09-21-2023 12:38 AM
Hi community,
Is there anybody who knows how External Alert mapping rules work in the case where there is more than one of them?
Do you create an alert for every rule that was hit or is there some kind of precedence?
There is no mention in documentation.
Thank you,
Jan
09-21-2023 03:16 AM
Hello,
The XDR console will automatically aggregate repeating alerts; the period of time is 24 hours. The console will consider an alert as repeating if it has the exact same fields.
09-21-2023 03:22 AM
Hello Aspatil,
You're right, but what is not clear to me is when alerts are created when you have multiple rules.
- Are they evaluated from top to bottom like in the firewall, or are all of them evaluated at the same time?
- If they are evaluated at the same time (and based on filtering both of them are hit), are multiple alerts created?
Thank you