Is there a way to set a detection to a "test" stage (instead of enable or disable), where it matches on production logs, but the alerts can be configured to be sent to a different destination?
Yes. Depending on whether you use the developer workflow or work straight out of the Panther Console, you can use destination overrides.
In the Panther Console:
Go to Build > Detections.
Click the three-dots icon on the right side of a rule, then click Edit.
Under the “Rule Settings” tab, click the Destination Overrides dropdown menu. Select the destinations where you would prefer to send the alerts while testing.
When testing is complete, remove the overrides, and the original severity level-based system will determine the alert destinations for your alerts.
Using Developer Workflows:
To change the destination in-code, you can use the `destinations` function. The return type is a list of either destination names or UUIDs to send your alerts to.
Here's an example:
```python
TEST_MODE = True
TEST_DESTINATIONS = ["test alert destination"]  # Replace with the name or UUID of your test destination


def rule(event):
    # Replace with your rule logic
    return True


def destinations(event):
    # While testing, route every alert from this rule to the test destination(s)
    if TEST_MODE:
        return TEST_DESTINATIONS
    # Returning None leaves routing to the default severity-based destinations
    return None
```
While you have `TEST_MODE` set to `True`, your rule will send any alerts to the destinations listed in `TEST_DESTINATIONS`. When you're ready to go to production, you can either set `TEST_MODE` to `False` or simply remove the `TEST_MODE` logic from the `destinations` function if you don't plan to use it again.
For more information on the `destinations` function, check out Panther's Detections documentation.