What do you have "Behavior" set to? "Only on first trigger" or "all triggers"? Does the latter cause it to fire an alert for every instance of a vuln in the way you want?
As for the Trigger differences:
- IP Count – Trigger on vulnerabilities or events whose IP count matches the given parameters.
- Unique Vulnerability/Event Count – Trigger an alert when the vulnerability/event count matches the given parameters. This option is set to “Unique Vulnerability Count” for vulnerability alerts and “Event Count” for event alerts.
You would want to use the Unique Vuln/Event Count in your case, I believe.
So currently I have the alert set as follows:
- Behavior = Perform action on every trigger
- Type = Vulnerability
- Trigger = Unique Vulnerability Count < 20
- Asset = Workstations
- Repository = Set to our workstation repositories
- Severity = Critical, High
- Vulnerability Discovered = More than 180 Days ago

The alert is set to send an email to my address.
Currently the alert is only triggering if I add a plugin setting to the filter and put in the plugin IDs that I want it to trigger on. If I don't specify a plugin ID or multiple plugin IDs, the alert does not trigger. If I specify multiple plugin IDs, I get one alert notifying me of all the vulnerabilities. I would rather not have to specify a plugin ID, as that would pretty much remove the automation from the process: I would have to be constantly adjusting the plugin IDs on the alert in order for it to launch an individual alert for each plugin that meets the criteria.
I do have the alert filtered on the plugin type being Active. It does seem that for the alerts to work the way that we want them to I would have to manually create an alert for each plugin (or create a single alert and modify the plugin ID). The problem I run into with this is that if I am supposed to be creating an alert that matches the criteria for what we want support tickets created for I would be creating a couple hundred alerts. It would be nice if there was some way for the alert to function almost like an iterator in the reports but clearly that function does not exist and I doubt it would be feasible to have implemented.