I want to deploy a rule for the Mirai botnet. Event Device Type is Customdns, Event.threat_Category is Malware and Event.threat_subtype is Mirai. Aggregation is 2500 events in 1 minute, but I am still getting many alerts. What can I do to reduce the number of matches? Is there a way to suppress alerts after the first alert for a certain duration to keep false positives to a minimum?