QUESTION

A rule was enabled in my Panther system, using the title as the deduplication string, as it does by default. I want to add a dedup() function as described here, but I'm concerned that this change will break the current deduplication pattern and send an unwanted notification to security staff.

ANSWER

When a dedup() function is added to a rule whose alerts have already been deduplicated, the next alert for that rule will still be deduplicated as long as it occurs within the deduplication period. No additional alert will be sent just because of the new dedup() function.
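As an added illustration (not code from the original post or from Panther), the following Panther-style Python rule introduces an explicit dedup() that returns exactly the same string title() already produced, so the deduplication key for in-window alerts does not change; the log field names and the sample events are assumptions constructed for the example.

```python
# Added example: a Panther-style rule adding dedup() without changing the
# existing deduplication key. rule/title/dedup are Panther's rule function
# names; the event fields (eventName, mfaUsed, userName) are assumed.


def rule(event):
    """Fire on console logins that did not use MFA (constructed condition)."""
    return event.get("eventName") == "ConsoleLogin" and event.get("mfaUsed") == "No"


def title(event):
    # With no dedup() defined, Panther uses this title as the dedup string.
    return f"Console login without MFA for {event.get('userName', '<unknown>')}"


def dedup(event):
    # Returning the title verbatim keeps the key identical to the pre-change
    # behaviour, so alerts within the dedup period keep grouping as before.
    # Broader grouping (e.g. per account instead of per user) would be a
    # deliberate change made only here, after the current window has expired.
    return title(event)


def dedup_keys(events):
    """Dedup key per event when the rule fires; None when it does not."""
    return [dedup(e) if rule(e) else None for e in events]


# Constructed sample events: two matching logins for the same user, one non-match.
EVENTS = [
    {"eventName": "ConsoleLogin", "mfaUsed": "No", "userName": "alice"},
    {"eventName": "ConsoleLogin", "mfaUsed": "No", "userName": "alice"},
    {"eventName": "ConsoleLogin", "mfaUsed": "Yes", "userName": "bob"},
]

if __name__ == "__main__":
    for event, key in zip(EVENTS, dedup_keys(EVENTS)):
        print(event["userName"], "->", key)
```

The two alice events yield the same key as title() would have before the change, which is why no extra alert is raised within the deduplication period.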