With a threshold of 1 and a deduplication period of 1h, every event for which the rule returns True would be appended to the alert within the hour after the first one was generated. With a threshold of 5 and a deduplication period of 15m, an alert would not trigger until 5 or more rule matches have occurred within 15 minutes.

As an example, consider a rule function that looks for 200 (OK) web requests to any URL containing the admin-panel string, a title function stating that the admin panel has been logged into from a specific IP address, and a dedup function that groups all events by that same IP address. The resulting alert would be titled "Successful admin panel login detected from 180.76.15.143", and every further matching event from 180.76.15.143 within the deduplication period would be appended to that alert.

Configuration Required is used to label detections that require changes prior to being enabled in production. Filter detections with this tag on the main Detections page.

Use the get function, which works by first checking that the key exists prior to accessing its value. This avoids the common KeyError scenario within a rule:
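The following is an added example, not code from the original page: the rule, title and dedup functions for the admin-panel detection described above, written as a Python detection with those three entry points, plus a small simulation of how a threshold and deduplication period group matches into alerts. The event field names (`status`, `url`, `src_ip`, `ts`), the 10.0.0.5 events and the simulation itself are assumptions; the rule reads fields with `.get()` so a missing key yields no match instead of a KeyError.

```python
from datetime import datetime, timedelta

ADMIN_PATH = "admin-panel"


def rule(event):
    # Match successful (200) web requests to any URL containing the admin-panel string.
    # .get() returns None for a missing key, so a malformed event never raises KeyError.
    return event.get("status") == 200 and ADMIN_PATH in (event.get("url") or "")


def title(event):
    return f"Successful admin panel login detected from {event.get('src_ip', '<unknown>')}"


def dedup(event):
    # Every matching event from the same source IP is grouped into one alert.
    return event.get("src_ip", "<unknown>")


def group_alerts(events, threshold, dedup_period):
    """Assumed simulation of threshold + deduplication-period behaviour.
    Returns a list of (dedup_key, alert_title, appended_events) in trigger order."""
    open_alerts = {}  # dedup key -> (window start, shared event list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not rule(ev):
            continue
        key = dedup(ev)
        start, bucket = open_alerts.get(key, (None, None))
        if start is None or ev["ts"] - start >= dedup_period:
            bucket = []  # deduplication window expired (or none open): start a new one
            open_alerts[key] = (ev["ts"], bucket)
        bucket.append(ev)  # later matches in the window land in the same alert
        if len(bucket) == threshold:  # the alert triggers once the threshold is reached
            alerts.append((key, title(ev), bucket))
    return alerts


T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamp base
SAMPLE_EVENTS = [  # constructed web-server events; 180.76.15.143 is the IP from the page
    {"ts": T0 + timedelta(minutes=m), "status": 200, "url": "/admin-panel/login", "src_ip": "180.76.15.143"}
    for m in (0, 3, 6, 9, 12)
] + [
    {"ts": T0 + timedelta(minutes=1), "status": 200, "url": "/admin-panel/login", "src_ip": "10.0.0.5"},
    {"ts": T0 + timedelta(minutes=2), "status": 404, "url": "/admin-panel/login", "src_ip": "10.0.0.5"},
    {"ts": T0 + timedelta(minutes=4), "status": 200, "url": "/index.html", "src_ip": "10.0.0.5"},
    {"ts": T0 + timedelta(minutes=5), "url": "/admin-panel/login", "src_ip": "10.0.0.5"},  # no status key
]
```

Running `group_alerts(SAMPLE_EVENTS, 1, timedelta(hours=1))` yields one alert per IP with all five 180.76.15.143 events appended to the first, while a threshold of 5 over 15m yields only the 180.76.15.143 alert.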