Hello Everyone,
Unfortunately I may not be thinking outside of the box far enough for this one. Essentially a search is run to identify a "critical" value within a "threat level" field, and from that search we alert based on the "attack name" field. The issue I am coming across is that when creating the alert action, suppression (throttling) is based on the entire search. So in the event that 1 "attack name" out of 1,000 triggers the alert, it is suppressed for, for example, 4 hours. This is an issue because I would like to alert for any attack name and only suppress if the attack name is identical, without creating an alert for every single "attack name".
Assume 3 events are logged
1) 12:10 - Threat Level = Critical ; Attack Name = 123 (Alert via email)
2) 12:30 - Threat Level = Critical ; Attack Name = 654 (Alert via email)
3) 12:50 - Threat Level = Critical ; Attack Name = 123 (No alert, suppressed by event 1)
4) 12:54 - Threat Level = High ; Attack Name = 921 (No alert, threat level not = to Critical)
Thoughts and Ideas?
Thanks,
Justin
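An added example (not part of the post above) of how per-field throttling can be expressed in Splunk's savedsearches.conf: the alert triggers once per result instead of once per search, and the suppression key is the attack name rather than the whole search. The field names `threat_level` and `attack_name`, the index `ids`, the stanza name and the recipient address are assumptions for illustration.

```ini
# Assumed stanza name; the search, index and field names are placeholders.
[Critical threat per attack name]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
search = index=ids threat_level=Critical | stats count latest(_time) AS last_seen BY attack_name

# Fire on any result at all.
counttype = number of events
relation = greater than
quantity = 0

# Trigger once for each result row (digest mode off) instead of once for the
# whole result set, so a throttle applies per row rather than per search.
alert.digest_mode = 0

# Throttle only rows whose attack_name matches one that already alerted
# within the last 4 hours; other attack names still alert.
alert.suppress = 1
alert.suppress.fields = attack_name
alert.suppress.period = 4h

alert.track = 1
action.email = 1
action.email.to = soc@example.com
```

In the Splunk web UI this is the same as setting Trigger to "For each result" and Throttle to "Suppress results containing field value" with `attack_name` as the field and 4 hours as the period. With the four events in the post, event 3 is suppressed because `attack_name` 123 already alerted within the window, event 2 (654) alerts normally, and event 4 never reaches the alert because the search filters on `threat_level=Critical`.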