Is there a way to send my alerts to a different destination while testing my new Panther detection?
QUESTION
Is there a way to set a detection to a "test" stage (instead of enable or disable), where it matches on production logs, but the alerts can be configured to be sent to a different destination?
ANSWER
Yes. Depending on whether you use the developer workflow or work straight out of the Panther Console, you can use destination overrides.
- In the Panther Console:
  - Go to Build > Detections.
  - Click the 3 dots icon on the right side of a rule, then click Edit.
  - Under the “Rule Settings” tab, click the Destination Overrides dropdown menu. Select the destinations where you would prefer to send the alerts while testing.
  - When testing is complete, remove the overrides, and the original severity level-based system will determine the alert destinations for your alerts.
- Using Developer Workflows:
  - To change the destination in-code, you can use the `destinations` function. The return type is a list of either destination names or UUIDs to send your alerts to.

Here's an example:

```python
TEST_MODE = True
TEST_DESTINATIONS = ["test alert destination"]  # Replace with the name or UUID of your test destination


def rule(event):
    # Replace with your rule logic
    return True


def destinations(event):
    # While testing, route every alert from this rule to the test destination(s)
    if TEST_MODE:
        return TEST_DESTINATIONS
    # Not in test mode: return None so the default severity-based routing applies
    return None
```
While you have `TEST_MODE` set to True, your rule will send any alerts to the destinations listed in `TEST_DESTINATIONS`. When you’re ready to go to production, you can either set `TEST_MODE` to False or simply remove the `TEST_MODE` logic from the `destinations` function if you don’t plan to use it again.
For more information on the `destinations` function, check out Panther's Detections documentation.
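The following is an added example, not code from Panther's documentation or from the answer above. It fills in the `rule` placeholder with concrete (constructed) logic for failed AWS console logins, adds a `severity` function so the severity-based default routing has something to act on, and wraps the three Panther rule functions in a small local harness, `route_alert`, that is a hypothetical stand-in for the order in which Panther evaluates them. The sample events are constructed CloudTrail-like dictionaries, not real log records, and the destination name is an assumed placeholder.

```python
# Added example: a Panther-style rule whose alert routing depends on a
# test-mode flag, plus a local harness so the routing can be checked before
# the rule is deployed. route_alert() is NOT Panther's runtime; it only
# mimics the order rule() -> severity() -> destinations().

TEST_MODE = True
# Assumed placeholder; replace with the name or UUID of a destination
# configured in your Panther Console.
TEST_DESTINATIONS = ["test alert destination"]


def rule(event):
    # Constructed example logic: fire on failed AWS console logins.
    response = event.get("responseElements") or {}
    return (
        event.get("eventName") == "ConsoleLogin"
        and response.get("ConsoleLogin") == "Failure"
    )


def severity(event):
    # Root-account login failures rank higher than IAM-user failures.
    identity = event.get("userIdentity") or {}
    if identity.get("type") == "Root":
        return "HIGH"
    return "MEDIUM"


def destinations(event):
    # While testing, send every alert from this rule to the test destination(s).
    if TEST_MODE:
        return TEST_DESTINATIONS
    # In production, returning None leaves routing to the default
    # severity-based system described in the answer above.
    return None


def route_alert(event, test_mode=None):
    """Hypothetical local stand-in for Panther's evaluation order.

    Returns None when the rule does not match; otherwise a dict with the
    severity and the destination override (None means severity-based default).
    """
    global TEST_MODE
    if test_mode is not None:
        TEST_MODE = test_mode
    if not rule(event):
        return None
    return {"severity": severity(event), "destinations": destinations(event)}


# Constructed sample events (not real CloudTrail records).
FAILED_ROOT_LOGIN = {
    "eventName": "ConsoleLogin",
    "userIdentity": {"type": "Root"},
    "responseElements": {"ConsoleLogin": "Failure"},
}
FAILED_IAM_LOGIN = {
    "eventName": "ConsoleLogin",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "responseElements": {"ConsoleLogin": "Failure"},
}
SUCCESSFUL_LOGIN = {
    "eventName": "ConsoleLogin",
    "userIdentity": {"type": "IAMUser", "userName": "bob"},
    "responseElements": {"ConsoleLogin": "Success"},
}


if __name__ == "__main__":
    samples = [
        ("root failure", FAILED_ROOT_LOGIN),
        ("iam failure", FAILED_IAM_LOGIN),
        ("success", SUCCESSFUL_LOGIN),
    ]
    for name, evt in samples:
        print(name, "test mode:", route_alert(evt, test_mode=True))
        print(name, "prod mode:", route_alert(evt, test_mode=False))
```

Running the block locally shows that with `TEST_MODE` on, both matching events are pinned to the test destination regardless of severity, and with it off the override disappears and severity alone decides the route. The harness is only a convenience for reasoning about the flag; the rule's unit tests in Panther remain the authoritative check before the override is removed.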