Can I configure my Panther alert destination to receive scheduled rule alerts for a specific log type?
Last updated: June 17, 2026
QUESTION
Can I configure my Panther alert destination to receive scheduled rule alerts for a specific log type?
ANSWER
No, Panther's alert destinations currently do not support filtering scheduled rule alerts by log type. The "Log Types" setting in alert destinations applies only to real-time rules or correlation rules.
Scheduled rules operate on query results, which can include data from multiple log types or even entirely generated datasets. Because of this flexibility, scheduled rules do not have a fixed log type.
In summary, scheduled rules don’t technically have log types, nor do policies or system errors. If your destination is configured to receive alerts of any of these types, it will receive all of them.
Note: When a rule uses a destinations() function or a static destination override, Panther routes the alert directly to the specified destination(s) and may bypass certain destination-level filters. If a destination named in the override is later deleted or becomes unresolvable, Panther falls back to default routing, at which point destination-level filters are re-applied. For this reason, it's a good practice to keep your destination's alert type configuration accurate even when using overrides — this ensures alerts continue routing correctly if the override is ever removed or a named destination changes.
If your alert destination is receiving unexpected alerts from other log types despite having log type filters, check whether scheduled rule matches are included. Since scheduled rules aren’t limited to a single log type, they can bypass log type filters.
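Because destination-level log type filters do not apply to scheduled rule matches, the routing decision can be made in the rule itself with the destinations() function mentioned in the note above. The following is an added example, not code from Panther or from this page. It assumes the scheduled query selects a p_log_type column, and the destination names are hypothetical placeholders.

```python
# Added example: Python body of a Panther scheduled rule.
# Assumptions: the scheduled query returns a p_log_type column for rows that
# come from a single log type; destination names below are hypothetical.

ROUTES = {
    "AWS.CloudTrail": ["cloud-team-slack"],
    "Okta.SystemLog": ["identity-team-pagerduty"],
}
# Rows with no usable log type (joins, generated datasets) must still land
# somewhere a human looks, so they go to a catch-all instead of being dropped.
FALLBACK = ["secops-triage-queue"]


def _log_type(event):
    # Assumption: the column may be named in either case by the query.
    for key in ("p_log_type", "P_LOG_TYPE"):
        value = event.get(key)
        if isinstance(value, str) and value.strip():
            return value.strip()
    return None


def rule(event):
    # Each row returned by the scheduled query counts as a match.
    return True


def title(event):
    return f"Scheduled query match ({_log_type(event) or 'no single log type'})"


def dedup(event):
    # Group alerts per log type so each destination gets its own alert.
    return _log_type(event) or "mixed-or-generated"


def destinations(event):
    # Unknown or missing log types fall through to the catch-all destination.
    return ROUTES.get(_log_type(event), FALLBACK)
```

Keep the destination's own alert type configuration accurate as well, since the note above explains that default routing takes over if a named destination is deleted or cannot be resolved.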