diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/__snapshots__/build_group_by_field_aggregation.test.ts.snap b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/__snapshots__/build_group_by_field_aggregation.test.ts.snap
index f1f3e409217f8..a46533db938f3 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/__snapshots__/build_group_by_field_aggregation.test.ts.snap
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/__snapshots__/build_group_by_field_aggregation.test.ts.snap
@@ -16,7 +16,7 @@ Object {
 },
 "topHits": Object {
 "top_hits": Object {
- "size": 100,
+ "size": 1,
 "sort": Array [
 Object {
 "kibana.combined_timestamp": Object {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/build_group_by_field_aggregation.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/build_group_by_field_aggregation.ts
index 88b2c4f450862..af0821de31146 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/build_group_by_field_aggregation.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/build_group_by_field_aggregation.ts
@@ -31,7 +31,7 @@ export const buildGroupByFieldAggregation = ({
 aggs: {
 topHits: {
 top_hits: {
- size: maxSignals,
+ size: 1,
 sort: [
 {
 [aggregatableTimestampField]: {
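Review bot: The bare `size: 1` in the `top_hits` block of build_group_by_field_aggregation.ts is undocumented, yet it now determines that each suppression group is represented by exactly one source event, chosen by the `aggregatableTimestampField` sort that follows. For an analyst triaging a suppressed alert, it matters which event that is and that the others are not retrieved, so I would add a comment above the line such as `// One representative event per group is enough to build the suppressed alert; the sort below picks which one.` The sort direction and the rest of `buildGroupByFieldAggregation` lie outside the hunk, so the stated purpose is inferred and should be confirmed. If `maxSignals` is no longer read anywhere else in the function, it should also be dropped from the destructured parameters.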