Event filtering can be used to reduce the number of logged alerts for noisy rules by limiting the number of times a particular event is logged during a specified time interval. This can be tuned to significantly reduce false alarms.
There are 3 types of event filters:
Alerts on the first m events during the time interval, then ignores events for the rest of the time interval.
Alerts on every m-th occurrence of the event during the time interval.
Alerts once per time interval after seeing m occurrences of the event, then ignores any additional events during the time interval.
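The three behaviours above, simulated over a constructed event stream. This is an added example, not code from the original page. The mode names `first_m`, `every_m` and `once_after_m`, the `EventFilter` class, and the choice that an interval starts at the first event seen and restarts with the first event after it expires are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EventFilter:
    """Decides, event by event, whether an alert is logged."""
    mode: str       # "first_m", "every_m" or "once_after_m" (hypothetical names)
    m: int          # event count the filter is tuned with
    seconds: float  # length of the time interval
    window_start: Optional[float] = None
    seen: int = 0   # events counted in the current interval

    def should_alert(self, ts: float) -> bool:
        # Assumption: the interval opens at the first event and a new one
        # opens at the first event arriving after the old one has expired.
        if self.window_start is None or ts - self.window_start >= self.seconds:
            self.window_start = ts
            self.seen = 0
        self.seen += 1
        if self.mode == "first_m":       # first m events, then silence
            return self.seen <= self.m
        if self.mode == "every_m":       # every m-th occurrence
            return self.seen % self.m == 0
        if self.mode == "once_after_m":  # exactly once, at the m-th occurrence
            return self.seen == self.m
        raise ValueError(f"unknown mode: {self.mode}")


def alerts(mode: str, m: int, seconds: float, timestamps: List[float]) -> List[float]:
    """Return the timestamps at which the filter lets an alert through."""
    f = EventFilter(mode, m, seconds)
    return [ts for ts in timestamps if f.should_alert(ts)]


# Constructed sample: a burst of 10 events one second apart, then two
# stragglers that fall into the next 60-second interval.
SAMPLE = [float(t) for t in range(10)] + [60.0, 61.0]

if __name__ == "__main__":
    for mode in ("first_m", "every_m", "once_after_m"):
        logged = alerts(mode, 3, 60, SAMPLE)
        print(f"{mode:13s} logged {len(logged):2d} of {len(SAMPLE)}: {logged}")
```

Note that the first type still logs the two stragglers in the second interval, while the other two stay silent there because the count of m is never reached.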