How to avoid firing multiple alerts from a rule

I have a rule created to send out an email when a port scan is detected. The rule itself works, but I'm having an issue when I'm testing it where it fires off tons of the same alerts. I have the "Set time when a rule won't trigger" option enabled (see attached), but I must not be understanding how it works.

  • I had this same issue and opened a case with support. It seems that in order to make this work, you have to have the event occur more than once. We couldn't get it to work any other way. If there isn't a workaround, it should be opened as an enhancement request.

    For our specific use case, we'd want to alert on the first event, then suppress for x minutes. We can't expect it'll happen more than once before we'd want notification, as there are some cases where we only get one, but others where it generates a flood that we'd want to suppress.
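The two behaviours discussed in this thread, as an added example in Python (not code from the original thread or from any SIEM product): a "threshold" policy that only fires once an event has occurred more than once inside the window, and the "alert on the first event, then suppress for x minutes" policy the reply asks for. The rule name, source IPs and timestamps are constructed for illustration.

```python
"""Added example: first-event-then-suppress throttling vs. a threshold rule.

Both policies key alerts on (rule, key), where key would typically be the
source IP for a port-scan rule. Everything here is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    rule: str
    key: str  # e.g. scanning source IP (constructed values below)


@dataclass
class FirstThenSuppress:
    """Alert on the first event per (rule, key); swallow repeats until `window` elapses."""
    window: timedelta
    last_alert: dict = field(default_factory=dict)

    def handle(self, ev: Event) -> bool:
        k = (ev.rule, ev.key)
        last = self.last_alert.get(k)
        if last is not None and ev.ts - last < self.window:
            return False  # still inside the suppression window
        self.last_alert[k] = ev.ts  # (re)start the window on the alert we send
        return True


@dataclass
class ThresholdAfterN:
    """Alert only once `n` events for a key arrive within `window` (never on a lone event)."""
    window: timedelta
    n: int
    seen: dict = field(default_factory=dict)

    def handle(self, ev: Event) -> bool:
        k = (ev.rule, ev.key)
        recent = [t for t in self.seen.get(k, []) if ev.ts - t < self.window]
        recent.append(ev.ts)
        self.seen[k] = recent
        if len(recent) >= self.n:
            self.seen[k] = []  # reset so the next burst is counted afresh
            return True
        return False


def run(policy, events):
    """Return, per event, whether the policy would send an alert."""
    return [policy.handle(e) for e in events]


T0 = datetime(2024, 1, 1, 12, 0, 0)
# Constructed stream: one lone scan from 10.0.0.5, a burst of five from
# 10.0.0.9 five seconds apart, then 10.0.0.9 again twenty minutes later.
EVENTS = (
    [Event(T0, "port-scan", "10.0.0.5")]
    + [Event(T0 + timedelta(seconds=5 * i), "port-scan", "10.0.0.9") for i in range(1, 6)]
    + [Event(T0 + timedelta(minutes=20), "port-scan", "10.0.0.9")]
)

if __name__ == "__main__":
    print("first-then-suppress:", run(FirstThenSuppress(timedelta(minutes=10)), EVENTS))
    print("threshold (n=2):    ", run(ThresholdAfterN(timedelta(minutes=10), 2), EVENTS))
```

With a ten-minute window, `FirstThenSuppress` alerts on the lone 10.0.0.5 scan, once for the 10.0.0.9 burst, and once more when 10.0.0.9 returns after the window; `ThresholdAfterN` never alerts on the lone scan and fires twice during the burst, which is the "has to occur more than once" behaviour the reply describes. Keying the suppression on the source rather than on the rule alone is what keeps one noisy host from masking a second, unrelated scanner.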

