max_per_result_alerts On prem: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf max_per_result_alerts = <integer> * Maximum number of alerts to trigger for each saved search instance (or real-time results preview for RT alerts) * Only applies in non-digest mode alerting. Use 0 to disable this limit * Default: 500   Cloud: https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Config/ManageLimits max_per_result_alerts Maximum number of alerts to trigger for each saved search instance (or real-time results preview for RT alerts). Only applies in non-digest mode alerting. "minValue": 250 "maxValue": 5000 "defaultValue": 500     lrh ... View more

Hello, If two Threat Intel Feeds contain the same Object e.g. the IP range 111.221.57.0/24 then the Threat Artefacts Dashboard will recognise this and show the threat_group is multiple sources (screenshots below shows it lists the names in blue) When Threat Matching queries run, duplicate events will be logged in threat_activity index, one for each threat_group that contains the object. NOTE: the "Threat Activity Detected" out of the box correlation search dedup's irrespective of weight, so you may want to sort by weight before dedup 🙂 ... View more