How do I route a single Panther alert to a specific alert destination?
QUESTION
How do I route a single alert to a specific alert destination? I don't want any triggers in that alert destination unless it's that specific alert.
If I select a Log Type, it sends all alerts for that log type to the destination, which is not what we want.
ANSWER
A way to route a single alert to a specific destination is to create a destination that does not contain any severities or log types. Since no severities or log types will match to get routed to that destination, it can only be used if you configure a detection to use it as a destination override.
- Log in to the Panther Console.
- In the left sidebar, click Configure > Alert Destinations.
- Go through the process of creating a new alert destination, or edit an existing destination.
- Configure your destination:
  - Severity: Do not add any.
  - Alert Types: Select Rule Matches.
  - Log Types: Do not add any.
- Navigate to Build > Detections and click your detection name. On the detection page, click Edit in the upper right.
- Under the Rule Settings tab, click the Destination Overrides drop-down. Select the alert destination that you created in the previous steps.
- Alternatively, you can also configure this in the rule function using destinations().
- In the upper right corner of the page, click Update.
For more examples of alert routing, see Panther's documentation.
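As an added example (not part of the original answer or Panther's own code), the rule-function variant of the override: a Panther-style Python rule whose destinations() returns only the dedicated destination created above. The destination name "critical-ops-only", the watched CloudTrail actions, and the sample events are all assumptions constructed for this illustration.

```python
# Added example, not from the Panther article. Assumes a destination with no
# severities or log types was created and named "critical-ops-only" (placeholder).
DEDICATED_DESTINATION = "critical-ops-only"

# CloudTrail actions this detection treats as logging tampering (constructed set).
WATCHED_ACTIONS = {"DeleteTrail", "StopLogging"}


def rule(event):
    """Fire only on a successful trail deletion or logging stop."""
    return event.get("eventName") in WATCHED_ACTIONS and not event.get("errorCode")


def title(event):
    """Alert title shown in the destination."""
    actor = event.get("userIdentity", {}).get("arn", "<unknown>")
    return f"CloudTrail {event.get('eventName')} by {actor}"


def destinations(event):
    """Destination override: because the dedicated destination matches no
    severity or log type, only this rule's alerts will ever reach it."""
    return [DEDICATED_DESTINATION]


# Constructed sample events for local testing; not real log data.
SAMPLE_DELETE = {"eventName": "DeleteTrail",
                 "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
SAMPLE_FAILED = {"eventName": "DeleteTrail", "errorCode": "AccessDenied",
                 "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}}
SAMPLE_BENIGN = {"eventName": "DescribeTrails",
                 "userIdentity": {"arn": "arn:aws:iam::123456789012:role/auditor"}}


def run_samples():
    """Mimic Panther's evaluation: (eventName, fired, routed destinations)."""
    results = []
    for ev in (SAMPLE_DELETE, SAMPLE_FAILED, SAMPLE_BENIGN):
        fired = rule(ev)
        results.append((ev["eventName"], fired, destinations(ev) if fired else []))
    return results


if __name__ == "__main__":
    for name, fired, dests in run_samples():
        print(f"{name}: fired={fired} destinations={dests}")
```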