Initial Alert Triggering:
When a rule is first triggered, the UTMStack correlation engine performs as expected, creating alerts in the threat management system. This is crucial for identifying new or ongoing security threats.
However, in my experience, I've noticed that the alerting behavior changes after the initial trigger. Specifically, the engine only creates alerts the first one or two times a rule is triggered for the same use case. Subsequent triggers do not generate new alerts in the threat management system. So, how does it actually work?