Alert expiry #965
Comments
|
@ag-michael If you don't mind, can you share what your use case is for deleting alerts automatically based on a retention period? Wouldn't that mean you're essentially ignoring and deleting alerts notifying of possible attacks? |
|
@veeral-patel Correct. it's aging out of alerts, essentially implicit ignoring of alerts. If an alert source generates hundreds or thousands of alerts, I can't dedicate man hours to manually go through them all and ignore them one by one. EDIT: I can throttle and control this externally, but regardless of that if an alert has not been imported into a case after some time, I don't want it lingering on. Especailly considering some alerts can be fairly sizable and cause performance issues if you have too many of them indexed. |
|
@ag-michael so I guess what you're saying is, if you have thousands of low-severity alerts, you're just not going to get through them all. So instead of keeping them and around and hoping you'll get to them, it's better to just discard them. That makes sense. Just curious - what are these thousands of alerts you're getting, at a high level? |
Feature Request
Work Environment
Problem Description
It is getting increasingly difficult to manage alerts using the API, simply due to erratic variations in volume.
I could further tune scripts I've built around the API, but I thought it would be more intuitive if there was an alert retention strategy setting in thehive, where alerts are removed by age, volume or other criteria.
It would also be great if there was a way to immediately permanenty delete alerts.
The text was updated successfully, but these errors were encountered: