Panther Knowledge Base

How can I set up a Panther detection so that each event is sent as its own separate alert?

QUESTION

How do I disable deduplication for my Panther detections? I want each event to be sent as a single alert.

ANSWER

To set up a detection that sends a separate alert for each incoming event:

  1. Log in to the Panther Console.
  2. Go to Build > Detections. Select the Detection you would like to edit. Click Edit.
  3. Set the Deduplication Period low.
    • This is how long Panther will wait to group events together. Since you don't want alerts grouped, you can use the lowest setting here.
  4. Set the Events Threshold to 1.
    • This is how many events Panther will attempt to group together.
  5. Edit your detection code to use the row ID (p_row_id) as the dedup string; this ID is unique for every event that comes into Panther.

a. For Simple Detections (YAML Detections), set the GroupBy to:

GroupBy:
  - Key: p_row_id

b. For Python Detections, use the following dedup function:

def dedup(event):
    # p_row_id is unique per event, so every event gets its own dedup string
    return event.get('p_row_id', '')
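As an added worked example (not Panther's own code and not part of the original article), the following Python rule module uses the per-event dedup pattern from step 5 and pairs it with a small offline model of how the dedup string, the Deduplication Period (step 3) and the Events Threshold (step 4) together decide how many alerts a batch of events produces. The failed-console-login detection logic, the CloudTrail-style sample events and the simulate_alerts grouping model are assumptions made for illustration; only p_row_id and the dedup function itself come from the article.

```python
from datetime import datetime, timedelta


def rule(event):
    # Constructed detection logic (an assumption): match failed AWS console logins.
    return (
        event.get("eventName") == "ConsoleLogin"
        and event.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    )


def title(event):
    user = event.get("userIdentity", {}).get("userName", "<unknown>")
    return f"Failed console login for {user}"


def dedup(event):
    # p_row_id is unique per ingested event, so no two events share a dedup string.
    return event.get("p_row_id", "")


def dedup_by_title(event):
    # The grouping to compare against: events with the same title collapse into one alert.
    return title(event)


def simulate_alerts(events, dedup_fn, threshold=1, dedup_minutes=60):
    """Simplified model (an assumption, not Panther's engine) of how the dedup
    string, deduplication period and events threshold combine: events that
    match rule() and share a dedup string within one period form a group, and
    a group becomes an alert once it holds at least `threshold` events.
    Returns a list of (dedup_string, events_in_group), one entry per alert."""
    period = timedelta(minutes=dedup_minutes)
    open_groups = {}   # dedup string -> the group currently accepting events
    groups = []        # every group ever opened, in creation order
    for ev in sorted(events, key=lambda e: e["p_event_time"]):
        if not rule(ev):
            continue
        key = dedup_fn(ev)
        ts = datetime.fromisoformat(ev["p_event_time"])
        group = open_groups.get(key)
        if group is None or ts - group["start"] >= period:
            # No group for this key yet, or the previous one's period has elapsed.
            group = {"key": key, "start": ts, "count": 0}
            open_groups[key] = group
            groups.append(group)
        group["count"] += 1
    return [(g["key"], g["count"]) for g in groups if g["count"] >= threshold]


def _login(row_id, when, user, outcome):
    # Constructed CloudTrail-like event carrying Panther's p_row_id / p_event_time fields.
    return {
        "p_row_id": row_id,
        "p_event_time": when,
        "eventName": "ConsoleLogin",
        "userIdentity": {"userName": user},
        "responseElements": {"ConsoleLogin": outcome},
    }


# Constructed sample: three failures by the same user within ten minutes, then a success.
SAMPLE_EVENTS = [
    _login("row-0001", "2024-01-15T10:00:00+00:00", "alice", "Failure"),
    _login("row-0002", "2024-01-15T10:05:00+00:00", "alice", "Failure"),
    _login("row-0003", "2024-01-15T10:10:00+00:00", "alice", "Failure"),
    _login("row-0004", "2024-01-15T10:12:00+00:00", "alice", "Success"),
]


if __name__ == "__main__":
    print("per-event dedup, threshold 1:", simulate_alerts(SAMPLE_EVENTS, dedup))
    print("title dedup, 60 min period:  ", simulate_alerts(SAMPLE_EVENTS, dedup_by_title))
    print("per-event dedup, threshold 2:", simulate_alerts(SAMPLE_EVENTS, dedup, threshold=2))
```

Running the module shows the three settings working together: with p_row_id as the dedup string the three failures become three alerts, whereas title-based dedup within one period folds them into a single alert with three events. It also shows why step 4 matters: with p_row_id as the dedup string no group can ever hold more than one event, so any threshold above 1 means no alert is ever raised.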