https://community.splunk.com/t5/Alerting/Once-vs-For-Each-Notable-Response-Actions-Clarification/m-p/693200#M16128 <P>Yeah maybe some others will chime in. The only thing I can think of is that the number of alerts that show up in Triggered Alerts would be different depending on which option ("Once" or "For each") you select. I saw this <A title="Notable Response Actions -- Is there a way to override the standard Trigger Condition rule?" href="https://community.splunk.com/t5/Security/Notable-Response-Actions-Is-there-a-way-to-override-the-standard/m-p/603842" target="_blank" rel="noopener">post</A> which is sort of similar, but no one responded to it.&nbsp;</P> Fri, 12 Jul 2024 17:34:22 GMT mobrien1 2024-07-12T17:34:22Z https://community.splunk.com/t5/Alerting/Once-vs-For-Each-Notable-Response-Actions-Clarification/m-p/693108#M16122 <P>I wanted to get some clarification on how trigger conditions effect n<SPAN>otable response actions for correlation searches in Enterprise Security. The trigger condition options are between "Once" and "For each Result", and I believe I understand the difference. However, under them there is a little blurb that says "Notable response actions and risk response actions are always triggered for each result."</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mobrien1_0-1720722111909.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31714i1F4259F89AEB215A/image-size/large?v=v2&amp;px=999" role="button" title="mobrien1_0-1720722111909.png" alt="mobrien1_0-1720722111909.png" /></span></P><P>To me, this essentially nullifies "Once" since the action will be triggered for each result. As a result, I fail to see how "Once" is any different than&nbsp;<SPAN>"For each Result". But surely they can't be the same.&nbsp;</SPAN></P> Thu, 11 Jul 2024 18:31:06 GMT https://community.splunk.com/t5/Alerting/Once-vs-For-Each-Notable-Response-Actions-Clarification/m-p/693108#M16122 mobrien1 2024-07-11T18:31:06Z https://community.splunk.com/t5/Alerting/Once-vs-For-Each-Notable-Response-Actions-Clarification/m-p/693147#M16125 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266258">@mobrien1</a>&nbsp;,</P><P>I suppose that the meanng of the affermation is that e.g. risk score is counted for each value you can find in the results of your Correlation Search, so if you have more hosts in the results, the Risk Score is counted for all of them.</P><P>But, why did you posted this question?</P><P>Ciao.</P><P>Giuseppe</P> Fri, 12 Jul 2024 07:06:05 GMT https://community.splunk.com/t5/Alerting/Once-vs-For-Each-Notable-Response-Actions-Clarification/m-p/693147#M16125 gcusello 2024-07-12T07:06:05Z https://community.splunk.com/t5/Alerting/Once-vs-For-Each-Notable-Response-Actions-Clarification/m-p/693193#M16126 <P>I think I would agree with your first statement.</P><P>But the reason I posted this question is that the phrase "<SPAN>Notable response actions and risk response actions are always triggered for each result." effectively makes "Once" and "For each result" the same thing (at least in my mind). But they are two distinct options, so I feel like they can't be the same. This makes me think I'm misunderstanding something.&nbsp;</SPAN></P> Fri, 12 Jul 2024 13:59:21 GMT https://community.splunk.com/t5/Alerting/Once-vs-For-Each-Notable-Response-Actions-Clarification/m-p/693193#M16126 mobrien1 2024-07-12T13:59:21Z https://community.splunk.com/t5/Alerting/Once-vs-For-Each-Notable-Response-Actions-Clarification/m-p/693195#M16127 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266258">@mobrien1</a>&nbsp;,</P><P>maybe&nbsp;<SPAN>&nbsp;"Once" and "For each result" became from Alerts.</SPAN></P><P><SPAN>I don't find any other answer.</SPAN></P><P>let me know if I can help you more, or, please, accept one answer for the other people of Community.</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 12 Jul 2024 14:04:19 GMT https://community.splunk.com/t5/Alerting/Once-vs-For-Each-Notable-Response-Actions-Clarification/m-p/693195#M16127 gcusello 2024-07-12T14:04:19Z https://community.splunk.com/t5/Alerting/Once-vs-For-Each-Notable-Response-Actions-Clarification/m-p/693200#M16128 <P>Yeah maybe some others will chime in. The only thing I can think of is that the number of alerts that show up in Triggered Alerts would be different depending on which option ("Once" or "For each") you select. I saw this <A title="Notable Response Actions -- Is there a way to override the standard Trigger Condition rule?" href="https://community.splunk.com/t5/Security/Notable-Response-Actions-Is-there-a-way-to-override-the-standard/m-p/603842" target="_blank" rel="noopener">post</A> which is sort of similar, but no one responded to it.&nbsp;</P> Fri, 12 Jul 2024 17:34:22 GMT https://community.splunk.com/t5/Alerting/Once-vs-For-Each-Notable-Response-Actions-Clarification/m-p/693200#M16128 mobrien1 2024-07-12T17:34:22Z