Skip to main content
Panther Knowledge Base

How can I setup a Panther detection such that each event gets sent as its own separate alert?

  1. Last updated
  2. Save as PDF

QUESTION

How do I disable deduplication for my Panther detections? I want each event to be sent as a single alert.

ANSWER

To setup a detection that will send a separate alert for each incoming event:

  1. Log in to the Panther Console.
  2. Go to Build > Detections. Select the Detection you would like to edit. Click Edit.
  3. Set the Deduplication Period low.
    • This is how long Panther will wait to group events together. Since you don't want alerts grouped, you can use the lowest setting here.
  4. Set the Events Threshold to 1.
    • This is how many events Panther will attempt to group together.
  5. In the Functions and Tests tab, you can edit your Python code and add a def dedup(event): function. The return value of this function should be a string that will be used as a key that tells Panther which events to group together. If you don't want any events to be grouped together, then you will want the return value of this function to be something unique, such as a UUID of the event itself, or potentially a timestamp of the current time. See here in our docs for more details on deduplication.

 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
  2. Tags
    This page has no tags.