How does alert routing for scheduled rules work in Panther when a scheduled rule relies on multiple queries drawing from various log types? Do all log types need to be included in the "Log Types" selector for the alert destination, or is one log type sufficient?
When configuring your alert destination, think of Severity Levels, Default Alert Types, and Log Type selections as filters. These filters play a vital role in determining which alerts are sent to specific destinations.
If you have a scheduled rule that relies on multiple queries, the Log Type filter in your destination's settings becomes pivotal. It determines which log types trigger alerts for that particular destination.
In the scenario where you configure the Log Type filter to match only one of the log types that your queries rely on, the alert destination will receive alerts exclusively for that log type. Even if all your queries match the rule, the alerts will remain confined to the selected log type.
To create an alert destination that is tailored to a specific scheduled rule, consider these steps:
- Configure your destination's Default Alert Types as 'Scheduled Rule Matches' and 'Scheduled Rule Errors.'
- Ensure that you include all log types your queries rely on in the Log Type selector. This setup ensures that the destination exclusively receives alerts from scheduled rules that meet these criteria.
Remember that destination overrides in your scheduled rule can override the Log Type filter and other destination settings. If you've enabled a destination override in your rule, it takes precedence over destination-level configurations.
In summary, to ensure that your alert destination receives alerts based on specific criteria, include all relevant log types in the Log Type selector. If you want to receive alerts for scheduled rules across all log types, configure a destination with no Log Type filter and set Default Alert Types to 'Scheduled Rule Matches' and 'Scheduled Rule Errors.'