If a rule is configured to group by entity (and not by hit), hundreds of hits can produce as few as one alert.
Alerts are grouped by entity ONLY, and NOT by the combination of rule and entity. As a result, two rules that flag the same entity can produce a single alert!
DEFINITION: 1 alert hit == 1+ transaction(s) flagged by a rule
Each scheduled execution generates at most 1000 alert hits, which are then grouped into a possibly smaller number of alerts.
This means that you may receive an alert hit limit warning even though only a few alerts were generated (see the next section).
If a rule generates more than 1000 alert hits in an execution, the following will happen:
- The rule stops executing
- Unit21 notifies your organization by email that the rule has reached its alert hit limit.
Although that specific execution stops, the rule will continue to run at its next scheduled execution time.
You don't need to do anything. The rule will continue to run on schedule, and you can review the alerts generated by that rule.
However, a rule that reaches its alert hit limit very often contains logic that is overly broad. Unit21 recommends duplicating the rule and refining its queries to get under the alert hit limit and improve your alerts' signal-to-noise ratio.
In rare cases, an organization genuinely needs to run a rule that produces more than 1000 alert hits. In those cases, please contact your Unit21 representative.
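The grouping and hit-limit behaviour described above (hits grouped by entity only, the 1000-hit cap per execution, and refining an overly broad rule) is modelled in the following added example. It is not Unit21 code and does not call the Unit21 API; the rule names, entity ids, `amount` field and all hit data are constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Per-execution alert hit cap stated on this page.
ALERT_HIT_LIMIT = 1000


@dataclass(frozen=True)
class Hit:
    """One alert hit: a rule flagging one or more transactions on one entity.

    rule_id, entity_id and amount are hypothetical fields for this example.
    """
    rule_id: str
    entity_id: str
    transaction_ids: tuple
    amount: int


def summarize_execution(hits, limit=ALERT_HIT_LIMIT):
    """Estimate what one scheduled execution of the given hits produces.

    Alerts are grouped by entity only (not by rule + entity), so the alert
    count is the number of distinct entities, and an entity hit by several
    rules collapses into one alert. A rule is over the limit when it alone
    produced more than `limit` hits in this execution.
    """
    hits_per_rule = Counter(h.rule_id for h in hits)
    rules_per_entity = defaultdict(set)
    for h in hits:
        rules_per_entity[h.entity_id].add(h.rule_id)

    return {
        "hits_per_rule": dict(hits_per_rule),
        "alert_count": len(rules_per_entity),
        # Entities whose single alert carries hits from more than one rule.
        "multi_rule_alerts": sorted(
            e for e, rules in rules_per_entity.items() if len(rules) > 1
        ),
        "rules_over_limit": sorted(
            r for r, n in hits_per_rule.items() if n > limit
        ),
    }


def rule_stops(summary, rule_id):
    """True when the hit-limit behaviour would stop this rule's execution."""
    return rule_id in summary["rules_over_limit"]


def refine(hits, keep):
    """Apply a narrower predicate to the hits, as when duplicating a rule and
    tightening its queries to get back under the alert hit limit."""
    return [h for h in hits if keep(h)]


def build_sample_hits():
    """Constructed sample data (not real Unit21 output).

    'broad-velocity' is an overly broad rule: 1200 hits, but spread over only
    three entities. 'narrow-structuring' adds 5 hits, one of them on an entity
    the broad rule already flagged, so those two rules share one alert.
    """
    hits = []
    entities = ("ent-A", "ent-B", "ent-C")
    for i in range(1200):
        hits.append(Hit("broad-velocity", entities[i % 3], (f"txn-{i}",), i * 10))
    for i in range(4):
        hits.append(Hit("narrow-structuring", "ent-D",
                        (f"txn-n{i}", f"txn-n{i}-pair"), 9900))
    hits.append(Hit("narrow-structuring", "ent-A", ("txn-n4",), 9900))
    return hits


def refined_sample_hits(min_amount=5000):
    """Hypothetical refinement: the broad rule only keeps high-value hits."""
    return refine(
        build_sample_hits(),
        lambda h: h.rule_id != "broad-velocity" or h.amount >= min_amount,
    )


if __name__ == "__main__":
    before = summarize_execution(build_sample_hits())
    print("before refinement:", before)
    print("broad-velocity stops:", rule_stops(before, "broad-velocity"))
    after = summarize_execution(refined_sample_hits())
    print("after refinement:", after)
```

Running it shows 1205 hits collapsing into 4 alerts (so a hit-limit warning with only a handful of alerts), `ent-A` as the one alert shared by two rules, and the broad rule dropping from 1200 to 700 hits after the refinement while the alert count stays at 4.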