We usually see the threat correlation alert suppressed basis on the filed specified as per snap attached. It does work when there is any suspicious IP address reported, but not for URLs, say if the domain is registered as blacklisted and if the traffic hitting to that domain having different URLs, it triggered all those alerts.
How can we suppress these into one, if the domain is the same? Added additional field (threat_collection_key) to suppress URLs but seems not working here. Is there any workaround?