a threshold of `1` and a deduplication period of `1h`, meaning that every event for which the rule returns `True` is appended to the same alert for one hour after that alert is first generated. With a threshold of `5` and a deduplication period of `15m`, an alert would not trigger until 5 or more rule matches have occurred within 15 minutes.
a `rule` function that looks for 200 (OK) web requests to any URL with the
a `title` function stating that the admin panel has been logged into from a specific IP address.
a `dedup` function that groups all events from the same IP address into one alert.
Successful admin panel login detected from 18.104.22.168
`22.214.171.124` would be appended to the alert
The `Configuration Required` tag is used to label detections that require changes before they can be enabled in production. Filter detections with this tag on the main Detections page.
the `get` function, which checks that the key exists before accessing its value and returns `None` when it does not. This avoids the common `KeyError` scenario within a rule, where a single event that lacks the field crashes the rule instead of simply not matching:
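As an added example (not Panther's own code, and not the snippet that followed this sentence on the original page), the module below ties together the two points above: a `rule`/`title`/`dedup` trio for the admin-panel login case written with `event.get()`, the same rule written with direct indexing so the `KeyError` is visible, and a small simulation of how threshold and deduplication period group matches into alerts. The event field names (`ts`, `status`, `path`, `src_ip`), the sample events, and the grouping model (matches with the same dedup string within the period of the group's first match share one alert, which fires once the count reaches the threshold) are assumptions for illustration; plain dicts stand in for Panther's event object.

```python
"""Added example, not Panther's own code: a Panther-style detection module
(rule/title/dedup) plus an assumed simulation of threshold and
deduplication-period grouping."""
from datetime import datetime, timedelta

# Constructed sample web-server events (not real log data). The last one has
# no "status" key at all, which is the case that breaks direct indexing.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "status": 200, "path": "/admin/login", "src_ip": "10.0.0.5"},
    {"ts": "2024-01-01T10:20:00", "status": 200, "path": "/admin/login", "src_ip": "10.0.0.5"},
    {"ts": "2024-01-01T10:25:00", "status": 200, "path": "/admin/users", "src_ip": "10.0.0.9"},
    {"ts": "2024-01-01T10:40:00", "status": 401, "path": "/admin/login", "src_ip": "10.0.0.5"},
    {"ts": "2024-01-01T11:30:00", "status": 200, "path": "/admin/login", "src_ip": "10.0.0.5"},
    {"ts": "2024-01-01T11:35:00", "path": "/admin/login", "src_ip": "10.0.0.7"},
]


def rule(event):
    """Match successful (200) requests to any URL containing "admin".
    event.get() returns None for a missing key instead of raising KeyError."""
    return event.get("status") == 200 and "admin" in (event.get("path") or "")


def title(event):
    """Alert title naming the source IP of the first matching event."""
    return f"Successful admin panel login detected from {event.get('src_ip')}"


def dedup(event):
    """Group matches by source IP: one alert per IP per deduplication period."""
    return event.get("src_ip")


def unsafe_rule(event):
    """Same logic with direct indexing: raises KeyError on events lacking "status"."""
    return event["status"] == 200 and "admin" in event["path"]


def evaluate(rule_fn, event):
    """Run a rule and return its result, or the exception class name if it crashed."""
    try:
        return rule_fn(event)
    except Exception as exc:  # a crashed rule yields no match at all
        return type(exc).__name__


def parse_period(period):
    """Turn a period written like the page's "15m" or "1h" into a timedelta."""
    units = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
    return timedelta(**{units[period[-1]]: int(period[:-1])})


def run_detection(events, threshold, dedup_period, rule_fn=rule):
    """Assumed grouping model: matches that share a dedup string within
    dedup_period of the group's first match join one alert; the alert fires
    once the group holds `threshold` matches, and later matches are appended."""
    window = parse_period(dedup_period)
    groups = {}  # dedup string -> currently open group for that string
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        if not rule_fn(event):
            continue
        key = dedup(event)
        ts = datetime.fromisoformat(event["ts"])
        group = groups.get(key)
        if group is None or ts - group["first_seen"] > window:
            group = {"title": title(event), "dedup": key, "first_seen": ts, "events": []}
            groups[key] = group
        group["events"].append(event)
        if len(group["events"]) == threshold:  # fires exactly once per group
            alerts.append(group)
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS, threshold=1, dedup_period="1h"):
        print(alert["title"], "-", len(alert["events"]), "event(s)")
    print(evaluate(unsafe_rule, SAMPLE_EVENTS[-1]))  # KeyError
    print(evaluate(rule, SAMPLE_EVENTS[-1]))         # False
```

Running the module with threshold `1` and period `1h` produces three alerts (two for `10.0.0.5`, because the 11:30 login falls outside the hour opened at 10:00, and one for `10.0.0.9`), with the 10:20 login appended to the first alert rather than raising a new one. Changing the arguments to threshold `2` and period `15m` produces no alert at all, since no IP has two matches within 15 minutes; the event without a `status` field is simply not a match under `rule`, whereas `unsafe_rule` crashes on it.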