Skip to main content
Panther Knowledge Base

Will specifying a dedup period delay a Panther alert for the duration of the set period?

  1. Last updated
  2. Save as PDF

QUESTION

Will specifying a dedup period delay an alert for the duration of the set period?

ANSWER

No, the dedup period will not delay an alert for the period it is set to. Instead, it adds more triggers of the rule to the same alert over the set dedup period.

Dedup works by grouping similar alerts together. When you first get a positive rule match, an alert is generated and delivered. For future or subsequent rule matches within that dedup period, we attach those matches to the first alert and do not send another alert notification. This is to avoid spamming.

Here is an example, if we have a rule with a dedup period of 1 hour:

10:07 - first rule match -> fires alert 
10:36 - second rule match -> attached to first alert 
10:42 - another rule match -> attached to first alert 
11:06 - another match -> attached to first alert 
11:07 - another match -> fires new alert, since it's been 1 hour (or  more) since we got the first event 
11:12 - another match -> get's attached to the second alert 
...

Please see Panther's documentation on Deduplication for more information.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
  2. Tags
    This page has no tags.