Do you have an example of a detection looking for multiple specific commands from a single user within a short time window?
For this implementation, we recommend caching, using the native caching functions in Panther's open-source global helper library, panther_oss_helpers. With the caching functions, you can temporarily cache data about a specific event and then retrieve that data later by specifying a key.
You can see an example of this in Panther's GitHub repo, where caching is used to test whether a user has two login actions in a short amount of time across an improbable distance.
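The same keyed-cache pattern applied to the question above, as an added example that is not Panther's own code. The in-memory cache is a hypothetical stand-in for the caching helpers so the logic runs offline; the event fields (user, command, ts), the watch list, the threshold and the window length are all assumptions.

```python
# Added example. _CACHE is a hypothetical in-memory stand-in for Panther's
# caching helpers; field names and thresholds are assumptions.
WATCHED = {"whoami", "id", "uname -a", "cat /etc/passwd"}  # constructed watch list
THRESHOLD = 3          # distinct watched commands needed to alert
WINDOW_SECONDS = 300   # window length in seconds

_CACHE = {}  # key -> (expiry_epoch, set of commands seen)


def add_to_window(key, value, now):
    """Add value to the set cached under key; start a new window if expired."""
    expiry, seen = _CACHE.get(key, (0, set()))
    if now >= expiry:
        expiry, seen = now + WINDOW_SECONDS, set()
    seen.add(value)
    _CACHE[key] = (expiry, seen)
    return seen


def rule(event):
    """Return True when one user has run THRESHOLD distinct watched commands
    inside a window that opens at that user's first watched command."""
    command = event.get("command")
    if command not in WATCHED:
        return False
    key = "cmd-burst:" + event.get("user", "<unknown>")
    return len(add_to_window(key, command, event["ts"])) >= THRESHOLD


# Constructed sample events (ts is epoch seconds).
SAMPLE = [
    {"user": "alice", "command": "whoami", "ts": 1000},
    {"user": "alice", "command": "ls", "ts": 1010},
    {"user": "alice", "command": "whoami", "ts": 1015},
    {"user": "alice", "command": "id", "ts": 1020},
    {"user": "bob", "command": "whoami", "ts": 1030},
    {"user": "alice", "command": "uname -a", "ts": 1100},
    {"user": "carol", "command": "whoami", "ts": 1000},
    {"user": "carol", "command": "id", "ts": 1400},
    {"user": "carol", "command": "uname -a", "ts": 1500},
]


def run_sample():
    _CACHE.clear()
    return [(e["user"], e["ts"]) for e in SAMPLE if rule(e)]


if __name__ == "__main__":
    print(run_sample())
```

Storing a set instead of a counter means a repeated command does not count twice, and keying on the user keeps each user's window separate.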