This demo is part of `telemetry-lab` and is intentionally small, local, and reviewer-friendly.

It focuses on alert semantics, not new AI behavior. The sample input is a committed set of raw rule hits that already fired before deduplication. The demo then applies deterministic cooldown handling and writes artifacts that explain which hits were kept, which were suppressed, and why.

The goal is to make repeated alert behavior legible.

Instead of only showing the final retained alerts, this demo shows:

- raw rule hits before deduplication

- retained alerts after cooldown handling

- per-hit suppression reasons

- a short report that explains how repeated hits collapsed into fewer alerts

From the repository root:

python -m pip install -e .

python -m telemetry_window_demo.cli run-rule-dedup-demo

Generated artifacts are written to `demos/rule-evaluation-and-dedup-demo/artifacts/`.

- sample data: `data/raw/sample_rule_hits.json`

- cooldown config: `config/dedup.yaml`

The bundled sample intentionally includes:

- repeated hits for the same rule and `entity`

- repeated hits for the same rule and `source`

- repeated hits with no scope fields, which fall back to rule-only dedup

- different scopes for the same rule, which stay independent

Cooldown keys use `(rule_name, scope)`.

Scope resolution follows the same precedence described in the main demo:

1. `entity`

2. `source`

3. `target`

4. `host`

5. unscoped rule-only fallback

That means repeated hits for the same rule can still be kept separately when their scopes differ.

- `artifacts/rule_hits_before_dedup.json`

- `artifacts/rule_hits_after_dedup.json`

- `artifacts/dedup_explanations.json`

- `artifacts/dedup_report.md`

- `rule_hits_before_dedup.json`: normalized raw hits with resolved cooldown scope and cooldown key

- `rule_hits_after_dedup.json`: only the retained alerts, including which suppressed hits each retained alert now represents

- `dedup_explanations.json`: one explanation record per raw hit, marked as either `retained` or `suppressed`

- `dedup_report.md`: a short reviewer-facing report with run counts, per-group summary, retained alert explanations, and suppressed hit reasons

1. Open `rule_hits_before_dedup.json` and note that several hits share the same `cooldown_key`.

2. Open `dedup_explanations.json` and verify that each raw hit is labeled `retained` or `suppressed` with a concrete reason.

3. Open `rule_hits_after_dedup.json` and confirm that retained alerts carry the suppressed hit ids they now represent.

4. Open `dedup_report.md` and confirm that the before/after counts and per-group behavior are readable without looking at code.

- input is precomputed rule hits, not live telemetry

- cooldown logic is intentionally simple and deterministic

- there is no streaming state, dashboard, or service deployment

- artifacts are designed for review, not production alert routing

[

{

"hit_id": "RH-001",

"rule_name": "login_fail_burst",

"severity": "high",

"alert_time": "2026-03-18T10:01:00Z",

"cooldown_scope": "entity=account:alice",

"scope_source": "entity",

"cooldown_key": "login_fail_burst|entity=account:alice",

"status": "retained",

"reason": "kept as the first hit for `login_fail_burst / entity=account:alice`.",

"group_position": 1,

"group_size": 3,

"cooldown_seconds": 180,

"suppressed_by_hit_id": null,

"seconds_since_last_retained": null,

"message": "login_fail_count reached 8, threshold is 8"

},

{

"hit_id": "RH-004",

"rule_name": "login_fail_burst",

"severity": "high",

"alert_time": "2026-03-18T10:01:20Z",

"cooldown_scope": "entity=account:bob",

"scope_source": "entity",

"cooldown_key": "login_fail_burst|entity=account:bob",

"status": "retained",

"reason": "kept as the first hit for `login_fail_burst / entity=account:bob`.",

"group_position": 1,

"group_size": 2,

"cooldown_seconds": 180,

"suppressed_by_hit_id": null,

"seconds_since_last_retained": null,

"message": "login_fail_count reached 8, threshold is 8"

