better deduplication of alerts (#1331)

Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>

rules/gcp_k8s_rules/gcp_k8s_pod_create_or_modify_host_path_vol_mount.py

@@ -67,6 +67,12 @@ def title(event):
     )
 
 
+def dedup(event):
+    return deep_get(
+        event, "protoPayload", "authenticationInfo", "principalEmail", default="<ACTOR_NOT_FOUND>"
+    )
+
+
 def alert_context(event):
     context = gcp_alert_context(event)
     volume_mount_path = deep_walk(

rules/gcp_k8s_rules/gcp_k8s_pod_create_or_modify_host_path_vol_mount.yml

@@ -18,6 +18,7 @@ Reports:
     - TA0001 # Initial Access
     - TA0002 # Execution
 Filename: gcp_k8s_pod_create_or_modify_host_path_vol_mount.py
+DedupPeriodMinutes: 360
 Tests:
   - Name: Pod With Suspicious Volume Mount Created
     ExpectedResult: true

rules/gcp_k8s_rules/gcp_k8s_privileged_pod_created.py

@@ -35,6 +35,12 @@ def title(event):
     return f"[GCP]: [{actor}] created a privileged pod [{pod_name}] in project [{project_id}]"
 
 
+def dedup(event):
+    return deep_get(
+        event, "protoPayload", "authenticationInfo", "principalEmail", default="<ACTOR_NOT_FOUND>"
+    )
+
+
 def alert_context(event):
     context = gcp_alert_context(event)
     containers_info = deep_walk(event, "protoPayload", "response", "spec", "containers", default=[])

rules/gcp_k8s_rules/gcp_k8s_privileged_pod_created.yml

@@ -18,6 +18,7 @@ Reference: https://www.golinuxcloud.com/kubernetes-privileged-pod-examples/
 Reports:
   MITRE ATT&CK:
     - TA0004:T1548 # Abuse Elevation Control Mechanism
+DedupPeriodMinutes: 360
 Tests:
   - Name: Privileged Pod Created
     ExpectedResult: true