2021-08-19 01:10 AM
Hi Expert,
Say our ESA conditions are:
ESA_SubAlert_1: triggered on each event from App_rule_1
ESA_SubAlert_2: triggered on each event from App_rule_2
ESA_SubAlert_3: triggered on each event from App_rule_3
ESA_MainAlert: triggered if any of App_rule_1, App_rule_2, App_rule_3 have triggered more than 10 events from the same source IP in 5 mins.
Is there any way that, if MainAlert is triggered, the ESA_SubAlert is not triggered?
Currently, we are facing this:
In the same 5 mins from the same source IP,
a. App_rule_1 - triggers 12 events
b. App_rule_3 - triggers 5 events
Current result:
ESA_MainAlert will create 1 alert with 17 events.
ESA_SubAlert_1 will create 12 alerts.
ESA_SubAlert_3 will create 5 alerts.
Thank you.
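To make the two behaviours in the question concrete, here is an added Python model of the correlation logic described above. It is not NetWitness code (ESA rules are written in EPL, and this does not reproduce that engine); it simply replays a constructed event stream through a per-source-IP 5-minute window with the "more than 10 events" threshold. The default mode reproduces the "current result" from the post (one main alert carrying 17 events plus 12 + 5 sub-alerts); the `suppress_sub_when_main` flag is a hypothetical mode, not a product feature, that holds sub-alerts until the window closes and drops them only when the main alert fired, so a source IP that stays below the threshold still gets its sub-alerts. The source IPs, timestamps and the `10.0.0.9` control case are constructed.

```python
from collections import Counter
from dataclasses import dataclass

WINDOW_SECONDS = 5 * 60   # the 5-minute correlation window from the post
MAIN_THRESHOLD = 10       # ESA_MainAlert fires on more than 10 events per source IP
SUB_RULES = {"App_rule_1": "ESA_SubAlert_1",
             "App_rule_2": "ESA_SubAlert_2",
             "App_rule_3": "ESA_SubAlert_3"}


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since epoch
    src_ip: str
    rule: str      # which App_rule matched this event


def correlate(events, suppress_sub_when_main=False):
    """Replay events in time order and return (main_alerts, sub_alerts).

    Each source IP gets a tumbling WINDOW_SECONDS window that opens on its
    first event. When the window closes, one ESA_MainAlert carrying every
    event in the window is raised if more than MAIN_THRESHOLD events were
    seen. With suppress_sub_when_main=False (the behaviour the post
    describes) a sub-alert is raised immediately for every event. With True
    (hypothetical mode, assumed here, not a NetWitness feature) sub-alerts
    are held until the window closes and dropped if the main alert fired.
    """
    main_alerts, sub_alerts = [], []
    windows = {}   # src_ip -> (window_start_ts, [held events])

    def sub_alert(e):
        return {"name": SUB_RULES[e.rule], "src_ip": e.src_ip, "ts": e.ts}

    def close_window(src_ip):
        _start, held = windows.pop(src_ip)
        fired_main = len(held) > MAIN_THRESHOLD
        if fired_main:
            main_alerts.append({"name": "ESA_MainAlert", "src_ip": src_ip,
                                "event_count": len(held),
                                "by_rule": dict(Counter(e.rule for e in held))})
        # Held sub-alerts are released only if no main alert covered them.
        if suppress_sub_when_main and not fired_main:
            sub_alerts.extend(sub_alert(e) for e in held)

    for e in sorted(events, key=lambda ev: ev.ts):
        if e.src_ip in windows and e.ts - windows[e.src_ip][0] >= WINDOW_SECONDS:
            close_window(e.src_ip)            # window expired: evaluate it
        if e.src_ip not in windows:
            windows[e.src_ip] = (e.ts, [])    # open a new window on first event
        windows[e.src_ip][1].append(e)
        if not suppress_sub_when_main:
            sub_alerts.append(sub_alert(e))   # current behaviour: alert per event

    for src_ip in list(windows):              # flush windows still open at end of stream
        close_window(src_ip)
    return main_alerts, sub_alerts


def summarize(alerts):
    """Count alerts by alert name, e.g. {'ESA_SubAlert_1': 12, ...}."""
    return dict(Counter(a["name"] for a in alerts))


def sample_events():
    """Constructed input reproducing the post's scenario for 10.0.0.5
    (12 App_rule_1 hits and 5 App_rule_3 hits inside 5 minutes) plus a
    constructed control source 10.0.0.9 that stays below the threshold."""
    base = 1_629_334_200.0   # arbitrary constructed epoch timestamp
    evs = [Event(base + i * 10, "10.0.0.5", "App_rule_1") for i in range(12)]
    evs += [Event(base + 150 + i * 10, "10.0.0.5", "App_rule_3") for i in range(5)]
    evs += [Event(base + 20 + i * 30, "10.0.0.9", "App_rule_2") for i in range(3)]
    return evs


if __name__ == "__main__":
    for mode in (False, True):
        mains, subs = correlate(sample_events(), suppress_sub_when_main=mode)
        print(f"suppress_sub_when_main={mode}: main={mains} subs={summarize(subs)}")
```

Running the module prints the default mode first, matching the "current result" in the post (one ESA_MainAlert with 17 events, 12 ESA_SubAlert_1 and 5 ESA_SubAlert_3), then the hypothetical suppression mode, where only the 3 sub-alerts for the below-threshold control source remain. The trade-off the model makes visible is latency: a sub-alert cannot be suppressed at event time because the main alert is only known once the window has been evaluated, so any suppression scheme has to hold sub-alerts for up to the window length.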