},

{

"hit_id": "RH-002",

"rule_name": "login_fail_burst",

"severity": "high",

"alert_time": "2026-03-18T10:01:40Z",

"cooldown_scope": "entity=account:alice",

"scope_source": "entity",

"cooldown_key": "login_fail_burst|entity=account:alice",

"status": "suppressed",

"reason": "suppressed because it matched the same cooldown key as retained hit `RH-001` only 40 seconds later, inside the 180 second cooldown.",

"group_position": 2,

"group_size": 3,

"cooldown_seconds": 180,

"suppressed_by_hit_id": "RH-001",

"seconds_since_last_retained": 40,

"message": "login_fail_count reached 9, threshold is 8"

},

{

"hit_id": "RH-005",

"rule_name": "login_fail_burst",

"severity": "high",

"alert_time": "2026-03-18T10:02:00Z",

"cooldown_scope": "entity=account:bob",

"scope_source": "entity",

"cooldown_key": "login_fail_burst|entity=account:bob",

"status": "suppressed",

"reason": "suppressed because it matched the same cooldown key as retained hit `RH-004` only 40 seconds later, inside the 180 second cooldown.",

"group_position": 2,

"group_size": 2,

"cooldown_seconds": 180,

"suppressed_by_hit_id": "RH-004",

"seconds_since_last_retained": 40,

"message": "login_fail_count reached 10, threshold is 8"

},

{

"hit_id": "RH-003",

"rule_name": "login_fail_burst",

"severity": "high",

"alert_time": "2026-03-18T10:04:30Z",

"cooldown_scope": "entity=account:alice",

"scope_source": "entity",

"cooldown_key": "login_fail_burst|entity=account:alice",

"status": "retained",

"reason": "kept because 210 seconds elapsed since retained hit `RH-001`, which meets the 180 second cooldown.",

"group_position": 3,

"group_size": 3,

"cooldown_seconds": 180,

"suppressed_by_hit_id": null,

"seconds_since_last_retained": 210,

"message": "login_fail_count reached 8, threshold is 8"

},

{

"hit_id": "RH-006",

"rule_name": "high_error_rate",

"severity": "medium",

"alert_time": "2026-03-18T10:05:00Z",

"cooldown_scope": "source=api-01",

"scope_source": "source",

"cooldown_key": "high_error_rate|source=api-01",

"status": "retained",

"reason": "kept as the first hit for `high_error_rate / source=api-01`.",

"group_position": 1,

"group_size": 3,

"cooldown_seconds": 180,

"suppressed_by_hit_id": null,

"seconds_since_last_retained": null,

"message": "error_rate 0.46 exceeded 0.30"

},

{

"hit_id": "RH-007",

"rule_name": "high_error_rate",

"severity": "medium",

"alert_time": "2026-03-18T10:06:10Z",

"cooldown_scope": "source=api-01",

"scope_source": "source",

"cooldown_key": "high_error_rate|source=api-01",

"status": "suppressed",

"reason": "suppressed because it matched the same cooldown key as retained hit `RH-006` only 70 seconds later, inside the 180 second cooldown.",

"group_position": 2,

"group_size": 3,

"cooldown_seconds": 180,

"suppressed_by_hit_id": "RH-006",

"seconds_since_last_retained": 70,

"message": "error_rate 0.41 exceeded 0.30"

},

{

"hit_id": "RH-009",

"rule_name": "rare_event_repeat_malware_alert",

"severity": "high",

"alert_time": "2026-03-18T10:07:00Z",

"cooldown_scope": null,

"scope_source": "unscoped",

"cooldown_key": "rare_event_repeat_malware_alert|unscoped",

"status": "retained",

"reason": "kept as the first hit for `rare_event_repeat_malware_alert / unscoped`.",

"group_position": 1,

"group_size": 2,

"cooldown_seconds": 180,

"suppressed_by_hit_id": null,

"seconds_since_last_retained": null,

"message": "malware_alert repeated 2 times in one window"

},

{

"hit_id": "RH-010",

"rule_name": "rare_event_repeat_malware_alert",

"severity": "high",

"alert_time": "2026-03-18T10:08:00Z",

"cooldown_scope": null,

"scope_source": "unscoped",

"cooldown_key": "rare_event_repeat_malware_alert|unscoped",

"status": "suppressed",

"reason": "suppressed because it matched the same cooldown key as retained hit `RH-009` only 60 seconds later, inside the 180 second cooldown.",

