Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Help eliminate Alert Email Overload


We have a rule set up to alert us when one of our PCI workstation agents goes offline. We set it up to only alert us if the agent has been offline for an hour, so we don't get false positives for maintenance reboots.

We have some users at remote (Home Office) locations that are always VPN'd into our organization.

Over this past weekend one of those remote sites had a connectivity issue, and the line would go down and up about every 10 minutes.

This caused the alert to trigger an email about every 10 minutes, which our security chief got very upset about. What we need is to set it up to only send the email once per set period. So if we set that period to an hour, whether it goes down once or multiple times, only send one email.

Here is the rule as it is today:

The exclusions are for some test agents that we do not need this alert for.
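One way to express the requested behaviour outside SEM, as an added illustration (this is not SEM's rule syntax and not code from the post): a per-agent throttle that emails the first firing, suppresses further firings until the period has elapsed, and counts what it suppressed so the one email per period can report the flapping. The agent names, the 10-minute flap pattern and the excluded test agent are constructed.

```python
from collections import defaultdict

# Constructed sample: one remote-site agent whose VPN link flaps every
# 10 minutes for three hours, so the "agent offline" rule fires 18 times,
# plus one firing from a test agent that the rule's exclusions should ignore.
EXCLUDED_AGENTS = frozenset({"test-agent-01"})          # hypothetical names
SAMPLE_ALERTS = [(minute, "remote-pc-07") for minute in range(0, 180, 10)]
SAMPLE_ALERTS.append((30, "test-agent-01"))
SAMPLE_ALERTS.sort()


def throttle_alerts(alerts, period_min=60, excluded=frozenset()):
    """Return the rule firings that would actually produce an email.

    alerts: (minute, agent) pairs in time order.
    For each agent the first firing is emailed; further firings are
    suppressed until period_min minutes have passed since that email.
    Each emailed entry is (minute, agent, suppressed_since_last_email),
    so the single email can state how many times the rule fired meanwhile.
    """
    last_email = {}
    suppressed = defaultdict(int)
    emailed = []
    for minute, agent in alerts:
        if agent in excluded:
            continue                      # same role as the rule's exclusions
        last = last_email.get(agent)
        if last is None or minute - last >= period_min:
            emailed.append((minute, agent, suppressed[agent]))
            last_email[agent] = minute
            suppressed[agent] = 0
        else:
            suppressed[agent] += 1
    return emailed


if __name__ == "__main__":
    # With a one-hour period the 18 firings collapse to three emails.
    for minute, agent, count in throttle_alerts(SAMPLE_ALERTS, 60, EXCLUDED_AGENTS):
        print(f"t+{minute:3d} min  email for {agent} "
              f"({count} firings suppressed since last email)")
```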

