
IDS and Shun Host/Shun Connection

marina0211
Level 1

Is an alert created when Shun Connection or Shun Host action conditions are met?

Thanks and Regards

Marina

1 Reply

marcabal
Cisco Employee

There are 2 methods for a Shun (Connection or Host) to be created: manual and automatic.

With a manual shun request, the user requests (through IDM or SecMon) for the sensor to shun a specific address (or connection) for a specific amount of time.

In this case the request is manual and there will not be an alert created. Instead there is a status message that the shun was requested.

With an automatic shun, the user configures the sensor to do an automatic shun (connection or host) when a specific signature is triggered.

If the signature is triggered then the user will see 2 messages created on the sensor. The first is the alert itself, and the second is the shun request that sensorApp generated (that the network access controller process also receives; it is the network access controller that executes the shun).

There are, however, a few caveats to this.

1) If the alert is filtered in the alarm-channel then neither the alert nor the shun request will be generated and the host/connection will not be shunned.

2) If the alert is being Summarized, then only 1 shun request should be sent for the first alert, BUT there is a known bug on some signatures where the shun request is being sent for every alert within the summary period. So if the summary alert is a summary of 200 alerts, then you would have seen 200 actual shun requests. This is being corrected in a future version.
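An added example, not part of the reply above and not Cisco code: a small audit over exported events that checks the behaviour described, flagging sources that received more than one automatic shun request within a summary period and automatic shun requests with no matching alert. The event schema, field names, addresses and the 30-second interval are assumptions made for illustration and are not the sensor's real event format.

```python
from collections import defaultdict

# Constructed sample events in a simplified, hypothetical schema (not the
# sensor's real event format). "t" is seconds; "origin" marks manual vs auto.
EVENTS = [
    {"t": 100, "kind": "alert", "src": "10.0.0.5"},
    {"t": 100, "kind": "shun_request", "src": "10.0.0.5", "origin": "auto"},
    {"t": 101, "kind": "shun_request", "src": "10.0.0.5", "origin": "auto"},
    {"t": 102, "kind": "shun_request", "src": "10.0.0.5", "origin": "auto"},
    {"t": 200, "kind": "alert", "src": "10.0.0.9"},
    {"t": 200, "kind": "shun_request", "src": "10.0.0.9", "origin": "auto"},
    {"t": 300, "kind": "shun_request", "src": "10.0.0.7", "origin": "manual"},
    {"t": 400, "kind": "shun_request", "src": "10.0.0.8", "origin": "auto"},
]

def audit_shuns(events, summary_interval=30):
    """Return (duplicates, orphans) for automatic shun requests.

    duplicates: {src: n} where n > 1 automatic requests fall inside one
    summary interval (only the first alert should produce a request).
    orphans: sources with an automatic request that has no alert in the
    preceding interval (an automatic shun should accompany an alert).
    Manual requests are skipped: they produce a status message, not an alert.
    """
    alerts, shuns = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["kind"] == "alert":
            alerts[e["src"]].append(e["t"])
        elif e["kind"] == "shun_request" and e["origin"] == "auto":
            shuns[e["src"]].append(e["t"])

    duplicates, orphans = {}, []
    for src, times in shuns.items():
        window_start, count, worst = times[0], 0, 0
        for t in times:
            if t - window_start >= summary_interval:
                window_start, count = t, 0  # a new summary period begins
            count += 1
            worst = max(worst, count)
        if worst > 1:
            duplicates[src] = worst
        seen = alerts.get(src, [])
        if any(not any(0 <= t - a < summary_interval for a in seen) for t in times):
            orphans.append(src)
    return duplicates, orphans

if __name__ == "__main__":
    print(audit_shuns(EVENTS))
```
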
