adem_netsys
Explorer III
May 10, 2026
Question

Ingest Incident and Delete Alerts

Hello guys,

We’re receiving incidents from FSIEM, but there are a large number of incidents in this environment; even though we’ve scheduled it to run every 15 minutes, when we retrieve the data, nearly all the incidents are pulled at once. What exactly is the logic behind this, and how can I resolve it? Additionally, since a large number of SIEM incidents are received in a short period of time, we do not want to include this in our playbook processes; is there a way to filter this data in SOAR?

Thanks in advance

1 reply

adem_netsys
Explorer III
May 14, 2026

Do you have any idea?