Per conversation with Da Beave, we should have a "track by none" option so that a single rule could be set to fire an alert after X amount of instances, regardless of the log source. For example:
In a ransomware event we might see multiple policy changes across an environment and so we would want to track by the event itself across an entire network rather than a single Domain Controller.
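The difference between per-source tracking and the requested "track by none" behaviour, shown as an added example (this is not code from the issue or the project). The function name, the `track_by` values, the window semantics and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (epoch_seconds, log_source, event_name).
# All are assumed to have already matched the same rule.
# Five policy-change events inside one minute, spread over four hosts.
EVENTS = [
    (1000, "dc01", "policy_change"),
    (1010, "dc02", "policy_change"),
    (1015, "fs01", "policy_change"),
    (1020, "dc01", "policy_change"),
    (1030, "ws17", "policy_change"),
]


def threshold_alerts(events, count, seconds, track_by="source"):
    """Return (timestamp, key) each time `count` events fall within `seconds`.

    track_by="source": one counter per log source (per-host tracking).
    track_by="none":   one shared counter for the rule, whatever the source.
    Both names are hypothetical, chosen for this example.
    """
    if track_by not in ("source", "none"):
        raise ValueError("track_by must be 'source' or 'none'")
    windows = defaultdict(deque)
    alerts = []
    for ts, source, _event in sorted(events):
        key = source if track_by == "source" else "*"
        window = windows[key]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while window and ts - window[0] > seconds:
            window.popleft()
        if len(window) >= count:
            alerts.append((ts, key))
            window.clear()  # re-arm: the next alert needs `count` new events
    return alerts


if __name__ == "__main__":
    # Per-source tracking never reaches 4 on any single host.
    print("by source:", threshold_alerts(EVENTS, 4, 60, "source"))
    # One shared counter sees the network-wide burst.
    print("by none:  ", threshold_alerts(EVENTS, 4, 60, "none"))
```

With per-source tracking no single host reaches the threshold, so the burst spread across the environment goes unreported; the shared counter fires on the fourth event.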