Is there a way to send my alerts to a different destination while testing my new Panther detection?
QUESTION
Is there a way to set a detection to a "test" stage (instead of enable or disable), where it matches on production logs, but the alerts can be configured to be sent to a different destination?
ANSWER
Yes. Depending on whether you use the developer workflow or work straight out of the Panther Console, you can use destination overrides.
- In the Panther Console:
- Go to Build > Detections.
- Click the 3 dots icon on the right side of a rule then click Edit.
- Under the “Rule Settings” tab, click the Destination Overrides dropdown menu. Select the destinations where you would prefer to send the alerts while testing.
- When testing is complete, remove the overrides, and the original severity level-based system will determine the alert destinations for your alerts.
- Using Developer Workflows:
- To change the destination in-code, you can use the
destinationsfunction. The return type is a list of either destination names or UUIDs to send your alerts.
Here's an example:
- To change the destination in-code, you can use the
TEST_MODE = True
TEST_DESTINATIONS = ["test alert destination"] # Replace with the name or UUID of your test destination
def rule(event):
# Replace with your rule logic
return True
def destinations(event):
if TEST_MODE:
return TEST_DESTINATIONS
While you have TEST_MODE set to True, your rule will send any alerts to the destinations listed in TEST_DESTINATIONS. When you’re ready to go to production, you can either set TEST_MODE to False or simply remove the TEST_MODE logic from the destinations function if you don’t plan to use it again.
For more information on the destinations function, check out Panther's Detections documentation.