Issue

In my detection, there are scenarios where I want the alert deduplication period to be different from my default. Does Panther provide a function like dedup_minutes that I can use?

Resolution

Panther does not currently provide such a function, but you can work around this requirement by being creative with your dedup function.

  1. First, at the top of your detection code, import the time module.

  2. Write your dedup function as you normally would.

  3. Add some logic to calculate how long the dedup period (in minutes) should be.

  4. Adjust the return value to return the usual dedup string, plus the suffix shown in the example.

Note that this method can only make the effective dedup period shorter than the detection's configured one, never longer.

Example:

import time

... other detection code here ...

def dedup(event):
    # Determine the dedup string as you normally would:
    dedup_str = ... 
    
    # Specify the dynamic dedup period, using whatever logic is necessary
    dedup_minutes = ...
    
    # Return the dedup_str, plus the special suffix
    dedup_seconds = dedup_minutes * 60 # Convert dedup period from minutes to seconds
    return dedup_str + str(time.time() // dedup_seconds * dedup_seconds)
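A concrete, runnable version of the pattern above, added here as an example and not code from the article or from Panther. The rule, the event fields and the 5-minute vs 30-minute policy are constructed assumptions; the `now` argument exists only so the bucketing can be checked offline (Panther itself calls dedup(event) with a single argument).

```python
import time

# Constructed sample events (CloudTrail-like shape, not from the article).
ROOT_FAILURE = {
    "eventName": "ConsoleLogin",
    "responseElements": {"ConsoleLogin": "Failure"},
    "sourceIPAddress": "198.51.100.7",
    "userIdentity": {"type": "Root"},
}
IAM_FAILURE = dict(ROOT_FAILURE, userIdentity={"type": "IAMUser"})


def dedup_suffix(dedup_minutes, now=None):
    """Suffix that stays constant within one dedup interval.

    The timestamp is floored to the start of the interval, so every call in
    the same interval yields the same suffix and the next interval yields a
    new one (and therefore a new alert). `now` is injectable for testing.
    """
    if dedup_minutes <= 0:
        raise ValueError("dedup_minutes must be positive")
    if now is None:
        now = time.time()
    dedup_seconds = dedup_minutes * 60
    return str(int(now // dedup_seconds * dedup_seconds))


def rule(event):
    # Hypothetical rule: fire on failed console logins.
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Failure")


def dedup_minutes_for(event):
    # Assumed policy: root failures re-alert every 5 minutes, others every 30.
    # Neither value may exceed the detection's configured dedup period,
    # because this trick can only shorten the effective window.
    if event.get("userIdentity", {}).get("type") == "Root":
        return 5
    return 30


def dedup(event, now=None):
    # The usual dedup string, then the interval suffix from the article.
    dedup_str = f"{event.get('sourceIPAddress')}:{event.get('userIdentity', {}).get('type')}"
    return dedup_str + ":" + dedup_suffix(dedup_minutes_for(event), now)
```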

Explanation

This process works by using the current time inside the dedup string, grouping alerts over specific intervals. If the time passes from one interval to the next, the dedup string will change, triggering a new alert to be raised.

Let's walk through the code more directly: