Hi all,
What factors are related to the number of alerts? How is it calculated?
As shown by the red box in the picture.
I'm a little confused about the relationship between the number of violations (in the alert pane) and the number of aggregated violations in the aggregated alert details pane (A and B), as shown below.
I found that A and B are equal when A is less than or equal to 500. According to the "Web Application Firewall User Guide", in the section "Understanding Aggregated Alerts": "Note: Up to 500 unique/distinct security events can be aggregated into a single alert." I think it may be related to the aggregation mechanism.
Sometimes I found that when B is 20,000, A is still 1000. I don't know how to explain that. Hope someone can help explain it.
Note: The picture is a screenshot from the implementation environment.
#On-PremisesWAF(formerlySecuresphere)

WAF operations engineer
Bruce Zhang