How can I setup a Panther detection such that each event gets sent as its own separate alert?
QUESTION
How do I disable deduplication for my Panther detections? I want each event to be sent as a single alert.
ANSWER
To set up a detection that sends a separate alert for each incoming event:
- Log in to the Panther Console.
- Go to Build > Detections. Select the Detection you would like to edit. Click Edit.
- Set the Deduplication Period low.
  - This is how long Panther will wait to group events together. Since you don't want alerts grouped, you can use the lowest setting here.
- Set the Events Threshold to 1.
  - This is how many events Panther will attempt to group together.
- Edit your detection code to use the row ID (p_row_id) for deduplication; this ID is unique for every event that comes into Panther.
  a. For Simple Detections (YAML Detections), set the GroupBy to:

     GroupBy:
       - Key: p_row_id

  b. For Python Detections, use the following dedup function:

     def dedup(event):
         return event.get('p_row_id', '')
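The example below is added here to show why the dedup string matters; it is not Panther's own code and not part of the original answer. It pairs a Panther-style Python detection (rule, title, dedup) with a small, simplified model of how events are bucketed into alerts within one deduplication period. The event field names (action, status, user) and the p_row_id values are constructed for the example; Panther's real grouping also keys on the detection ID and runs on a timer, so treat group_alerts as an illustration of the dedup-string effect, not as Panther's implementation.

```python
# Added illustration (not Panther's own code). The sample events and their
# field names are constructed; only p_row_id and dedup() come from the page.
from collections import OrderedDict


def rule(event):
    """Fire on failed logins. Field names are assumed for this example."""
    return event.get("action") == "login" and event.get("status") == "failure"


def title(event):
    return f"Failed login for {event.get('user', '<unknown>')}"


def dedup(event):
    """Dedup on p_row_id, which Panther sets uniquely for every ingested event."""
    return event.get("p_row_id", "")


def default_dedup(event):
    """Approximation of Panther's behaviour when no dedup() is defined:
    events that share a title collapse into a single alert."""
    return title(event)


def group_alerts(events, dedup_fn, threshold=1):
    """Simplified model of alert grouping inside one deduplication period.

    Events that pass rule() are bucketed by their dedup string; a bucket
    becomes an alert once it holds at least `threshold` events. Returns an
    ordered mapping: dedup string -> list of the events in that alert.
    """
    buckets = OrderedDict()
    for ev in events:
        if not rule(ev):
            continue
        buckets.setdefault(dedup_fn(ev), []).append(ev)
    return OrderedDict((k, v) for k, v in buckets.items() if len(v) >= threshold)


# Constructed sample input: three failed logins for one user plus one success.
SAMPLE_EVENTS = [
    {"p_row_id": "row-0001", "action": "login", "status": "failure", "user": "alice"},
    {"p_row_id": "row-0002", "action": "login", "status": "failure", "user": "alice"},
    {"p_row_id": "row-0003", "action": "login", "status": "failure", "user": "alice"},
    {"p_row_id": "row-0004", "action": "login", "status": "success", "user": "alice"},
]


if __name__ == "__main__":
    grouped = group_alerts(SAMPLE_EVENTS, default_dedup)
    print(f"title-based dedup: {len(grouped)} alert(s)")      # 1 alert holding 3 events
    per_event = group_alerts(SAMPLE_EVENTS, dedup)
    print(f"p_row_id dedup:    {len(per_event)} alert(s)")    # 3 alerts, one per event
```

With the title-based dedup string the three matching events collapse into one alert; with dedup() returning p_row_id every event lands in its own bucket, so alert count equals matched-event count. That is the intended outcome here, but it also means a noisy data source produces one alert per event, so check the rate limits of your alert destination before switching a high-volume detection to this setting.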