The message rate limiting is applied to per policy within the policy group, so users do not get overwhelmed (i.e. to prevent thousands of messages from appearing on screen).

For example, if a rate limit of 1 minute is set, no more than 1 message will be displayed per minute, per policy. It should be noted that although the number of display pop-up messages can be suppressed, the number of sensors will not be suppressed.

Rate Limiting Defaults:

If rate limiting is enabled but nothing is set (shown in the screenshot below), the default rate limiting time for most policies is 1 minute.

Rate Limiting Lower Limit (For most policies):

The lower limit for rate limiting for most policies is 1 minute. Although it is possible to set the rate limit time to less than a minute (shown in the screenshot below), the actual rate limit time will still be reverted to 1 minute.

Rate Limiting Lower Limit Exceptions:

Some policies do not have lower limits for rate limiting. This means it is possible to display multiple messages in 1 minute. Here is a list of policies that do not have lower limits:

1. The sensitive file was downloaded.
2. The sensitive file was uploaded.
3. The Sensitive file was downloaded from a personal file share website.
4. The Sensitive file was uploaded to a personal file share website.
5. ETW event detected.
6. A new user typed on the node.
7. An unauthorized keyboard shortcut was used.
8. Unauthorized keyword typed.

Example:

To illustrate it with the following screenshot, any re-violated policy within the default 1-minute rate limiting will be suppressed to display the message. See the sample triggered incident breakdown, the 2nd (11:26:47 AM) and 3rd (11:27:15 AM) events will have their display message suppressed as both events are triggered within 1 minute from the 1st event (11:26:21 AM). For the 4th (11:28:03 AM) will have it message display again after the default 1-minute rate limit is lapsed.