We use the Google Chronicle Alerts connector with dynamic environment routing:
- Environment Field Name: event_metadata_baseLabels_namespaces_1
- Environment Regex Pattern: ^(IFAP|UNIFAP|IFPI)$
This correctly routes alerts from mapped namespaces (IFAP, UNIFAP → SOC-AP environment; IFPI → SOC-PI environment). Namespaces not matched by the regex (e.g., IFES, IFTM) correctly fall back to the Default Environment.
Problem: Even though unmatched namespaces fall back to Default as intended, we keep receiving email notifications:
"Alerts were ingested into Environment IFES which does not exist in the system. Please create this Environment in the Settings in order to see the alerts."
These institutions don't have a dedicated SOC yet, so we intentionally want them in Default — not their own environment.
Questions:
- Is there a supported way to suppress these "environment does not exist" notifications without creating an environment for every namespace?
- Can the connector be configured so unmatched namespaces route silently to Default without triggering the notification?
- We checked User Preferences > Notifications (Cases) — this notification type isn't listed there. Where is it controlled?
We expect many new namespaces over time (one per institution), so creating an environment for each just to silence the alert isn't scalable.
