1 and a deduplication period of 1h, meaning all events returning True from a rule would be appended to the alert within the hour after first being generated.
rule function that looks for 200 (OK) web requests to any URL with the
title to say that admin panel logins have been logged into from a specific IP address
dedup function to group all events by the same IP address
Successful admin panel login detected from 184.108.40.206
220.127.116.11 would be appended to the alert
Configuration Required is used to label the detections requiring changes prior to enabling in production. Filter detections with this tag on the main Detections page.
get function, which works by first checking that the key exists prior to accessing its value. This avoids the common KeyError scenario within a rule:
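The pieces described above, put together as an added example that is not code from the original page: rule, title and dedup functions that read fields with get so a missing key cannot raise KeyError, plus a simplified grouping loop showing events with the same dedup string landing in one alert. The field names status, request and remoteAddr, the admin-panel URL substring, the group_alerts helper and the sample events are assumptions constructed for illustration.

```python
from collections import OrderedDict

# Assumption: the URL substring on the page is cut off; "admin-panel" is a stand-in.
ADMIN_MARKER = "admin-panel"


def rule(event):
    # get() returns None for an absent key, so a log line without
    # "status" or "request" evaluates to False instead of raising KeyError.
    request = event.get("request") or ""
    return event.get("status") == 200 and ADMIN_MARKER in request


def title(event):
    return "Successful admin panel login detected from {}".format(
        event.get("remoteAddr", "<unknown>"))


def dedup(event):
    # Events that return the same string are grouped into the same alert.
    return event.get("remoteAddr", "<unknown>")


def group_alerts(events):
    """Hypothetical helper: one alert per dedup string.
    The deduplication period and threshold are not modelled here."""
    alerts = OrderedDict()
    for event in events:
        if not rule(event):
            continue
        alert = alerts.setdefault(dedup(event), {"title": title(event), "events": []})
        alert["events"].append(event)
    return alerts


# Constructed sample events (documentation-range IP addresses).
SAMPLE_EVENTS = [
    {"status": 200, "request": "GET /admin-panel/login HTTP/1.1", "remoteAddr": "192.0.2.10"},
    {"status": 200, "request": "GET /admin-panel/users HTTP/1.1", "remoteAddr": "192.0.2.10"},
    {"status": 403, "request": "GET /admin-panel/login HTTP/1.1", "remoteAddr": "198.51.100.7"},
    {"status": 200, "request": "GET /index.html HTTP/1.1", "remoteAddr": "198.51.100.7"},
    {"status": 200, "remoteAddr": "203.0.113.5"},  # no "request" key: must not raise
    {"status": 200, "request": "POST /admin-panel/login HTTP/1.1", "remoteAddr": "203.0.113.5"},
]

if __name__ == "__main__":
    for alert in group_alerts(SAMPLE_EVENTS).values():
        print(alert["title"], "| events:", len(alert["events"]))
```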