Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[sync] improved dedup for GuardDuty passthrough alerts (#57) #1082

Merged
merged 2 commits into from
Jan 30, 2024
Merged

[sync] improved dedup for GuardDuty passthrough alerts (#57) #1082

merged 2 commits into from
Jan 30, 2024

Conversation

egibs
Copy link
Contributor

@egibs egibs commented Jan 30, 2024

Background

Identifies duplicate GuardDuty alerts and groups them into single alerts in Panther.

Changes

  • Change dedup string from event.id to event.title, since event.id is highly unique and offers no deduplication potential
  • Change dedup interval for high/med/low sev GuardDuty alerts from 1/1/8 hours to 1/8/24 hours

Testing

  • make fmt, make lint, make test
  • Based on observations from AWS GuardDuty alert volumes in production environments

@arielkr256
improved dedup for GuardDuty passthrough alerts (#57)
e95cff7 
* improved dedup for GuardDuty passthrough alerts

* default dedup function using alert title
@egibs egibs requested review from a team January 30, 2024 18:57
@egibs egibs enabled auto-merge (squash) January 30, 2024 20:16
@egibs egibs merged commit b1d1c26 into main Jan 30, 2024
6 checks passed
@egibs egibs deleted the egibs-sync-57 branch January 30, 2024 20:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arielkr256 arielkr256 arielkr256 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@egibs @arielkr256