QUESTION

Is the deduplication period setting still enforced in Panther if the detection has a custom dedup() function?

ANSWER

Yes. The deduplication period field is still enforced when a dedup() function is defined, because dedup() only sets the deduplication string; it does not change how long alerts are grouped. Events that produce the same deduplication string (set by the dedup() function) within the deduplication period (set by the deduplication period field) are aggregated into one alert. The two settings work together: the string decides which events belong together, and the period decides for how long.
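The following is an added illustration, not Panther's own code: a hypothetical failed-login detection with a custom dedup() keyed on source IP, plus a small simulation that approximates how the dedup string and the deduplication period (the rule's DedupPeriodMinutes setting) combine to decide whether an event joins an existing alert or opens a new one. The event fields and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Hypothetical detection: fires on failed logins and groups alerts per source IP.
def rule(event):
    return event.get("outcome") == "FAILURE"

def dedup(event):
    # Only the grouping key is defined here; the period comes from the rule spec.
    return f"failed-login:{event.get('src_ip', '<unknown>')}"

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": datetime(2024, 1, 1, 0, 0), "src_ip": "10.0.0.5", "outcome": "FAILURE"},
    {"ts": datetime(2024, 1, 1, 0, 5), "src_ip": "10.0.0.9", "outcome": "FAILURE"},
    {"ts": datetime(2024, 1, 1, 0, 10), "src_ip": "10.0.0.5", "outcome": "FAILURE"},
    {"ts": datetime(2024, 1, 1, 0, 20), "src_ip": "10.0.0.5", "outcome": "SUCCESS"},
    {"ts": datetime(2024, 1, 1, 0, 50), "src_ip": "10.0.0.5", "outcome": "FAILURE"},
    {"ts": datetime(2024, 1, 1, 1, 30), "src_ip": "10.0.0.5", "outcome": "FAILURE"},
]

def simulate_alerts(events, period_minutes):
    """Approximation of Panther's aggregation (assumed semantics, not its engine):
    an alert is created on the first matching event for a dedup string and
    absorbs later events with the same string until the period since the
    alert's creation has elapsed; the next match after that opens a new alert."""
    alerts = []        # each: {"dedup": str, "start": datetime, "count": int}
    latest = {}        # dedup string -> index of its most recent alert
    window = timedelta(minutes=period_minutes)
    for event in sorted(events, key=lambda e: e["ts"]):
        if not rule(event):
            continue
        key, ts = dedup(event), event["ts"]
        idx = latest.get(key)
        if idx is not None and ts < alerts[idx]["start"] + window:
            alerts[idx]["count"] += 1          # same string, inside the period
        else:
            alerts.append({"dedup": key, "start": ts, "count": 1})
            latest[key] = len(alerts) - 1      # new alert (new string or expired)
    return alerts

if __name__ == "__main__":
    for a in simulate_alerts(SAMPLE_EVENTS, period_minutes=60):
        print(a["start"].isoformat(), a["dedup"], "events:", a["count"])
```

Lengthening the period to 120 minutes folds the 01:30 event into the first 10.0.0.5 alert, which is the behaviour the period field controls regardless of dedup().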

For more details about deduplication and threshold, see the article "How deduplication and threshold work in Panther".