Hello fam, got a question for y'all:
Suppose I have an alert that contains an entry like
device=xyz
Suppose I am able to query historical data and determine information like:
device=abc, seen 50 times
device=lmk, seen 25 times
I'd like to basically answer this question: "is the alerted on device within the typically seen historical devices?"
In this case, the answer would be no.
I know I can write a custom action to do this, but I'm trying to stay within the Siemplify cage for supportability.
Also, this is eventually intended to be sent out with a Cisco Duo MFA Integration, Connector and use case that'll be shared.
Suppose my question would be: How can I do this? Let's say the API query will return all the devices seen, but won't count how many occurrences. So I'll need something to count occurrences, account for a threshold, compare to the alerted device and spit out True/False.
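The count-threshold-compare logic from the question, written out as an added, stand-alone Python example (not Siemplify's code, not the Duo integration's code, and not the Jinja route suggested later in the thread). It assumes the action returns the raw Duo JSON with the `user_auth_logs.authlogs[].access_device.ip` shape mentioned in this thread; the sample log, the `threshold` parameter and all helper names are made up for illustration. The path walker is generic so the same check can be pointed at other fields, since the question says several fields will be handled the same way.

```python
"""Decide whether an alerted value is "typically seen" in historical data.

Added example (stdlib only). Steps:
  1. walk a dotted path through the JSON, fanning out over lists
  2. count occurrences of each value at that path
  3. compare the alerted value's count against a threshold -> True/False
"""
import json
from collections import Counter

# Constructed sample: shape mirrors user_auth_logs.authlogs[].access_device.ip;
# the IPs are documentation addresses and the counts are invented.
SAMPLE_JSON = json.dumps({
    "user_auth_logs": {
        "authlogs": [
            {"access_device": {"ip": "203.0.113.10"}},
            {"access_device": {"ip": "198.51.100.7"}},
            {"access_device": {"ip": "203.0.113.10"}},
            {"access_device": {"ip": "192.0.2.99"}},
            {"access_device": {"ip": "203.0.113.10"}},
            {"access_device": {"ip": "198.51.100.7"}},
            {"access_device": {}},  # entry with no IP: must be skipped, not crash
        ]
    }
})
SAMPLE = json.loads(SAMPLE_JSON)
IP_PATH = "user_auth_logs.authlogs.access_device.ip"


def get_values(obj, path):
    """Return every value found at a dotted path, expanding lists on the way.

    Missing keys are skipped silently so one malformed entry does not abort
    the whole count.
    """
    current = [obj]
    for part in path.split(".") if path else []:
        nxt = []
        for item in current:
            for elem in (item if isinstance(item, list) else [item]):
                if isinstance(elem, dict) and part in elem:
                    nxt.append(elem[part])
        current = nxt
    flat = []
    for item in current:
        if isinstance(item, list):
            flat.extend(item)
        elif item is not None:
            flat.append(item)
    return flat


def count_values(obj, path):
    """Occurrence count per distinct value at `path` (step 2 of the question)."""
    return Counter(get_values(obj, path))


def evaluate(obj, path, alerted, threshold):
    """Step 3: is `alerted` seen at least `threshold` times in the history?

    threshold must be >= 1; with 0 a never-seen value would count as typical.
    """
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    counts = count_values(obj, path)
    seen = counts.get(alerted, 0)
    return {
        "alerted": alerted,
        "seen": seen,
        "threshold": threshold,
        "typical": seen >= threshold,
        "history": dict(counts.most_common()),
    }


if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.0.2.99", "192.0.2.200"):
        print(json.dumps(evaluate(SAMPLE, IP_PATH, ip, threshold=2)))
```

The threshold is deliberately a parameter rather than a constant: for a Duo MFA use case a "typical" device is whatever your environment's baseline says it is, and a fixed number baked into a shared use case will be wrong for someone else's tenant.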
Hey
I assume it's going to be JSON format, but whatever it is it will help.
Initial thoughts - you will need Jinja
Need to think a little bit more though
Sure! Here's the example from the example JSON. I intend to perform this workflow on a few different fields. As an immediate example, use
user_auth_logs.authlogs.access_device.ip
I decided to handle the bulk of this by editing the Action's logic to return the information I'm after along with the logs.
Thanks Yair, I appreciate any input. I was considering writing a custom action to handle it but forgot to consider Jinja... hmmmm!