An analyst is investigating a user's activities and sees that the user has repeatedly executed an action that triggers a rule which emails the SOC team and creates an Offense indexed on Username.
The SOC team complains that they received 15 emails within 10 minutes, but the analyst can see only one Offense in the Offenses tab.
How is this explained?
A. There is a Rule Limiter on the Rule Action that creates the Offense; this should also be applied to the Rule Responses.
B. This is expected behavior; the offense will contain the information about all 15 events.
C. An Offense rule has been configured to send multiple emails upon Offense creation.
D. The Custom Rules Engine (CRE) has fallen behind and the additional Offenses will be created shortly.