A feature that has (in my opinion) been wanted for a very long time is finally here: one that gives alerting a step up when it comes to analysing alerts and refining how threats are identified.
With the new entity-mapping limits, up to 500 entities collectively can be identified in a single alert, divided equally across all entity mappings defined in the rule.
Multiple mappings of a single entity type (say, source IP and destination IP) each count separately.
If an alert contains items in excess of this limit, those excess items will not be recognized and extracted as entities.
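To make the arithmetic behind the limit concrete, here is a small added example (my own illustration, not Sentinel's code or anything from the product documentation) that applies the rules above to a constructed query result set: the 500-entity cap is split evenly across every mapping in the rule, two mappings of the same type (source IP and destination IP) each take their own share, and whatever a mapping returns beyond its share is dropped. Everything about the input is an assumption: the column names, the row shape, the assumption that the cap is split with integer division when it does not divide evenly, and the assumption that identical values within one alert collapse to a single entity.

```python
"""Simulate the per-alert entity cap described in the text.

Added example, not Sentinel's own logic. Assumptions, labelled where they matter:
- the 500 cap is split evenly across entity mappings, rounding down when it
  does not divide evenly (rounding behaviour is an assumption);
- identical values for one mapping within an alert collapse to one entity
  (de-duplication is an assumption);
- excess values past a mapping's share are dropped, as the text states.
"""
from collections import OrderedDict

ALERT_ENTITY_CAP = 500  # per-alert limit stated in the text


def entity_budget(entity_mappings, rows, cap=ALERT_ENTITY_CAP):
    """Work out what each mapping would extract and what it would lose.

    entity_mappings: list of (entity_type, column) pairs, e.g.
                     [("IP", "SrcIp"), ("IP", "DstIp"), ("Account", "Account")]
                     (hypothetical names; not the real entityMappings schema)
    rows:            list of dicts standing in for the analytics rule's result rows
    Returns {column: {"type", "share", "extracted", "dropped"}}.
    """
    if not entity_mappings:
        return {}
    # Each mapping, not each entity type, gets an equal share of the cap,
    # so SrcIp and DstIp are budgeted separately even though both are IPs.
    share = cap // len(entity_mappings)
    report = {}
    for entity_type, column in entity_mappings:
        # Distinct values in first-seen order (assumption: duplicates collapse).
        values = list(OrderedDict.fromkeys(r[column] for r in rows if r.get(column)))
        report[column] = {
            "type": entity_type,
            "share": share,
            "extracted": values[:share],   # what the alert would carry
            "dropped": values[share:],     # what would never become an entity
        }
    return report


def exceeds_cap(report):
    """True if any mapping returned more values than its share allows."""
    return any(r["dropped"] for r in report.values())


def build_sample_rows(n):
    """Constructed sample data: n rows with unique source IPs, 20 distinct
    destination IPs and 50 distinct account names (all invented)."""
    return [
        {
            "SrcIp": f"10.0.{i // 256}.{i % 256}",
            "DstIp": f"203.0.113.{i % 20}",
            "Account": f"user{i % 50}",
        }
        for i in range(n)
    ]


if __name__ == "__main__":
    mappings = [("IP", "SrcIp"), ("IP", "DstIp"), ("Account", "Account")]
    report = entity_budget(mappings, build_sample_rows(1000))
    for column, r in report.items():
        print(f"{column:8} ({r['type']:7}) share={r['share']} "
              f"extracted={len(r['extracted'])} dropped={len(r['dropped'])}")
    print("over cap:", exceeds_cap(report))
```

With three mappings each one is budgeted 166 entities, so a rule whose results are grouped into one alert with a thousand distinct source IPs keeps only the first 166 of them while the 20 destination IPs and 50 accounts fit comfortably; the check is worth running against your own rule's typical result sizes before relying on entity extraction downstream.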
To read up more about this, see the links below: