Panther Knowledge Base

Is there a way to specify the destination in a Panther detection's YML file?

QUESTION

When writing a detection, how do I specify an alert destination override in the YML file?

ANSWER

You can add the ID of a destination in the OutputIds field of the YML file. This field is where we store a detection's Destination Overrides. To get the destination ID for use in this field, visit your Panther Console, go to Configure > Alert Destinations, search for your desired destination, and left-click its title to open it.

Using Destination Overrides, all alerts from this detection will go to the destinations specified there. If you want to override normal routing but still control the routing explicitly, e.g. based on available log attributes, see our documentation on using the destinations() function in your detection code.
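
The destinations() approach mentioned above, as an added example that is not taken from this article or from Panther's own code: a Python detection body that chooses alert destinations from a log attribute. The destination IDs, the account IDs and the CloudTrail root-login rule are constructed assumptions, and plain dicts stand in for the event object Panther passes in.

```python
# Constructed placeholder destination IDs. Real IDs are read from
# Configure > Alert Destinations in the Panther Console.
ONCALL_DESTINATION_ID = "00000000-0000-0000-0000-000000000001"
TRIAGE_DESTINATION_ID = "00000000-0000-0000-0000-000000000002"

# Hypothetical production AWS account IDs (constructed values).
PROD_ACCOUNT_IDS = {"111111111111", "222222222222"}


def rule(event):
    # Match AWS console logins performed by the root user.
    if event.get("eventName") != "ConsoleLogin":
        return False
    identity = event.get("userIdentity") or {}
    return identity.get("type") == "Root"


def destinations(event):
    # Route on a log attribute: production accounts alert the on-call
    # destination as well as triage; every other account alerts triage only.
    # Every path returns an explicit list, so routing never depends on a
    # missing or unexpected attribute value.
    if event.get("recipientAccountId") in PROD_ACCOUNT_IDS:
        return [ONCALL_DESTINATION_ID, TRIAGE_DESTINATION_ID]
    return [TRIAGE_DESTINATION_ID]


# Constructed sample events for checking the routing locally.
PROD_ROOT_LOGIN = {
    "eventName": "ConsoleLogin",
    "recipientAccountId": "111111111111",
    "userIdentity": {"type": "Root"},
}
DEV_ROOT_LOGIN = {
    "eventName": "ConsoleLogin",
    "recipientAccountId": "333333333333",
    "userIdentity": {"type": "Root"},
}

if __name__ == "__main__":
    for sample in (PROD_ROOT_LOGIN, DEV_ROOT_LOGIN):
        if rule(sample):
            print(sample["recipientAccountId"], "->", destinations(sample))
```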