Kieran Anson
Kilo Patron

Hi,

Your correlation rule doesn't currently filter on the em_alert table fully, so it won't necessarily capture the records you're wanting. Do the secondary alerts you have identified have some commonality with the primary? E.g., does the additional_info field contain a key:value that could be used to identify the other alert records?