How do I disable deduplication for my Panther detections? I want each event to be sent as a single alert.
To set up a detection that sends a separate alert for each incoming event:
1. Log in to the Panther Console.
2. Go to Build > Detections. Select the Detection you would like to edit. Click Edit.
3. Set the Deduplication Period low.
   This is how long Panther will wait to group events together. Since you don't want alerts grouped, you can use the lowest setting here.
4. Set the Events Threshold to 1.
   This is how many events Panther will attempt to group together.
5. Edit your detection code to use the row ID for dedup. This ID is unique for every event that comes into Panther.
   a. For Simple Detections (YAML Detections), set the GroupBy to:

      GroupBy:
        - Key: p_row_id

   b. For Python Detections, use the following dedup function:

      def dedup(event):
          return event.get('p_row_id', '')
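As an added illustration (not Panther's own code), the following Python detection dedups on p_row_id and compares it against title-based grouping with a simplified, constructed model of how events sharing a dedup string collapse into one alert. The field names, user "alice", the sample events and the grouping simulation are all constructed; events are plain dicts standing in for Panther event objects.

```python
# Added example, not Panther's code. Shows a Python detection whose dedup()
# returns p_row_id so each matching event becomes its own alert, next to a
# simplified simulation of Panther grouping events by dedup string.
from collections import defaultdict


def rule(event):
    # Constructed condition: alert on any failed console login.
    return event.get("eventName") == "ConsoleLogin" and event.get("outcome") == "Failure"


def title(event):
    user = event.get("userIdentity", {}).get("userName", "unknown")
    return f"Failed console login for {user}"


def dedup(event):
    # p_row_id is unique for every event Panther ingests, so no two events
    # share a dedup string and nothing gets grouped into one alert.
    return event.get("p_row_id", "")


def dedup_by_title(event):
    # Assumed default: with no dedup() defined, the title is the dedup string,
    # so repeated failures for the same user collapse into a single alert.
    return title(event)


def group_into_alerts(events, dedup_fn):
    """Simplified model (assumption): within one dedup period, matching events
    that share a dedup string are grouped into the same alert."""
    alerts = defaultdict(list)
    for ev in events:
        if rule(ev):
            alerts[dedup_fn(ev)].append(ev)
    return dict(alerts)


# Constructed sample: three failures and one success for the same user,
# all arriving within a single dedup period.
SAMPLE_EVENTS = [
    {"p_row_id": f"row-{i}", "eventName": "ConsoleLogin", "outcome": "Failure",
     "userIdentity": {"userName": "alice"}}
    for i in range(3)
] + [
    {"p_row_id": "row-9", "eventName": "ConsoleLogin", "outcome": "Success",
     "userIdentity": {"userName": "alice"}}
]

if __name__ == "__main__":
    print("title-based dedup ->", len(group_into_alerts(SAMPLE_EVENTS, dedup_by_title)), "alert(s)")
    print("p_row_id dedup    ->", len(group_into_alerts(SAMPLE_EVENTS, dedup)), "alert(s)")
```

With title-based grouping the three failures produce one alert; with p_row_id they produce three.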