Alerts on SIEM

If I mark an alert as acknowledged on Elastic SIEM, and the alert occurs again, will it notify me again, or will it never again be displayed in open alerts?

Hey @Samara_Brych

You will still get alerts if the same event(s) that led to the alert happening the first time were to happen again.

Think of Alerts as your detection engine taking into account whatever rules you have in place and deciding if something should be an alert based on that. It does not care what you've done with past alerts (in terms of changing them from open -> acknowledged or closed). It simply checks if a rule's criteria are met for an event, and generates an alert.

(open | acknowledged | closed), also called kibana.workflow_status, is to aid in your own triage, so you know what has been resolved, what hasn't, or perhaps that it is in the process of being investigated.

That said, if you received an alert, and it should not have been an alert, and you no longer want that type of event to generate an alert, you can either change the rule manually or add an exception to the rule:


Thank you, @KristofC. It was very enlightening.
