How to suppress multiple alerts?

Hello guys,

I have multiple alert and event definitions. The problem is that the same alert is triggered multiple times. I want to receive just 1 alert instead of multiple, for the same issue. Please check the picture below:

Adjust the time window for the event or use aggregation to reduce repetition.

If this is just a filter event (not an aggregation) in 5.2.2 you can limit how many events are created.


I tested that limit and it has some issues.
For example, if I set it to 10 alerts, after 10 alerts it will send me an event notification (which I want to disable if possible) and then the event notification stops.
I just need to find a way for it to not send the same alert multiple times.

Aggregation is not a solution, because maybe the alert will be triggered only once.

What are you actually trying to find in the event? Aggregations may actually work, but it depends on what kind of filter you are trying to create.

You could set a grace period in Notifications to suppress the other alerts.

@Joel_Duffield I am using VirusTotal to check whether the destination IPs are malicious or not, and then block them. The problem is that my firewall is letting the connections through and I am seeing several alerts triggered within seconds for the same IP; please check the picture below.
My goal is to set the event to trigger just 1 alert if a malicious IP is found.

@Arie your idea works, because I am also using Slack to receive the notification and that will suppress it. But will it also suppress the number of alerts that appear in Graylog? I am testing it now.
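The grace-period idea from this thread, as an added example that is not part of any post and is not Graylog code: it models a grace period that gates notifications only, keyed by destination IP, while every event is still recorded. The event tuples, the function names and the per-IP keying are assumptions of the example.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, destination IP flagged by the lookup).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.7"),
    ("2024-01-01T10:00:02", "203.0.113.7"),
    ("2024-01-01T10:00:03", "198.51.100.9"),
    ("2024-01-01T10:00:05", "203.0.113.7"),
    ("2024-01-01T10:04:59", "203.0.113.7"),
    ("2024-01-01T10:05:01", "203.0.113.7"),
]


def apply_grace_period(events, grace_seconds):
    """Return (timestamp, dst_ip, notify) for every event, in time order.

    Every event is kept; notify is True only when no notification was sent
    for the same destination IP within the grace period (assumed model).
    """
    grace = timedelta(seconds=grace_seconds)
    last_notified = {}  # dst_ip -> time the last notification was sent
    decisions = []
    for ts_text, dst_ip in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        previous = last_notified.get(dst_ip)
        notify = previous is None or ts - previous >= grace
        if notify:
            # The window restarts only when a notification actually goes out.
            last_notified[dst_ip] = ts
        decisions.append((ts_text, dst_ip, notify))
    return decisions


def summarize(decisions):
    """Per destination IP: [events recorded, notifications sent]."""
    summary = {}
    for _, dst_ip, notify in decisions:
        entry = summary.setdefault(dst_ip, [0, 0])
        entry[0] += 1
        entry[1] += int(notify)
    return summary


if __name__ == "__main__":
    result = apply_grace_period(SAMPLE_EVENTS, grace_seconds=300)
    for ts_text, dst_ip, notify in result:
        print(ts_text, dst_ip, "NOTIFY" if notify else "suppressed")
    print(summarize(result))
```

In this model the event count per IP is unchanged by the grace period; only the number of notifications drops.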

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.