Hi @leon3, welcome to our community!
We're glad you are trying out the Elastic Security solution, and hopefully we can get to the bottom of your rule questions and get your detections running smoothly.
Please allow me to start with a very basic question: how are you determining that the rule is not triggering?
If you are able to share your rule with us (be sure to mask out any confidential information), that could help us spot anything that might be contributing to your issue.
Also, please let us know a little bit about your environment:
- What version of the Elastic Stack are you running in Elastic Cloud?
- How are you sending your data into Elastic Cloud?
- Is your data represented in an ECS-compliant format?
Meanwhile, here are some monitoring and troubleshooting tips for when you are missing alerts.
One thing to keep in mind is that the "Quick query preview" function during rule creation excludes the effects of rule exceptions and timestamp overrides. So if your rule has either of these applied, that could lead to a difference in behavior between the preview query and the rule execution.
Another idea: You mention a "triggering action" for the rule. Be sure to check out your rule Actions frequency settings. If you select one of the settings below, you will only get the notification one time per (hour/day/week).
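As an added illustration (not part of the original post and not Elastic's code), here is a small Python model of the two points above: why a query preview that ignores rule exceptions and the timestamp override can disagree with the scheduled rule run, and how an action-frequency throttle collapses several alerts into one notification. The events, host names, look-back window and throttle interval are constructed for the example; only the ECS field names `@timestamp` and `event.ingested` are real.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc)   # constructed "current" time
LOOKBACK = timedelta(minutes=10)                          # rule interval + additional look-back
THROTTLE = timedelta(hours=1)                             # action frequency: at most once per hour

# Constructed sample events (ECS field names, made-up values).
EVENTS = [
    # arrived on time, matches the query, no exception -> preview and rule both see it
    {"id": 1, "@timestamp": NOW - timedelta(minutes=3), "event.ingested": NOW - timedelta(minutes=2),
     "process.name": "powershell.exe", "host.name": "ws-01"},
    # matches the query, but the host is covered by a rule exception -> preview shows it, rule drops it
    {"id": 2, "@timestamp": NOW - timedelta(minutes=4), "event.ingested": NOW - timedelta(minutes=4),
     "process.name": "powershell.exe", "host.name": "admin-jump"},
    # late-arriving: old @timestamp, recent event.ingested -> only a timestamp override catches it
    {"id": 3, "@timestamp": NOW - timedelta(hours=2), "event.ingested": NOW - timedelta(minutes=1),
     "process.name": "powershell.exe", "host.name": "ws-02"},
    # does not match the query at all
    {"id": 4, "@timestamp": NOW - timedelta(minutes=5), "event.ingested": NOW - timedelta(minutes=5),
     "process.name": "explorer.exe", "host.name": "ws-01"},
]

# Constructed alert times for the throttle demonstration.
ALERT_TIMES = [NOW, NOW + timedelta(minutes=20), NOW + timedelta(hours=1, minutes=5)]

def query(event):
    """Stand-in for the rule's KQL query: process.name : "powershell.exe"."""
    return event["process.name"] == "powershell.exe"

def in_window(event, time_field):
    """True if the chosen time field falls inside the rule's look-back window."""
    return NOW - LOOKBACK <= event[time_field] <= NOW

def preview_matches(events):
    """Quick query preview: evaluates the query against @timestamp only;
    rule exceptions and the timestamp override are not applied."""
    return {e["id"] for e in events if query(e) and in_window(e, "@timestamp")}

def rule_matches(events, timestamp_override="event.ingested", excepted_hosts=("admin-jump",)):
    """Scheduled rule execution: the window is evaluated on the override field
    and documents matching a rule exception never become alerts."""
    return {e["id"] for e in events
            if query(e) and in_window(e, timestamp_override)
            and e["host.name"] not in excepted_hosts}

def notifications_sent(alert_times, throttle):
    """Action frequency: with a throttle interval set, a notification goes out
    only when at least one interval has passed since the last one."""
    sent = []
    for t in sorted(alert_times):
        if not sent or t - sent[-1] >= throttle:
            sent.append(t)
    return len(sent)
```

The preview reports events 1 and 2, while the rule run alerts on 1 and 3: the exception hides event 2, and the override on `event.ingested` pulls in the late-arriving event 3 that the preview's `@timestamp` window misses.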