Has anyone found a good way of modifying the prebuilt Event Correlation rules in Elastic Security so that they don't produce too many repeated alerts within a short time span, similar to how alert suppression works with custom query detection rules? For example, I have the "Multiple Logon Failure from the same Source Address" rule producing 30 alerts from events that all occur within 2 min. Just wondering if anyone has any workarounds for this?
Thanks
Hi @adub08, unfortunately we don't currently support alert suppression on Event Correlation rules, but we hope to add this functionality in the future. In the meantime, you could at least visually reduce the number of alerts displayed on the Alerts page by leveraging features like Alert Grouping.
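To make the difference between the two rule types concrete, here is an added example (not Elastic's code and not from either post) that simulates how query-rule alert suppression would collapse the burst described in the question: alerts are grouped by `source.ip` and folded into one alert per suppression window. The sample alerts, the 5-minute window and the field names are assumptions for this illustration; they loosely mirror Elastic's `kibana.alert.suppression.*` fields but are not the real implementation.

```python
from datetime import datetime, timedelta


def make_sample_alerts():
    """Constructed sample: 30 failed-logon alerts from one source inside 2 min
    (the burst from the question), a small burst from a second source, and one
    more alert from the first source well after the window has elapsed."""
    base = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamp
    alerts = [{"source.ip": "10.0.0.5", "@timestamp": base + timedelta(seconds=4 * i)}
              for i in range(30)]
    alerts += [{"source.ip": "10.0.0.9", "@timestamp": base + timedelta(seconds=30 + i)}
               for i in range(3)]
    alerts.append({"source.ip": "10.0.0.5", "@timestamp": base + timedelta(minutes=10)})
    return alerts


def suppress(alerts, group_by, duration):
    """Collapse alerts sharing the same group_by values into one alert per window.

    The window opens at the first alert of a group and lasts `duration`; every
    later alert of that group arriving inside the window is folded into the
    open alert (its docs_count is incremented, its end time moved forward).
    Once the window has expired, the next alert for that group opens a new one.
    """
    open_windows = {}  # group key -> alert currently absorbing duplicates
    out = []
    for alert in sorted(alerts, key=lambda a: a["@timestamp"]):
        key = tuple(alert.get(field) for field in group_by)
        ts = alert["@timestamp"]
        current = open_windows.get(key)
        if current is not None and ts < current["suppression_start"] + duration:
            current["suppression_docs_count"] += 1  # one more alert suppressed
            current["suppression_end"] = ts
            continue
        opened = dict(alert)
        opened.update({"suppression_terms": dict(zip(group_by, key)),
                       "suppression_start": ts,
                       "suppression_end": ts,
                       "suppression_docs_count": 0})
        open_windows[key] = opened
        out.append(opened)
    return out


if __name__ == "__main__":
    for a in suppress(make_sample_alerts(), ["source.ip"], timedelta(minutes=5)):
        print(a["suppression_terms"], a["suppression_start"].time(),
              "suppressed:", a["suppression_docs_count"])
```

With a 5-minute window keyed on `source.ip`, the 34 raw alerts reduce to three: the original burst, the second source, and the late alert that starts a fresh window.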