Splunk Enterprise Security - Notable limit


Hi all,

I have Splunk ES, with a bunch of rules.

The issue is that correlation rules generate notables for each result, which sometimes cause to a flood of notable alerts. In cases when a new wide and legitimate activity is detected (and wasn't excluded yet from the rule), tons of alerts are being created.

I look for a way to limit the number of notables alerts that each rule can generate, but to do it general, for all the rules, without manually modifying each rule.

Is this possible?



Name of rule: Test rule

Number of results: 500

Notable alerts: 20



Labels (1)
Tags (3)
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!