Reduce duplicate signals/alerts


Is it possible to mute/ignore repeating alerts for a period of time?

For example, if a C2 beacon is detected, an alert does not need to be generated again if the signal is still open/not closed.

In AlienVault, this is a "mute value":
Once an alarm is created, you can set the time that USM Anywhere will not create a new alarm based on the same conditions. This configured time is the mute value and you can specify it in seconds, minutes, and hours.

ElastAlert has "realert":
realert: This option allows you to ignore repeating alerts for a period of time. If the rule uses a query_key, this option will be applied on a per key basis. All matches for a given rule, or for matches with the same query_key, will be ignored for the given time. All matches with a missing query_key will be grouped together using a value of _missing. This is applied to the time the alert is sent, not to the time of the event. It defaults to one minute, which means that if ElastAlert is run over a large time period which triggers many matches, only the first alert will be sent by default. If you want every alert, set realert to 0 minutes. (Optional, time, default 1 minute)

I believe, theoretically, that this can be achieved with a look-back time that exceeds the time between scheduled runs, but this has not worked out in my tests. For example, a rule that runs every 5 minutes but with a look-back time of 4 hours.
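As an added illustration, not code from this post, from ElastAlert or from Elastic, here is a small Python model of the realert semantics quoted above: suppression is tracked per query_key, measured from the time the alert was sent rather than the event time, and matches without the key share one `_missing` bucket. The `host.name` field and the beacon matches are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class RealertSuppressor:
    """Constructed model of ElastAlert-style 'realert' suppression.
    Once an alert is sent for a key, further matches for that key are
    dropped until `realert_seconds` have passed since that send time."""
    realert_seconds: int
    query_key: Optional[str] = None          # None = one bucket for the whole rule
    _last_sent: dict = field(default_factory=dict)

    def key_for(self, match: dict) -> str:
        if self.query_key is None:
            return "_all"
        # matches lacking the key are grouped under "_missing", as the docs state
        return str(match.get(self.query_key, "_missing"))

    def should_alert(self, match: dict, send_time: datetime) -> bool:
        key = self.key_for(match)
        last = self._last_sent.get(key)
        if last is not None and send_time - last < timedelta(seconds=self.realert_seconds):
            return False                     # still inside the mute window
        self._last_sent[key] = send_time     # window starts at send time, not event time
        return True

def run_realert(matches, realert_seconds, query_key=None):
    """Return [(send_time, key)] for the alerts that would actually go out."""
    sup = RealertSuppressor(realert_seconds, query_key)
    return [(t, sup.key_for(m)) for t, m in matches if sup.should_alert(m, t)]

# Constructed sample: a rule scheduled every 5 minutes keeps re-matching a beacon.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_MATCHES = [
    (T0,                         {"host.name": "ws-01", "rule": "c2_beacon"}),
    (T0 + timedelta(minutes=5),  {"host.name": "ws-01", "rule": "c2_beacon"}),
    (T0 + timedelta(minutes=5),  {"host.name": "ws-02", "rule": "c2_beacon"}),
    (T0 + timedelta(minutes=10), {"rule": "c2_beacon"}),   # no host.name -> _missing
    (T0 + timedelta(minutes=15), {"rule": "c2_beacon"}),   # suppressed with _missing
    (T0 + timedelta(minutes=65), {"host.name": "ws-01", "rule": "c2_beacon"}),
]

if __name__ == "__main__":
    for qk, ra in ((None, 3600), ("host.name", 3600), ("host.name", 0)):
        sent = run_realert(SAMPLE_MATCHES, ra, qk)
        print(f"query_key={qk!r} realert={ra}s -> {len(sent)} alerts sent: {sent}")
```

With a one-hour realert and `host.name` as the query_key, the 6 matches collapse to 4 alerts; without a query_key they collapse to 2, and realert 0 sends all 6.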
