Hi,
so I'm trying to implement alerting when users are accessing files from a folder and, as you know, this can generate a lot of alerts. I'm trying to see if I can use state variables or user-defined groups to use as a flag to limit the number of emails sent.
The kind of result I'm looking for:
1. Get an email on the initial access.
2. Not get additional emails until some time passes, or until the number of access events doesn't reach a certain count...
Wondering if any of you have had any success putting something like that in place. Trying to use the Correlation Time section in the rule doesn't really give the desired results.
Thanks!
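
The throttling behaviour asked for above, sketched as a product-neutral Python example (added here, not part of the original post and not written in any SIEM's rule language). The class and function names, the per-(user, folder) flag, the thresholds, and the reading of the count condition as "email again on the Nth event since the last email" are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class _KeyState:
    last_email_ts: float  # when the last email for this (user, folder) went out
    suppressed: int = 0   # access events swallowed since that email

class AccessAlertThrottle:
    """Hypothetical helper: decides which access events deserve an email."""

    def __init__(self, quiet_seconds=600, count_threshold=5):
        self.quiet_seconds = quiet_seconds      # time-based release
        self.count_threshold = count_threshold  # count-based release
        self._state = {}                        # the "flag", one per (user, folder)

    def observe(self, ts, user, folder):
        """Return (reason, swallowed_count) if an email is due, else None."""
        key = (user, folder)
        st = self._state.get(key)
        if st is None:  # no flag yet: this is the initial access
            self._state[key] = _KeyState(last_email_ts=ts)
            return ("initial_access", 0)
        if ts - st.last_email_ts >= self.quiet_seconds:
            reason = "quiet_period_elapsed"
        elif st.suppressed + 1 >= self.count_threshold:
            reason = "count_threshold"
        else:  # flag is set and neither release condition is met: stay silent
            st.suppressed += 1
            return None
        swallowed = st.suppressed
        self._state[key] = _KeyState(last_email_ts=ts)  # reset the flag
        return (reason, swallowed)

# Constructed sample events: (epoch seconds, user, folder)
SAMPLE_EVENTS = [
    (0, "alice", "/finance/payroll"), (10, "alice", "/finance/payroll"),
    (15, "bob", "/finance/payroll"), (20, "alice", "/finance/payroll"),
    (30, "alice", "/finance/payroll"), (40, "alice", "/finance/payroll"),
    (50, "alice", "/finance/payroll"), (60, "alice", "/finance/payroll"),
    (700, "alice", "/finance/payroll"),
]

def emails_for(events, **settings):
    """Replay events in time order and list the ones that would send an email."""
    throttle = AccessAlertThrottle(**settings)
    sent = []
    for ts, user, folder in events:
        decision = throttle.observe(ts, user, folder)
        if decision:
            sent.append((ts, user) + decision)
    return sent

if __name__ == "__main__":
    for row in emails_for(SAMPLE_EVENTS):
        print(row)
```

Carrying the swallowed count into the follow-up email keeps the suppressed activity visible to whoever reads it.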