Manage Trigger Sensitivity
Throttling is used to restrict a task from being executed if the task is triggered by a frequently occurring event. Under certain circumstances, throttling may prevent a trigger from being fired. If any of the defined conditions are met, stacked information for all observers is reset (the count starts over from 0). This information is also reset if the Agent or ERA Server is restarted. All modifications made to a trigger reset its status.
Time-based throttling conditions take precedence over statistical conditions. We recommend that you only use one statistical condition and multiple time-based conditions. Multiple statistical conditions can be an unnecessary complication, and can alter trigger results.
The statistical conditions can be combined using either the AND logical operator (all conditions must be fulfilled) or the OR logical operator (the first condition fulfilled triggers the action).
• Time based conditions
All of the configured conditions must be fulfilled in order to trigger an event. The throttling criteria are focused on the time when the event occurred.
• Number of ticks to aggregate - Number of ticks (how many times the trigger is hit) needed to activate the trigger. The trigger is prevented from activating until this number is reached. For example, with this set to 100, if 100 threats are detected you won't receive 100 notifications, just one notification containing 100 threats. If 200 threats are detected, only the last 100 threats will be included in the notification.
Time based criteria
• Aggregate invocations during time period - You can allow a hit once every X seconds. If you set this option to 10 seconds and during this time 10 invocations occur, only 1 will be counted.
• Time ranges - Allow ticks only within the defined time period. You can add multiple time ranges to the list; they will be sorted chronologically.
• Statistical criteria application - This option defines the method by which the statistical criteria will be evaluated. Either all of them need to be met (AND), or at least one (OR).
• Triggered every No of occurrences - Allow only every Xth tick (hit). For example, if you enter 10, only each 10th tick will be counted.
• No of occurrences within a time period - Allow only tick(s) within the defined time period. This will define the frequency. For example, allow the execution of the task if the event is detected 10x in an hour.
o Time period - Define the time period for the option described above.
• Number of events with symbol - Record a tick (hit) if X events with the specific symbol are provided. For example, if you enter 10, a tick will be counted for every 10th installation of a certain application.
o Applies when number of events - Enter a number of events in a row after the last tick to count another tick. For example, enter 10 and a tick will be counted after 10 events from the last tick.
• Applies when number of events - The trigger is applied when the ticks are either Received in a Row (trigger execution is not taken into account), or Received Since Last Trigger Execution (when the trigger is executed, the number is reset to 0).
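The following simulation is an added example, not code from ERA: it models how a burst of detections passes through "Aggregate invocations during time period", "Triggered every No of occurrences" and "No of occurrences within a time period" so you can estimate how many notifications a given setting produces. The function name, parameter names and the exact evaluation order are assumptions based on the descriptions above.

```python
from collections import deque

def simulate(event_times, aggregate_seconds=0, every_nth=None,
             n_in_period=None, period_seconds=0, operator="AND"):
    """Return the times (seconds) at which the trigger fires.

    Assumed semantics (a reading of the text above, not vendor code):
    - time-based aggregation runs first and drops hits arriving less than
      aggregate_seconds after the last counted hit;
    - surviving ticks feed the statistical criteria, joined by AND/OR;
    - when the trigger fires, all counters start over from 0.
    """
    last_counted = None
    ticks = 0
    window = deque()   # times of counted ticks still inside the period
    fired = []
    for t in sorted(event_times):
        if last_counted is not None and t - last_counted < aggregate_seconds:
            continue   # aggregated into the previously counted hit
        last_counted = t
        ticks += 1
        window.append(t)
        while period_seconds and t - window[0] >= period_seconds:
            window.popleft()
        checks = []
        if every_nth:
            checks.append(ticks % every_nth == 0)
        if n_in_period:
            checks.append(len(window) >= n_in_period)
        ok = (all(checks) if operator == "AND" else any(checks)) if checks else True
        if ok:
            fired.append(t)
            ticks = 0
            window.clear()
    return fired

# Constructed input: one detection per second for 100 seconds.
BURST = range(100)

if __name__ == "__main__":
    # 10-second aggregation keeps 10 ticks; every 5th tick fires.
    print(simulate(BURST, aggregate_seconds=10, every_nth=5))
    # Same, OR-combined with "3 occurrences within 25 seconds".
    print(simulate(BURST, aggregate_seconds=10, every_nth=5,
                   n_in_period=3, period_seconds=25, operator="OR"))
```

With OR, the looser of the two statistical conditions decides the firing rate, which is why the text recommends a single statistical condition.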