    Organizing emails triggered by rules


      Hey guys,


      I've been having a great deal of luck by having email notifications sent to a shared email folder whenever an important event happens.


      A problem I'm having now is that this folder is swamped with emails! Is there a way to consolidate these individual events into one email sent on an hourly basis? So for example, every event generated when an admin fails a logon within an hour is appended to one email.


      Is anyone having the same issue as me? If so, do you have a work around that works for you?




          I would create a report for those events and email out hourly. 
          Theoretically, alerts would be acted on and reports are informational.

            The LEM does not have a native "digest" function to aggregate messages into hourly/daily packages.  I agree with njoylif: If your rules are firing that many e-mails, you need better rules.  A rule being triggered should be a call to action, and too many "calls to action" means the LEM is crying wolf a lot and it'll get easy to ignore the messages.  Something you might consider is using the "Infer Alert" action in rules.  This allows you to take some number of events and create your own event out of it, with custom information in any field (I like to put company names in the ProviderSID or ToolAlias field).  Then you make an alerting rule for "If I see 10 events from ToolAlias = MyCompany, send an e-mail."  It's sort of an event "gear reduction" to manage alerts.


            Also, you can run reports on Inferred Alerts or on your custom data values to get your digest.  If you create that search in nDepth and set it to run on a schedule and e-mail out, it could emulate the behavior you're after.