How can we halt duplicate notables from being created on the Enterprise Security Incident Review page for the same event id? Do any parameters need to be changed?
Ranging from earliest to latest: -70M to -10M
every 35 minutes on a cron plan
All correlation inquiries experience it.
Hi @kanyewestnewmer,
Since you are running the exact correlation twice in the same time range, it is normal to have duplicate notables. You should use 60 minutes as a cron plan or throttling on the event_id field.
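The two fixes suggested in the answer above, sketched as `savedsearches.conf` stanzas. This is an added example, not configuration from either poster: the stanza names and cron expressions are assumptions, and the time range is written as `-70m`/`-10m` on the assumption that minutes are meant.

```ini
# Constructed example. Stanza names are hypothetical; only the
# scheduling and throttling keys relevant to the thread are shown.

# BEFORE: a 60-minute window (-70m to -10m) evaluated about every
# 35 minutes. Consecutive runs overlap, so an event in the overlap
# matches in more than one run and produces more than one notable.
[Example - Correlation Search - Overlapping]
enableSched = 1
# assumed cron expression for "every 35 minutes"
cron_schedule = */35 * * * *
dispatch.earliest_time = -70m
dispatch.latest_time = -10m

# FIX 1: make the schedule interval equal the window length.
# Running once an hour over a 60-minute window means each event
# falls into exactly one run.
[Example - Correlation Search - Hourly]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m
dispatch.latest_time = -10m

# FIX 2: keep the overlapping schedule but throttle on event_id.
# After the first match for a given event_id, further matches with
# the same value are suppressed for the period. The period is set
# to the window length so a later overlapping run cannot re-alert.
[Example - Correlation Search - Throttled]
enableSched = 1
cron_schedule = */35 * * * *
dispatch.earliest_time = -70m
dispatch.latest_time = -10m
alert.suppress = 1
alert.suppress.fields = event_id
alert.suppress.period = 1h
```

In Enterprise Security the same throttling settings are exposed in the correlation search editor as the window duration and the fields to group by.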