Skip to main content
Panther Knowledge Base

How do I set up separate destinations for detections with the same log type?

  1. Last updated
  2. Save as PDF

Question


If we want to import a log type from a secondary source, all of the existing alerts would fire and route to existing channels. If we want that new source to keep its data (and alerts) fully partitioned, we would need to create a new schema name. Is there another way to do this?

 

Answer

You can make a destinations function in your rule's Python code that can switch the destination dynamically using the p_source_label Panther-generated field. Note that all rules with that log type will need to be updated to include this logic.

All alerts produced from a particular log type will push to the same destinations. If you have more than one log source and want to separate the destinations per log source, the rules will need to be updated to account for that.