

For example, you may want a very strict channel, where a certain destination only receives alerts from manually-specified detections. In this case, follow the instructions here: How do I route a single Panther alert to a specific alert destination?