"group_position": 2,

"group_size": 2,

"cooldown_seconds": 180,

"suppressed_by_hit_id": "RH-009",

"seconds_since_last_retained": 60,

"message": "malware_alert repeated 3 times in one window"

},

{

"hit_id": "RH-008",

"rule_name": "high_error_rate",

"severity": "medium",

"alert_time": "2026-03-18T10:08:30Z",

"cooldown_scope": "source=api-01",

"scope_source": "source",

"cooldown_key": "high_error_rate|source=api-01",

"status": "retained",

"reason": "kept because 210 seconds elapsed since retained hit `RH-006`, which meets the 180 second cooldown.",

"group_position": 3,

"group_size": 3,

"cooldown_seconds": 180,

"suppressed_by_hit_id": null,

"seconds_since_last_retained": 210,

"message": "error_rate 0.44 exceeded 0.30"

}

]

This deterministic demo shows how repeated raw rule hits turn into fewer retained alerts after cooldown handling.

Cooldown keys are built from `(rule_name, scope)`, where scope prefers `entity`, then `source`, then `target`, then `host`, and falls back to rule-only dedup when none are present.

- raw_rule_hits: 10

- retained_alerts: 6

- suppressed_hits: 4

- cooldown_seconds: 180

| Rule / scope | Raw hits | Retained | Suppressed | First seen | Last seen |

| --- | ---: | ---: | ---: | --- | --- |

| login_fail_burst / entity=account:alice | 3 | 2 | 1 | 2026-03-18T10:01:00Z | 2026-03-18T10:04:30Z |

| login_fail_burst / entity=account:bob | 2 | 1 | 1 | 2026-03-18T10:01:20Z | 2026-03-18T10:02:00Z |

| high_error_rate / source=api-01 | 3 | 2 | 1 | 2026-03-18T10:05:00Z | 2026-03-18T10:08:30Z |

| rare_event_repeat_malware_alert / unscoped | 2 | 1 | 1 | 2026-03-18T10:07:00Z | 2026-03-18T10:08:00Z |

- RH-001 kept for `login_fail_burst / entity=account:alice`; kept as the first hit for `login_fail_burst / entity=account:alice`.

Represents suppressed duplicates: RH-002.

- RH-004 kept for `login_fail_burst / entity=account:bob`; kept as the first hit for `login_fail_burst / entity=account:bob`.

Represents suppressed duplicates: RH-005.

- RH-003 kept for `login_fail_burst / entity=account:alice`; kept because 210 seconds elapsed since retained hit `RH-001`, which meets the 180 second cooldown.

- RH-006 kept for `high_error_rate / source=api-01`; kept as the first hit for `high_error_rate / source=api-01`.

Represents suppressed duplicates: RH-007.

- RH-009 kept for `rare_event_repeat_malware_alert / unscoped`; kept as the first hit for `rare_event_repeat_malware_alert / unscoped`.

Represents suppressed duplicates: RH-010.

- RH-008 kept for `high_error_rate / source=api-01`; kept because 210 seconds elapsed since retained hit `RH-006`, which meets the 180 second cooldown.

- RH-002 suppressed by RH-001 for `login_fail_burst / entity=account:alice`; suppressed because it matched the same cooldown key as retained hit `RH-001` only 40 seconds later, inside the 180 second cooldown.

- RH-005 suppressed by RH-004 for `login_fail_burst / entity=account:bob`; suppressed because it matched the same cooldown key as retained hit `RH-004` only 40 seconds later, inside the 180 second cooldown.

- RH-007 suppressed by RH-006 for `high_error_rate / source=api-01`; suppressed because it matched the same cooldown key as retained hit `RH-006` only 70 seconds later, inside the 180 second cooldown.

- RH-010 suppressed by RH-009 for `rare_event_repeat_malware_alert / unscoped`; suppressed because it matched the same cooldown key as retained hit `RH-009` only 60 seconds later, inside the 180 second cooldown.