
Hello All,

I'm working on setting up alerting rules in SecOps, and I’m encountering an issue where some alerts are critical but tend to trigger frequently, creating unnecessary noise in the alert stream.

I’m thinking of implementing a rule where, once an alert is triggered, subsequent alerts of the same type (or related) would be suppressed until a specified time window has passed. The goal is to avoid alert fatigue and ensure that we’re not overwhelmed with redundant notifications while still tracking important events.

Has anyone implemented a similar mechanism? If so, could you share some insights on how you went about this or any best practices you’d recommend? I’m particularly interested in solutions where the suppression is time-based (e.g., 30 minutes after an alert is triggered, suppress any similar alerts during that period).

Thanks,
Suraj Kadav

If your goal is to close/group alerts[1-10] after alert[0] triggers, there's a few things you should try:

  1. If it is a YARA-L Rule: you can add exclusions and group alerts in SIEM before it creates the SecOps Case: https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#match_section_syntax
  2. You can define Rule/Alert Specific alert groupings in the SOAR settings with a time frame of up to 24 hours: https://cloud.google.com/chronicle/docs/soar/investigate/working-with-alerts/alert-grouping-mechanism-admin
  3. You could add logic to your playbook so that one of the first steps is to search for similar alerts in the last x time; if it finds a match on the criteria you define (same alert name, user/host/IP/file/etc.), it closes out the new alert as a "duplicate".

Those are the quicker solutions; a longer and more advanced solution would be to build some sort of suppression/automation system in SecOps using the available integrations from the marketplace and custom SOAR actions.
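Option 3 above, as an added example that is not part of the original thread and not Google SecOps or SOAR API code: a time-window dedup keyed on alert name plus entity, with constructed sample alerts standing in for what a playbook search step would fetch (the SOAR search and close actions it would wrap are assumed, not shown).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical stand-alone example; not Google SecOps / SOAR API code.
WINDOW = timedelta(minutes=30)  # suppress similar alerts for 30 min after the first

@dataclass
class Alert:
    alert_id: str
    name: str    # rule / alert name
    entity: str  # user, host, IP or file the alert is about
    ts: datetime

@dataclass
class Decision:
    action: str                # "open" or "close_duplicate"
    parent_id: Optional[str]   # alert the duplicate is grouped under
    suppressed: int            # duplicates folded into that parent so far

class Suppressor:
    """Remembers the first ('parent') alert per (name, entity) key."""
    def __init__(self, window: timedelta = WINDOW):
        self.window = window
        self._parents: dict[tuple[str, str], list] = {}  # key -> [Alert, count]

    def handle(self, alert: Alert) -> Decision:
        """Alerts must arrive in time order, as a playbook would see them."""
        key = (alert.name, alert.entity)
        parent = self._parents.get(key)
        # The window is fixed from the parent's time, not sliding from each
        # duplicate, so a steady stream still re-opens once per window and
        # the important event keeps being tracked instead of vanishing.
        if parent and alert.ts - parent[0].ts < self.window:
            parent[1] += 1
            return Decision("close_duplicate", parent[0].alert_id, parent[1])
        self._parents[key] = [alert, 0]  # no parent, or the window expired
        return Decision("open", None, 0)

def run_sample() -> list:
    """Constructed sample alerts (not real data) pushed through the suppressor."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    m = lambda n: t0 + timedelta(minutes=n)
    sample = [
        Alert("a0", "Brute force login", "host-01", m(0)),
        Alert("a1", "Brute force login", "host-01", m(5)),   # duplicate of a0
        Alert("a2", "Brute force login", "host-02", m(6)),   # other host: opens
        Alert("a3", "Brute force login", "host-01", m(29)),  # still inside window
        Alert("a4", "Brute force login", "host-01", m(31)),  # window expired: opens
    ]
    s, out = Suppressor(), []
    for a in sample:
        d = s.handle(a)
        out.append((a.alert_id, d.action, d.parent_id, d.suppressed))
    return out
```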
