QUESTION

How do I surface a list of strings that is updated with each event in a rule with a threshold?

ANSWER

To store and accumulate data across multiple events that are combined using thresholds, you can use Panther's caching functionality. This approach is effective when you want to alert after a set number of distinct values rather than just counting total events, and it provides near-realtime alerting.