I want to ensure that only Alerts originating from a specific log source (names starting with "text-") are received by a specific destination.
It is possible to conditionally route alerts to specific destinations at the individual detection level. You should be able to express this logic via the destinations() alert function, making use of the p_source_label field that gets stored on each log event. You can see an example below:
def destinations(event):
    # Default to "" so a missing p_source_label does not raise AttributeError
    if event.get("p_source_label", "").startswith("text-"):
        return ["slack-security-alerts"]  ### Name or UUID of destination
    # Do not send alert to an external destination
    return ["SKIP"]
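As an added example (not part of the original answer), the same idea generalized to a prefix-to-destination map that also tolerates a missing or null p_source_label, with a small harness over constructed events; the destination names and the sample events are placeholders, not real Panther configuration.

```python
# Added example, not code from the original answer. Generalizes destinations()
# to route on several p_source_label prefixes and to handle a missing label.

# Prefix -> list of destination names or UUIDs (constructed placeholder values).
ROUTING = {
    "text-": ["slack-security-alerts"],
    "prod-": ["pagerduty-oncall", "slack-security-alerts"],
}

SKIP = ["SKIP"]  # Panther's sentinel value: suppress external delivery


def destinations(event):
    # p_source_label may be absent or None; normalize to "" so startswith() never raises.
    label = event.get("p_source_label") or ""
    for prefix, dests in ROUTING.items():
        if label.startswith(prefix):
            return dests
    # No prefix matched: keep the alert in Panther only.
    return SKIP


def route_events(events):
    """Map each event's p_source_label to the destinations it would be routed to."""
    return {e.get("p_source_label"): destinations(e) for e in events}


SAMPLE_EVENTS = [  # constructed sample events, not real log data
    {"p_source_label": "text-ingest-01", "p_event_time": "2024-01-01 00:00:00"},
    {"p_source_label": "prod-api", "p_event_time": "2024-01-01 00:00:01"},
    {"p_source_label": "dev-laptop", "p_event_time": "2024-01-01 00:00:02"},
    {"p_event_time": "2024-01-01 00:00:03"},  # label missing entirely
]

if __name__ == "__main__":
    for label, dests in route_events(SAMPLE_EVENTS).items():
        print(f"{label!r:20} -> {dests}")
```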