I have created a custom detection rule that looks at our firewall logs and matches IP sweeps from external sources. This detection rule will trigger a workflow which checks to see if the IP is malicious, and if so adds it to a blacklist on our firewall.
Due to the number of sweeps we encounter, I want to make sure I only run it once per IP address, rather than on every instance. Is this where I could use the “Detect on unique values in a specific key (optional)” function or am I misunderstanding what this option does? Do I just need to add the IP source key to this so it only triggers on unique IPs?
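As an added illustration of the "once per unique source IP" idea (example code, not from the original post and not the product's own implementation of that option): the first function emits a sweep event on every matching firewall log line, the second keeps only the first event per source IP so the downstream workflow runs once per address. The log lines, field layout and threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample firewall log lines (not from the original post): "timestamp src dst"
FIREWALL_LOGS = [
    "2024-01-01T10:00:00 203.0.113.5 192.0.2.10",
    "2024-01-01T10:00:01 203.0.113.5 192.0.2.11",
    "2024-01-01T10:00:02 203.0.113.5 192.0.2.12",
    "2024-01-01T10:00:03 203.0.113.5 192.0.2.13",
    "2024-01-01T10:00:04 198.51.100.7 192.0.2.10",
    "2024-01-01T10:00:05 203.0.113.5 192.0.2.14",
    "2024-01-01T10:00:06 198.51.100.7 192.0.2.11",
    "2024-01-01T10:00:07 198.51.100.7 192.0.2.12",
]
SWEEP_THRESHOLD = 3  # assumed: distinct destinations from one source before it counts as a sweep


def sweep_events(lines, threshold=SWEEP_THRESHOLD):
    """Raw detection: emit one event for every log line at or past the threshold.
    This is the 'fires on every instance' behaviour the question wants to avoid."""
    seen_dsts = defaultdict(set)
    events = []
    for line in lines:
        ts, src, dst = line.split()
        seen_dsts[src].add(dst)
        if len(seen_dsts[src]) >= threshold:
            events.append({"ts": ts, "src_ip": src, "distinct_dsts": len(seen_dsts[src])})
    return events


def unique_by_key(events, key="src_ip"):
    """Keep only the first event per distinct value of `key`, so the downstream
    workflow (reputation check, then firewall block) is started once per source IP."""
    fired = set()
    triggers = []
    for ev in events:
        if ev[key] in fired:
            continue
        fired.add(ev[key])
        triggers.append(ev)
    return triggers


if __name__ == "__main__":
    raw = sweep_events(FIREWALL_LOGS)
    once = unique_by_key(raw)
    print(f"{len(raw)} raw sweep events -> {len(once)} workflow triggers")
    for t in once:
        print(t)
```

Note that a plain seen-set never forgets an IP; a real deployment would expire entries after some window so a source that returns days later is evaluated again.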