QUESTION

When writing a detection, how do I specify an alert destination override in the YML file? Is it possible to add a destination configuration to a simple detection rule?

ANSWER

You can add the ID of a destination in the OutputIds field of the YML file. This field is where we store a detection's Destination Overrides. To get the destination ID for use in this field, visit your Panther Console, go to Configure > Alert Destinations, search for your desired destination, and left-click its title to open it.

Using Destination Overrides, all alerts from this detection will go to the destinations specified there. If you want to override normal routing but still control the routing explicitly, e.g. based on available log attributes, see our documentation here about using the destinations() function in your detection code.

It is possible to add a destination configuration to a simple detection rule by using the key OutputIds, which is a list of strings. The exact definition of this key is that it's used for static destination overrides. These will be used to determine how alerts from this rule are routed, taking priority over default routing based on severity.

You can refer to our documentation to find all the relevant information about the Simple (YAML) rules and their syntax.
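As an added illustration (not code from the original answer or from Panther itself), here is a Panther-style Python rule that uses the destinations() function mentioned above to route alerts by log attributes rather than through a single static OutputIds override; the destination IDs, account number and sample events are constructed placeholders.

```python
# Added example, not Panther's own code. A static override would instead live in
# the rule's YAML, e.g.  OutputIds: ["<destination-id>"]  (placeholder value).
# Here routing is decided per event in destinations(), which Panther calls after
# rule() returns True.

# Hypothetical destination IDs (placeholders; real IDs are copied from
# Configure > Alert Destinations in the Panther Console).
DEST_SOC_PAGER = "00000000-0000-0000-0000-0000000000aa"
DEST_CLOUD_TEAM = "00000000-0000-0000-0000-0000000000bb"

# Constructed set of AWS accounts treated as production.
PROD_ACCOUNTS = {"123456789012"}


def rule(event):
    """Alert on a console login that did not use MFA (constructed CloudTrail-like shape)."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    extra = event.get("additionalEventData") or {}
    return extra.get("MFAUsed") != "Yes"


def title(event):
    user = (event.get("userIdentity") or {}).get("userName", "<unknown>")
    return f"Console login without MFA by {user} in account {event.get('recipientAccountId')}"


def destinations(event):
    """Return the list of destination IDs for this alert, chosen by log attributes."""
    if event.get("recipientAccountId") in PROD_ACCOUNTS:
        return [DEST_SOC_PAGER, DEST_CLOUD_TEAM]  # page on-call plus notify owners
    return [DEST_CLOUD_TEAM]  # non-production: notify owners only


def evaluate(event):
    """Mirror the engine's flow locally: no alert unless rule() fires, then route it."""
    if not rule(event):
        return None
    return {"title": title(event), "destinations": destinations(event)}


# Constructed sample events for exercising the rule offline.
SAMPLE_PROD_NO_MFA = {"eventName": "ConsoleLogin", "recipientAccountId": "123456789012",
                      "userIdentity": {"userName": "alice"}, "additionalEventData": {"MFAUsed": "No"}}
SAMPLE_DEV_NO_MFA = {"eventName": "ConsoleLogin", "recipientAccountId": "999999999999",
                     "userIdentity": {"userName": "bob"}, "additionalEventData": {"MFAUsed": "No"}}
SAMPLE_PROD_MFA = {"eventName": "ConsoleLogin", "recipientAccountId": "123456789012",
                   "userIdentity": {"userName": "carol"}, "additionalEventData": {"MFAUsed": "Yes"}}
```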