Create an anti-flooding policy
Anti-flooding policies limit the number of notifications sent when an alert is triggered repeatedly over a short period of time. This prevents recipients from being inundated with duplicate notifications while an alert condition persists.
The default anti-flooding policy, called default AF, allows a single alert to be delivered to any one recipient up to five times within one hour; if the alert condition persists, a reminder is sent after another hour passes. You can use default AF as it is, edit it, or create additional policies as needed:
- Go to Administration → Alert Configuration → Alert Policies.
- Select Anti-flooding Policy in the left-hand panel, then click New. The Anti-flooding Policy window appears.
- Enter a Policy name that lets you easily identify the rule it contains, then complete the remaining fields to build the rule that limits alert distribution over time.
- Click the Save button.
Once saved, you can assign the new policy to sending policies.
These policies limit only the distribution of alerts through delivery methods. The Alerts Dashboard always keeps a record of every time the alert is triggered, and you can also query the complete history of triggered alerts in the siem.logtrust.alert.info data table.
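The following is an added illustration of the default AF semantics described above (five deliveries per hour, then one reminder per hour while the alert persists) and of the distinction between suppressed delivery and the full trigger history; it is not Devo's own code. It assumes triggers arrive in chronological order and treats a quiet period of a full window as the start of a new episode (hypothetical choices; the product's exact window handling is not stated on the page).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HOUR = 3600  # seconds


@dataclass
class _AlertState:
    """Per-alert bookkeeping kept by the policy."""
    triggers: List[int] = field(default_factory=list)  # every trigger, delivered or not
    window_start: Optional[int] = None                  # opened by the first delivery
    sent_in_window: int = 0
    last_sent: Optional[int] = None


class AntiFloodingPolicy:
    """Decide per trigger whether an alert is delivered, suppressed or sent as a
    reminder. The defaults mirror the page's 'default AF': at most 5 deliveries
    within one hour, then one reminder per hour while the alert keeps firing."""

    def __init__(self, max_sends: int = 5, window: int = HOUR, reminder_interval: int = HOUR):
        self.max_sends = max_sends
        self.window = window
        self.reminder_interval = reminder_interval
        self._alerts: Dict[str, _AlertState] = {}

    def evaluate(self, alert_id: str, ts: int) -> str:
        """ts is a Unix timestamp; calls must arrive in chronological order (assumption)."""
        st = self._alerts.setdefault(alert_id, _AlertState())
        previous = st.triggers[-1] if st.triggers else None
        st.triggers.append(ts)  # recorded whatever the decision, like the Alerts Dashboard
        # First trigger, or quiet for a full window: a new episode opens a fresh window.
        if previous is None or ts - previous >= self.window:
            st.window_start, st.sent_in_window, st.last_sent = ts, 1, ts
            return "deliver"
        if ts - st.window_start < self.window:
            if st.sent_in_window < self.max_sends:
                st.sent_in_window += 1
                st.last_sent = ts
                return "deliver"
            return "suppress"
        # Window elapsed but the alert persists: one reminder per interval, counted
        # from the end of the window or from the previous reminder.
        reference = max(st.window_start + self.window, st.last_sent)
        if ts - reference >= self.reminder_interval:
            st.last_sent = ts
            return "remind"
        return "suppress"

    def history(self, alert_id: str) -> List[int]:
        """Complete trigger history, as the alert history table would still show it."""
        return list(self._alerts.get(alert_id, _AlertState()).triggers)
```

Feeding an alert that fires every ten minutes for three hours yields five deliveries, reminders at minutes 120 and 180, and suppression in between, while `history()` still lists all nineteen triggers.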