Looking for something pretty simple since I am relatively new to ePO management. I want to create an automated task that will move a system into a quarantine folder should it have 10 malware threat events in a 30 minute window. I am good with the filtering and actions tabs in my Automatic response but I am a bit confused on what to have in the Aggregation tab.
So 10 events for one system initiates my actions. The last time I tried setting this up it would end up putting multiple systems in quarantine during our monthly scan. So instead of it looking for any system with 10 or more threat events it would run the actions on say 10 systems with 1 threat event. Any good info on this and how you all have automatic responses set up or general best practices would be very helpful and much appreciated.