Suppression of repeated alerts

Hello guys!

Is it possible to configure suppression for a rule in the ELK SIEM module?

For example, if there are 5 events with the same user.id and source.ip within 5 minutes, only 1 alert would be triggered.

Yes, using threshold rules you should be able to. Have you tried it out yet? You can set your threshold to be >= 1 with it, and then your interval and look-back will help you out with how often it fires.
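As an added example (not part of this thread), the following Python shows what a threshold rule configured for the asker's case looks like and simulates one rule execution over constructed sample events, so you can see that 5 events from the same user.id/source.ip pair inside the window collapse into a single alert while smaller groups produce nothing. The rule body follows the shape Kibana's Detection Engine API accepts for `type: threshold`; the rule_id, name, index pattern and query are assumptions for illustration, and the simulation is a plain re-implementation of the grouping logic, not Elastic's code.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Threshold rule body in the shape accepted by Kibana's Detection Engine API
# (POST /api/detection_engine/rules). The rule_id, name, index pattern and
# query are assumptions made for this example; the threshold block groups on
# user.id and source.ip and fires once per group at 5 or more matching events.
THRESHOLD_RULE = {
    "rule_id": "example-repeated-events-per-user-ip",  # assumption
    "name": "Repeated events per user.id and source.ip (example)",
    "description": "One alert per user.id/source.ip pair when 5 or more matching "
                   "events fall inside the look-back window.",
    "type": "threshold",
    "index": ["logs-*"],  # assumption
    "language": "kuery",
    "query": "event.category: authentication and event.outcome: failure",  # assumption
    "threshold": {"field": ["user.id", "source.ip"], "value": 5},
    "interval": "5m",      # how often the rule runs
    "from": "now-6m",      # look-back: 1 minute of overlap with the previous run
    "risk_score": 47,
    "severity": "medium",
    "enabled": True,
}


def threshold_alerts(events, fields, value, window_start, window_end):
    """Simulate one rule execution: count events per combination of `fields`
    inside [window_start, window_end) and emit a single alert per combination
    that reaches `value`. Events missing any grouping field are ignored, which
    is what a terms aggregation on those fields would do."""
    counts = defaultdict(int)
    for ev in events:
        if not window_start <= ev["@timestamp"] < window_end:
            continue
        key = tuple(ev.get(f) for f in fields)
        if any(v is None for v in key):
            continue
        counts[key] += 1
    return [dict(zip(fields, key), count=n)
            for key, n in counts.items() if n >= value]


def run_example():
    """Constructed sample events: alice/10.0.0.5 produces 5 events inside the
    window plus 1 stale event outside it, bob/10.0.0.9 produces 2, and carol
    has no source.ip. Returns the alerts the rule would raise for this run."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    for i in range(5):
        events.append({"@timestamp": t0 + timedelta(seconds=30 * i),
                       "user.id": "alice", "source.ip": "10.0.0.5"})
    events.append({"@timestamp": t0 - timedelta(minutes=10),
                   "user.id": "alice", "source.ip": "10.0.0.5"})
    for i in range(2):
        events.append({"@timestamp": t0 + timedelta(seconds=10 * i),
                       "user.id": "bob", "source.ip": "10.0.0.9"})
    for i in range(6):
        events.append({"@timestamp": t0 + timedelta(seconds=5 * i),
                       "user.id": "carol"})

    # Rule run at t0 + 5m with from: now-6m, so the window is [t0 - 1m, t0 + 5m).
    now = t0 + timedelta(minutes=5)
    window_start = now - timedelta(minutes=6)
    thr = THRESHOLD_RULE["threshold"]
    return threshold_alerts(events, thr["field"], thr["value"], window_start, now)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)  # one alert: alice/10.0.0.5 with count 5
```

The look-back (`from: now-6m`) is deliberately one minute longer than the interval (`5m`) so that events landing right at a run boundary are not lost; the cost is that a group straddling two runs can be counted in both, which is the usual trade-off to be aware of when tuning these two values against the "one alert per 5 minutes" goal.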
