How can I ensure that only alerts originating from a specific log source are received by a specific destination in Panther?

Last updated: September 11, 2025

QUESTION

I want to ensure that only Alerts originating from a specific log source (names starting with "text-") are received by a specific destination.

ANSWER

Alerts can be routed conditionally to specific destinations at the individual detection level. Express this logic in the detection's destinations() alert function, using the p_source_label field that Panther stores on each log event. An example is shown below:

def destinations(event):
    # p_source_label is the name of the log source that produced the event.
    # A default of "" avoids an AttributeError if the field is ever absent.
    if event.get("p_source_label", "").startswith("text-"):
        return ["slack-security-alerts"]  # Name or UUID of the destination
    # Do not send the alert to an external destination
    return []
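The same routing pattern, generalized to several source-label prefixes and exercised against constructed sample events. This is an added example, not code from the Panther knowledge base; the destination names, the PREFIX_ROUTES mapping and the sample events are placeholders.

```python
# Added example: route alerts by p_source_label prefix. The destination
# names and the prefix mapping are hypothetical placeholders.
PREFIX_ROUTES = {
    "text-": ["slack-security-alerts"],
    "aws-": ["pagerduty-cloud-oncall"],
}


def destinations(event):
    # p_source_label is the Panther-added name of the log source. Fall back
    # to "" so a missing or null field cannot raise an AttributeError.
    label = event.get("p_source_label", "") or ""
    for prefix, dests in PREFIX_ROUTES.items():
        if label.startswith(prefix):
            return list(dests)
    # No prefix matched: do not send to an external destination.
    return []


# Constructed sample events carrying the p_ fields Panther adds to log events.
SAMPLE_EVENTS = [
    {"p_source_label": "text-prod-auth", "p_log_type": "Custom.Text"},
    {"p_source_label": "aws-cloudtrail-main", "p_log_type": "AWS.CloudTrail"},
    {"p_source_label": "gsuite-audit", "p_log_type": "GSuite.Reports"},
    {"p_log_type": "Custom.NoLabel"},  # no source label at all
]


def route_all(events):
    """Return {source_label: destinations} for each event, for review."""
    return {e.get("p_source_label", "<missing>"): destinations(e) for e in events}


if __name__ == "__main__":
    for label, dests in route_all(SAMPLE_EVENTS).items():
        print(f"{label!r} -> {dests or 'no external destination'}")
```

Running the script prints the routing decision for each sample event, which is a quick way to review a destinations() function before deploying the detection.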