Only Fire Incident When Matching Multiple Rules in Policy?
I have a policy that contains a number of detection rules. This is working fine, but we would really like it to trigger an incident only if more than one of the rules is matched (for example, in a single email).
Is there a way to do this? My rules list inside the policy shows "or" in between each rule, and I can see no way to change this.
Ideally, we would set it to trigger an incident only if two or more of the six rules inside the policy are matched.
Thanks for any advice!