added note on the volume of actions for rules
asjadathick committed Jun 23, 2020
1 parent 494dc31 commit 428c5c7
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions Security Analytics/ACSC2020-008_IOCs/README.md
Expand Up @@ -13,4 +13,6 @@ IOCs often change rapidly during campaigns and should not solely be relied upon
* Review the field names used within the rules. The rules currently reference default ECS fields, but your field names may vary internally
* Activate rules as required

Note that the SIEM rules currently run every 60 minutes, looking back at events from the last 60 minutes. The rules currently do not run actions for every execution. If you need to act on detections, it would be a good idea to set the frequency to `Hourly` rather than on each rule execution, to reduce the amount of noise created.

[Here is a full blog post](https/elastic.co/blog) on the campaign and Elastic Security.
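Review bot: The added note first says the rules "do not run actions for every execution" and then recommends setting the frequency to `Hourly` "rather than on each rule execution", which reads as contradictory; state what the current action frequency actually is and spell out what `Hourly` means for the reader (for example, that a notification is sent at most once per hour per rule while the rule itself still executes every 60 minutes). Since the note also states a 60-minute interval with a 60-minute look-back, it is worth saying explicitly that this leaves no overlap between runs, so anyone who lengthens the interval should keep the look-back at least as long to avoid missed events. Separately, the link target in the trailing context line, `https/elastic.co/blog`, is missing `://` and will not resolve as written; worth fixing in a follow-up.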
