Skip to main content

Hi folks,

When one sets up an alert, all the rows matching the search are sent to the alert. I have a use case where it is counterproductive to be able to track SLA and customers impacted. Basically, we’re concentrating all EDR alerts from many platform in one repo and want to trigger an incident by event.

I fear the limit parameter will hide other events. And playing with both limit and time range seems not deterministic.

Does anyone know how I could achieve 1 incident by row returned in the alert search?

Thanks

Be the first to reply!

Reply