QUESTION

How does alert routing for scheduled rules work in Panther when a scheduled rule relies on multiple queries drawing from various log types? Do all log types need to be included in the "Log Types" selector for the alert destination, or is one log type sufficient?

ANSWER

When configuring your alert destination, think of Severity Levels, Default Alert Types, and Log Type selections as filters. These filters play a vital role in determining which alerts are sent to specific destinations.

If you have a scheduled rule that relies on multiple queries, the Log Type filter in your destination's settings becomes pivotal. It determines which log types trigger alerts for that particular destination.

In the scenario where you configure the Log Type filter to match only one of the log types that your queries rely on, the alert destination will receive alerts exclusively for that log type. Even if all your queries match the rule, the alerts will remain confined to the selected log type.

To create an alert destination that is tailored to a specific scheduled rule, consider these steps:

Remember that destination overrides in your scheduled rule can override the Log Type filter and other destination settings. If you've enabled a destination override in your rule, it takes precedence over destination-level configurations.

In summary, to ensure that your alert destination receives alerts based on specific criteria, include all relevant log types in the Log Type selector. If you want to receive alerts for scheduled rules across all log types, configure a destination with no Log Type filter and set Default Alert Types to 'Scheduled Rule Matches' and 'Scheduled Rule Errors.'
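As an added illustration (not Panther's own code), the following Python model captures the routing logic described in the answer: each destination-level selection acts as a filter, an empty filter accepts everything, and a destination override on the rule bypasses those filters. Destination names, log types and severities below are constructed sample values.

```python
from dataclasses import dataclass

# Default alert types named in the answer above.
SCHEDULED_MATCH = "Scheduled Rule Matches"
SCHEDULED_ERROR = "Scheduled Rule Errors"


@dataclass
class Destination:
    name: str
    severities: frozenset = frozenset()   # empty filter = any severity
    alert_types: frozenset = frozenset()  # empty filter = any alert type
    log_types: frozenset = frozenset()    # empty filter = any log type


@dataclass
class Alert:
    rule_id: str
    alert_type: str
    severity: str
    log_type: str        # log type of the query that produced the match
    overrides: tuple = ()  # destination override configured on the rule


def destination_accepts(dest: Destination, alert: Alert) -> bool:
    """All three destination-level filters must pass for delivery."""
    return ((not dest.severities or alert.severity in dest.severities)
            and (not dest.alert_types or alert.alert_type in dest.alert_types)
            and (not dest.log_types or alert.log_type in dest.log_types))


def route(alert: Alert, destinations: list) -> list:
    """Return the names of destinations that receive this alert."""
    if alert.overrides:  # rule-level override wins over destination filters
        return [d.name for d in destinations if d.name in alert.overrides]
    return [d.name for d in destinations if destination_accepts(d, alert)]


# Constructed sample destinations (hypothetical names and log types).
DESTINATIONS = [
    Destination("slack-cloudtrail", frozenset({"HIGH", "CRITICAL"}),
                frozenset({SCHEDULED_MATCH}), frozenset({"AWS.CloudTrail"})),
    Destination("pagerduty-all", frozenset(),
                frozenset({SCHEDULED_MATCH, SCHEDULED_ERROR}), frozenset()),
    Destination("email-oncall", frozenset({"CRITICAL"})),
]


def demo() -> dict:
    """One scheduled rule whose queries span two log types."""
    rule = "Example.MultiSource.ScheduledRule"
    return {
        "cloudtrail_match": route(Alert(rule, SCHEDULED_MATCH, "HIGH", "AWS.CloudTrail"), DESTINATIONS),
        "okta_match": route(Alert(rule, SCHEDULED_MATCH, "HIGH", "Okta.SystemLog"), DESTINATIONS),
        "rule_error": route(Alert(rule, SCHEDULED_ERROR, "HIGH", "AWS.CloudTrail"), DESTINATIONS),
        "overridden": route(Alert(rule, SCHEDULED_MATCH, "LOW", "Okta.SystemLog", ("email-oncall",)), DESTINATIONS),
    }
```

The Okta-sourced match from the same rule reaches only the destination with no Log Type filter, which is the confinement the answer describes.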