Analyze Trigger Frequency with Masked Matched Items

What is a one sentence summary of your feature request?

Analyze Trigger Frequency with Masked Matched Items

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

The goal of this implementation is to enable event grouping based on a unique trigger identifier and to provide quantitative statistics on trigger activations over a defined time period.

The system should allow events to be aggregated in a way that clearly shows how many times a specific trigger (for example, Example_XXXX) was activated during a week or another selected time range, in the following format:

“Trigger Example_XXXX was activated 500 times over the last week.”

This capability will make it possible to identify the most frequently triggered (noisiest) elements without requiring access to the textual content of events, which is especially important in environments where log data is masked or access to raw logs is restricted.

Additionally, it is proposed to introduce a standard report or dashboard such as “Top Triggered Patterns”, which would display:

the trigger identifier;
the number of activations;
the selected time range,

presented purely in quantitative terms, without exposing event details or textual payloads.

Implementing this approach will improve monitoring efficiency, simplify rule tuning, and help security teams focus on the most problematic or overly active triggers while maintaining data privacy and compliance requirements.

How do you currently solve the challenges you have by not having this feature?

At the moment, this challenge is handled through manual analysis and indirect indicators. We rely on overall event volume trends, partial policy-level statistics, and manual sampling over time to estimate which triggers may be generating the most noise. However, this approach is imprecise, time-consuming, and does not provide reliable trigger-level visibility, which makes accurate policy tuning difficult and largely based on assumptions.

Hello Nadia,

Thank you for taking the time to register your improvement idea!
We will carefully review it, and as soon as we have updates in this regard, we will inform you.

Kind Regards,
Simona