Panther Knowledge Base

Why is my Panther detection triggering more alerts than specified in my deduplication period and threshold setup?

QUESTION

I have set up a detection with a deduplication period of 1 hour and a threshold of 1. However, I received 65 single-event alarms within an hour. Why is my detection triggering more alerts than specified by my deduplication period and threshold setup?

ANSWER

If the outcome differs from what your deduplication period and threshold specify, check whether the Python code of your detection uses the dedup() function to force different logic. This function directly affects how deduplication works and can override your detection settings.
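
The effect described above, as an added example that is not Panther's own code: a simplified model of alert grouping in which matches sharing a dedup string inside one deduplication window collapse into a single alert. The event fields (`minute`, `user`, `request_id`), the fixed-window bucketing and the `count_alerts` helper are assumptions made for illustration.

```python
from collections import defaultdict

DEDUP_PERIOD_MINUTES = 60  # deduplication period from the question (1 hour)
THRESHOLD = 1              # threshold from the question

# Constructed sample: 65 matching events inside one hour (field names are hypothetical).
EVENTS = [
    {"minute": i % 60, "user": "alice", "request_id": f"req-{i:03d}"}
    for i in range(65)
]


def rule(event):
    # The detection matches every event in the sample.
    return event.get("user") == "alice"


def dedup_per_event(event):
    # Returns a string that is unique per event, so no two events share a group.
    return event.get("request_id")


def dedup_per_user(event):
    # Returns a stable string, so all of this user's events share one group.
    return event.get("user")


def count_alerts(events, dedup_fn, period=DEDUP_PERIOD_MINUTES, threshold=THRESHOLD):
    """Simplified model: one alert per (dedup string, window) reaching the threshold."""
    groups = defaultdict(int)
    for event in events:
        if rule(event):
            window = event["minute"] // period
            groups[(dedup_fn(event), window)] += 1
    return sum(1 for matches in groups.values() if matches >= threshold)


if __name__ == "__main__":
    print("dedup on request_id:", count_alerts(EVENTS, dedup_per_event), "alerts")
    print("dedup on user:      ", count_alerts(EVENTS, dedup_per_user), "alerts")
```

With the same period and threshold, the per-event dedup string reproduces the 65 single-event alerts from the question, while the stable string yields one.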

For more information, feel free to check our knowledge base article about how deduplication and threshold work, as well as our documentation page.