Custom Detection Rules - Detect Unique Values

I have created a custom detection rule that looks at our firewall logs and matches IP sweeps from external sources. This detection rule will trigger a workflow which checks to see if the IP is malicious, and if so adds it to a blacklist on our firewall.

Due to the number of sweeps we encounter, I want to make sure I only run it once per IP address, rather than on every instance. Is this where I could use the “Detect on unique values in a specific key (optional)” function or am I misunderstanding what this option does? Do I just need to add the IP source key to this so it only triggers on unique IPs?

Apologies for the delay in replying, and yes, you are correct. If you add the source IP key to that function you will only get alerted once per unique source IP address.
Please let me know if you need any more help on this.
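An added illustration, not code from this thread or from the product: a small Python model of the behaviour the answer describes, raising one alert per unique source IP for a sweep instead of one per matching log line. The log format, threshold, and addresses are constructed for the example.

```python
"""Added example (not from the forum thread or the product): a minimal sweep
detector that alerts once per unique source IP, mirroring the
"detect on unique values in a specific key" behaviour described above.
Log format, threshold, and addresses are constructed."""
from collections import defaultdict

# Constructed firewall log lines: "src=<ip> dst=<ip> action=<verb>"
SAMPLE_LOGS = [
    "src=198.51.100.7 dst=10.0.0.1 action=deny",
    "src=198.51.100.7 dst=10.0.0.2 action=deny",
    "src=198.51.100.7 dst=10.0.0.3 action=deny",
    "src=203.0.113.9 dst=10.0.0.1 action=deny",
    "src=198.51.100.7 dst=10.0.0.4 action=deny",
    "src=203.0.113.9 dst=10.0.0.2 action=deny",
    "src=203.0.113.9 dst=10.0.0.3 action=deny",
    "src=203.0.113.9 dst=10.0.0.4 action=deny",
    "src=192.0.2.44 dst=10.0.0.1 action=allow",
]


def parse(line):
    """Split a 'key=value' log line into (src, dst)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"]


def sweep_alerts(lines, min_targets=3, unique_key=True):
    """Return the list of source IPs to alert on, in order of detection.

    A source that has touched at least min_targets distinct destinations is
    treated as a sweep. With unique_key=True (the "detect on unique values"
    behaviour, keyed on the source IP) each source is alerted once; with
    unique_key=False every further matching line re-alerts, which is what
    would re-run the blacklist workflow on every instance."""
    targets = defaultdict(set)   # src -> set of distinct destinations seen
    alerted = set()              # sources already alerted (the unique key)
    alerts = []
    for line in lines:
        src, dst = parse(line)
        targets[src].add(dst)
        if len(targets[src]) >= min_targets:
            if unique_key and src in alerted:
                continue         # suppress: already alerted for this source
            alerted.add(src)
            alerts.append(src)
    return alerts
```

In a real deployment the suppression state would also be bounded by the rule's time window, so a source that returns days later can be re-evaluated rather than silenced forever.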

Hey crawford, any update about your request? I am interested in the topic. Were you able to complete your workflow, and would you be willing to share it?