We are getting noisy alerts (more than 1000 similar alerts this month) from a single detection, can you please suggest if we can tune them or any better solution to handle it without interrupting our workflow?
Based on the logic of the detection, you can tune accordingly the deduplication period as well as the threshold for each alert being generated.
In general, deduplication specifies the timeframe that similar alarm events will be grouped together and will trigger a single alert.
Threshold, on the other hand, specifies how many events need to trigger this rule before an alert will be sent.
These two values can be configured and work together as described below:
A detection with an event threshold of 5
and deduplication period of 1 hour
would not trigger an alert until five or more events (with the same deduplication string) passed into the rule
function and returned True
within a 1-hour time period.
Generally, using these features does not result in any significant performance increases, and they are always preferred if they can be used as an alternative to caching.
For more information and additional examples check our documentation page on how deduplication and threshold works in Panther.