Reduce notifications and alerts

Elastic Security offers several features to help reduce the number of notifications and alerts generated by your detection rules. This table provides a general comparison of these features:
| Feature | What it does | Use it to | Notes |
|---|---|---|---|
| Rule snooze | Stops a specific rule's notification actions from running. | Avoid unnecessary notifications from a specific rule. | The rule continues to run and generate alerts during the snooze period, but its notification actions don't run. |
| Maintenance window | Prevents all rules' notification actions from running. | Avoid false alarms and unnecessary notifications during planned outages. | All rules continue to run and generate alerts during the maintenance window, but their notification actions don't run. Maintenance windows are a Kibana feature, configured outside of the Elastic Security app in Stack Management. |
| Alert suppression | Reduces repeated or duplicate alerts created by a custom query rule. | Reduce the number of alerts created by a custom query rule that matches multiple source events. | Matching events are grouped by their values in a specified field, and only one alert is created for each group. |
| Rule exception | Prevents a rule from creating alerts under specific conditions. | Reduce false positive alerts by preventing trusted processes and network activity from generating unnecessary alerts. | You can configure an exception to be used by a single rule or shared among multiple rules, but exceptions typically don't affect all rules. |