I'd like the detection to be able to be customised to dynamically return (e.g. via a count() function or some such) how many detections have occurred by processing the one log line.
Implementation-wise, not sure. run_detection() could return an array of alert data, or create_alert() could create multiple alerts based on a number returned in alert_response. The more efficient way might be to change the threshold logic to respect an "occurrences" number or something in an alert.
Just dealing with a Google Workspace log, this is how it reports 5 failed logins:
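One way the third option in the comment above could look (an added sketch, not the project's own code): run_detection() returns alert data with an "occurrences" count pulled from the one record, and the threshold logic sums occurrences per actor inside a sliding window instead of counting records. The log line, its field names, and the function and class names are all constructed assumptions.

```python
import json
from collections import defaultdict
from typing import Optional

# Constructed stand-in for a Google Workspace record that reports
# several failed logins at once; field names are assumptions.
SAMPLE_LOG_LINE = json.dumps({
    "event": "login_failure",
    "actor": "alice@example.com",
    "failed_attempts": 5,
    "timestamp": 1700000000,
})


def run_detection(line: str) -> Optional[dict]:
    """Return alert data carrying an 'occurrences' count, or None on no match."""
    event = json.loads(line)
    if event.get("event") != "login_failure":
        return None
    return {
        "rule": "gws_failed_logins",
        "key": event["actor"],
        "occurrences": int(event.get("failed_attempts", 1)),
        "timestamp": int(event["timestamp"]),
    }


class ThresholdTracker:
    """Sums 'occurrences' per key within a sliding window before alerting,
    so one record reporting 5 failures counts the same as 5 records."""

    def __init__(self, threshold: int, window_seconds: int):
        self.threshold = threshold
        self.window = window_seconds
        self._hits = defaultdict(list)  # key -> [(timestamp, occurrences)]

    def create_alert(self, alert_response: dict) -> Optional[dict]:
        key, now = alert_response["key"], alert_response["timestamp"]
        hits = self._hits[key] + [(now, alert_response["occurrences"])]
        # Keep only hits that still fall inside the window.
        hits = [(t, n) for t, n in hits if now - t <= self.window]
        total = sum(n for _, n in hits)
        if total < self.threshold:
            self._hits[key] = hits
            return None
        self._hits[key] = []  # reset so the same failures are not re-alerted
        return {**alert_response, "occurrences": total}
```

With this shape a single record reporting 5 failures trips a threshold of 5 immediately, while records reporting 2 failures each need three of them inside the window.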