Is it possible to manually create a test alert in Panther?

Last updated: July 8, 2025

QUESTION

I would like to manually create a test alert in Panther, and have it route to the appropriate destinations. Is this possible?

ANSWER

Panther does not currently support manually creating test alerts. However, it is possible to create a test alert with a workaround using a scheduled rule.

WORKAROUND

You'll create a Scheduled Search that always returns true, then a scheduled rule associated with that Scheduled Search, which routes test alerts to your desired destination.

  1. Create a Scheduled Search that always returns true.

    1. Navigate to Search -> Data Explorer

    2. Enter a query that always returns true, e.g., simply SELECT true or SELECT 1.

    3. Click Save as.

    4. Set Is this a Scheduled Search? to ON.

    5. Set Is it active? to ON.

    6. Click Cron Expression, then set the query to run however many minutes past the hour, every hour, every day.

      • The number of minutes past the hour will depend on when you are sending the test alert. For example, if the current time is 2:40PM, set it to 42 minutes past the hour. In about 2 minutes' time, the scheduled query will run, which will trigger the scheduled rule.

    7. Click Save Search once the query has been configured.

  2. Create a scheduled rule.

    1. Navigate to Detections -> Create New -> Scheduled Rule.

    2. Within your scheduled rule, configure a title you would like returned.

    3. In the For the Following Scheduled Queries dropdown, select the Scheduled Query that always returns true that you created above.

    4. To ensure the alert gets sent to your desired destination (regardless of that destination's configuration), click the drop-down for Optional Fields and set the Destination Overrides to the desired destination.

    5. Ensure Create Alert is turned ON.

    6. Check that the Rule is Enabled and click Deploy.

From here, feel free to adjust the number of minutes past the hour in the Cron Expression of the Scheduled Search to work with your testing (in Step 1).
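As an added example (not from the Panther article), this is the Python body such a scheduled rule could carry, written against Panther's standard detection functions (rule, title, severity, destinations, alert_context). The destination name and the small helper that builds the cron minute for step 1 are assumptions, not something the article prescribes.

```python
from datetime import datetime

# Hypothetical destination name; replace with your own Panther destination name or ID.
TEST_DESTINATION = "security-ops-slack"


def rule(event):
    # A scheduled rule receives one row of the scheduled query per event.
    # "SELECT 1" returns exactly one row every run, so fire on every row.
    return True


def title(event):
    # The title shown at the destination; keep it obviously a test.
    return "Panther test alert (destination routing check)"


def severity(event):
    return "INFO"


def destinations(event):
    # Same effect as setting Destination Overrides in the UI: route only here,
    # regardless of the destination's own severity filters.
    return [TEST_DESTINATION]


def alert_context(event):
    # Show which columns the always-true query returned, so the receiver can
    # confirm the alert came from the test scheduled search.
    return {"purpose": "destination routing test", "row_columns": sorted(event.keys())}


def cron_minutes_past_hour(current_minute, lead_minutes=2):
    """Build the 5-field cron expression for the step 1 scheduled search so it
    runs ``lead_minutes`` after the current minute, once per hour (assumes
    Panther accepts a standard 5-field cron). Wraps correctly past :59."""
    minute = (current_minute + lead_minutes) % 60
    return f"{minute} * * * *"


if __name__ == "__main__":
    # Example from the article: at 2:40PM the search should run at :42.
    print(cron_minutes_past_hour(datetime.now().minute))
```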