Panther Knowledge Base

How do I route a single Panther alert to a specific alert destination?

QUESTION

How do I route a single alert to a specific alert destination? I don't want any triggers in that alert destination unless it's that specific alert.

If I select a Log Type, it sends all alerts for that log type to the destination, which is not what we want.

ANSWER

To route a single alert to a specific destination, create a destination that has no severities or log types configured. Because no alert can match that destination by severity or log type, it receives alerts only from a detection that names it as a destination override.

  1. Log in to the Panther Console.
  2. In the left sidebar, click Configure > Alert Destinations.
  3. Configure your destination:
    • Severity: Do not add any.
    • Alert Types: Select Rule Matches.
    • Log Types: Do not add any.
  4. Navigate to Build > Detections and click your detection name. On the detection page, click Edit in the upper right.
  5. Under the Rule Settings tab, click the Destination Overrides drop-down. Select the alert destination that you created in the previous steps.
    • Alternatively, you can configure this in the rule's Python code by defining a destinations() function.
      • For example:
        def destinations(event):
            # Send this detection's alerts only to the named destination.
            return ["<Your-Destination-ID or Name-of-Destination>"]
  6. In the upper right corner of the page, click Update.

For more examples of alert routing, see Panther's documentation.
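
The routing behavior described in the answer, as a local sketch added here (not code from Panther or from this article). The destination names, the event fields, and the `route()` model are assumptions for illustration, including the assumption that an override replaces severity and log type matching; only `rule()` and `destinations()` are functions you would put in a detection.

```python
from dataclasses import dataclass, field

# Hypothetical destination name; use the name or ID shown in your Panther Console.
DEDICATED_DESTINATION = "single-alert-destination"


def rule(event):
    # Constructed condition for illustration (field names are not a real schema).
    return event.get("eventName") == "ConsoleLogin" and event.get("userType") == "Root"


def destinations(event):
    # Override: alerts from this detection go only to the dedicated destination.
    return [DEDICATED_DESTINATION]


@dataclass
class Destination:
    name: str
    severities: set = field(default_factory=set)
    log_types: set = field(default_factory=set)


def route(severity, log_type, override, configured):
    """Simplified routing model (an assumption, not Panther's implementation)."""
    if override:
        known = {d.name for d in configured}
        return [name for name in override if name in known]
    # Without an override, a destination must list both the severity and the log type.
    return [d.name for d in configured
            if severity in d.severities and log_type in d.log_types]


# Constructed destinations: one general destination, one dedicated with nothing selected.
CONFIGURED = [
    Destination("soc-slack", {"HIGH", "CRITICAL"}, {"AWS.CloudTrail"}),
    Destination(DEDICATED_DESTINATION),
]


def demo():
    event = {"eventName": "ConsoleLogin", "userType": "Root"}  # constructed event
    with_override = route("HIGH", "AWS.CloudTrail", destinations(event), CONFIGURED)
    without_override = route("HIGH", "AWS.CloudTrail", None, CONFIGURED)
    return rule(event), with_override, without_override


if __name__ == "__main__":
    print(demo())
```

In this model the dedicated destination never appears in the result unless a detection returns it from `destinations()`, which is the isolation the empty severity and log type settings are meant to give.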