The destinations() function in Panther detections allows you to dynamically route alerts to specific destinations. This article explains how the function affects alert routing and what happens when it does not return anything.
The destinations() function in a Python detection provides fine-grained control over alert routing. Here is how the routing works:
If your Python detection does not define a destinations() function at all, alerts are routed according to your alert and destination settings: any static destination override configured for the detection, otherwise the destinations whose configuration matches the alert's severity level, alert type, or log type.
If you define a destinations() function but it returns None (including the common case where a code path simply falls through without a return statement, since Python then returns None implicitly), Panther falls back to the default routing behavior. This means:
It first checks for any static destination overrides defined in the detection's YAML file or in the Console.
If no static overrides are found, it uses the configuration on the destinations themselves, matching on severity level, alert type, and log type.
If destinations() returns an empty list ([]) or a list that contains "SKIP", the alert is still generated in Panther but is not delivered to any destination. This is the mechanism to use when a detection should record an alert without paging anyone.
Whenever destinations() returns a value other than None, that return value takes precedence over every other routing configuration, including static overrides on the detection and the severity, alert type, and log type settings on the destinations themselves. The strings it returns must be the display names or IDs of destinations that exist in your Panther instance.
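The following is an added example, not Panther's own code or a detection from the Panther repository. It shows a Panther-style detection whose destinations() exercises each of the outcomes described above (an explicit override, "SKIP", and a None fall-through), together with a small route() stand-in that mirrors the documented precedence order so the behavior can be checked offline. The destination names ("soc-pagerduty", "cloud-team-slack"), the allowlisted CI principal, and the event shape are all constructed for illustration; route() is a simulation of the documented rules, not Panther's implementation, and it simplifies default routing to a severity lookup.

```python
# Added example (not Panther's own code): a Panther-style detection whose
# destinations() routes dynamically, plus a stand-in for the documented
# routing precedence so it can be exercised offline.
#
# In Panther, `event` is a PantherEvent; its .get() reads a top-level field,
# so a plain dict is an adequate stand-in here. All names below are constructed.

ROOT_USER_DESTINATIONS = ["soc-pagerduty"]      # hypothetical destination name
NON_PROD_DESTINATIONS = ["cloud-team-slack"]    # hypothetical destination name
KNOWN_CI_PRINCIPALS = {"ci-deployer"}           # constructed allowlist


def rule(event):
    """Fire on a successful console login (constructed CloudTrail-like shape)."""
    return (
        event.get("eventName") == "ConsoleLogin"
        and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
    )


def severity(event):
    """Root logins are critical; everything else is medium."""
    return "CRITICAL" if event.get("userType") == "Root" else "MEDIUM"


def destinations(event):
    """Dynamic routing; each branch produces one of the documented outcomes."""
    if event.get("userType") == "Root":
        return ROOT_USER_DESTINATIONS           # non-None: overrides everything
    if event.get("userName") in KNOWN_CI_PRINCIPALS:
        return ["SKIP"]                         # alert recorded, delivered nowhere
    if event.get("environment") == "nonprod":
        return NON_PROD_DESTINATIONS
    return None                                 # fall back to default routing


def route(event, static_overrides=None, default_by_severity=None):
    """Stand-in for the precedence described in the article (not Panther code):
    1. a non-None destinations() result wins outright ([] / "SKIP" means nowhere);
    2. otherwise static overrides on the detection apply;
    3. otherwise the destinations' own matching rules (simplified to severity)."""
    default_by_severity = default_by_severity or {}
    chosen = destinations(event)
    if chosen is None:
        if static_overrides:
            return list(static_overrides)
        return list(default_by_severity.get(severity(event), []))
    if not chosen or "SKIP" in chosen:
        return []
    return list(chosen)
```

The key point to notice when testing a detection like this is the difference between the last two lines of destinations(): an explicit return None hands control back to the detection's static overrides and the destinations' own settings, while return [] silences delivery entirely, so a refactor that changes one into the other changes who gets paged.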
For more detailed information on alert routing scenarios, please refer to Panther's documentation on alert routing scenarios.