EDR: Tuning abuse.ch Feed for False Alerts


Article ID: 287833


Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • A large number of hits are firing on the abuse.ch Zeus watchlists
  • Continuously on the same IP address
  • Generating a storm of alerts from a number of endpoints

Environment

  • EDR Console: All Versions
  • EDR Hosted: All Versions

Cause

A large number of hits fire on the abuse.ch watchlists continuously for the same IP address, generating many alerts from a number of endpoints.

Resolution

Run the query below in Process Search:
1. (alliance_score_abusech:*)
This shows all of the abuse.ch hits for whatever time period is selected.

2. If there is a specific IP address that you do not need to see, modify the query with a negation:
(alliance_score_abusech:* AND -ipaddr:NOISYIPHERE)
Where this guidance falls short for some customers is that the IP addresses in the feed change: one week you need to negate one IP, the next week a different one. The recommendation at that point is not to build an endless chain of negated IPs (too much negation starts to impact query performance) but to ignore that Threat Report at the Feed level.

3. If you can find the right balance, save the resulting query as a watchlist, and follow one of the final steps of tuning: disable the alerts from the feed and rely on the watchlist for your (hopefully more actionable) alert data.
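The following Python script is an added example, not part of this article and not Carbon Black code. It works the three steps above against a set of Process Search hits that have already been exported: it counts hits and distinct endpoints per IP, builds the negated query from step 2 for the noisy IPs, and, once the list of IPs to negate grows past a cap, recommends ignoring the Threat Report at the Feed level instead of extending the negation chain. The sample hits are constructed, and the record fields (hostname, ipaddr, report) and the MIN_HITS and MAX_NEGATIONS thresholds are assumptions; only the query syntax comes from the article.

```python
"""
Added example (not from the KB article): triage abuse.ch Process Search hits
by destination IP and build the negated query from step 2 with a bounded
number of negations. When the noisy-IP list outgrows the cap, fall back to
the article's advice to ignore the Threat Report at the Feed level.
"""
from collections import Counter

# Query from the article; everything else in this file is an assumption.
BASE_QUERY = "alliance_score_abusech:*"

# Assumed tuning knobs (not from the article): an IP is "noisy" once it
# produces at least MIN_HITS results, and we refuse to negate more than
# MAX_NEGATIONS IPs because long negation chains hurt query performance.
MIN_HITS = 3
MAX_NEGATIONS = 3

# Constructed sample hits (not real data). The field names are an assumed
# shape for exported Process Search results, not the EDR API schema.
SAMPLE_HITS = [
    {"hostname": "WS-01", "ipaddr": "203.0.113.10", "report": "report_a"},
    {"hostname": "WS-02", "ipaddr": "203.0.113.10", "report": "report_a"},
    {"hostname": "WS-03", "ipaddr": "203.0.113.10", "report": "report_a"},
    {"hostname": "WS-01", "ipaddr": "203.0.113.10", "report": "report_a"},
    {"hostname": "SRV-07", "ipaddr": "203.0.113.10", "report": "report_a"},
    {"hostname": "WS-04", "ipaddr": "198.51.100.7", "report": "report_b"},
    {"hostname": "WS-05", "ipaddr": "198.51.100.7", "report": "report_b"},
    {"hostname": "WS-04", "ipaddr": "198.51.100.7", "report": "report_b"},
    {"hostname": "WS-09", "ipaddr": "192.0.2.44", "report": "report_a"},
]


def summarize_by_ip(hits):
    """Return {ip: (hit_count, distinct_endpoint_count)}, noisiest IP first."""
    hit_count = Counter(h["ipaddr"] for h in hits)
    hosts = {}
    for h in hits:
        hosts.setdefault(h["ipaddr"], set()).add(h["hostname"])
    return {ip: (n, len(hosts[ip])) for ip, n in hit_count.most_common()}


def noisy_ips(hits, min_hits=MIN_HITS):
    """IPs that produced at least min_hits results, noisiest first."""
    return [ip for ip, (n, _) in summarize_by_ip(hits).items() if n >= min_hits]


def build_query(ips, base=BASE_QUERY):
    """Step 2 of the article: append one -ipaddr:<ip> negation per noisy IP."""
    if not ips:
        return f"({base})"
    negations = " AND ".join(f"-ipaddr:{ip}" for ip in ips)
    return f"({base} AND {negations})"


def tune(hits, min_hits=MIN_HITS, max_negations=MAX_NEGATIONS):
    """Choose between a negated watchlist query and ignoring the report at the feed.

    Too many noisy IPs means the negation chain would keep growing week to
    week, so report which Threat Reports to ignore at the Feed level instead.
    """
    ips = noisy_ips(hits, min_hits)
    if len(ips) > max_negations:
        reports = sorted({h["report"] for h in hits if h["ipaddr"] in ips})
        return {"action": "ignore_report_at_feed", "reports": reports, "noisy_ips": ips}
    return {"action": "save_as_watchlist", "query": build_query(ips), "noisy_ips": ips}


if __name__ == "__main__":
    for ip, (n, endpoints) in summarize_by_ip(SAMPLE_HITS).items():
        print(f"{ip:<15} hits={n} endpoints={endpoints}")
    print(tune(SAMPLE_HITS))
```

On the constructed sample, two IPs cross the threshold and the script emits a query with two negations that can be saved as the watchlist from step 3; lowering max_negations (or running it the following week against a new set of IPs) flips the recommendation to ignoring the report at the Feed level.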