Note:
Rule thresholds are deprecated and will not be supported in a future release. Use detection_filters (3.7.10) within rules, or event_filters (2.4.2) as standalone configurations, instead.
threshold can be included as part of a rule, or you can use standalone thresholds that reference the generator ID and SID of the rule they apply to. There is no functional difference between adding a threshold to a rule and using a standalone threshold applied to the same rule; the same counters, tracking key and time window apply either way. There is a logical difference, however. Some rules only make sense with a threshold, and those should carry the threshold inside the rule so the detection logic and its rate condition are read and maintained together.

For instance, a rule for detecting too many login password attempts may require more than 5 attempts from one source before it fires. That is the `both' type of threshold (alert once per time interval after seeing the fifth attempt, then stay quiet for the rest of the interval). A `limit' threshold would do the opposite: it alerts on the first five attempts and then suppresses the rest, which caps alert volume but does not express "more than 5 attempts". Because the rule is meaningless without its count and window, the threshold is an integral part of that rule, and the in-rule form is what detection_filter provides in current releases.