Detection rules that only alert on the 1st detection of an event

kossde · December 3, 2021, 9:30pm

Apologies, but I am pretty new to the detection rules process. So any help is greatly appreciated!

I was wondering if anyone knew of a way that I could create a detection rule that only alerts the first time an event occurs within a specified timeframe? We need to see the 1st instance of an event but not be notified of every (if any) event that occurs afterwards within a set timeframe.

I realize that I can create actions that only happen once every hour, etc, but I specifically need this to only happen every 3 hours.

Also, is there a way to create a query that alerts only when the number of events is LESS than a specified number? Think Threshold detections but reversed: If such and such event occurs exactly 1 time within the last 5 minutes, perform action. Otherwise, don't.

jamesspi · December 7, 2021, 3:48pm

Hey @kossde,

Unfortunately, both these asks aren't possible right now within the detection engine itself.

That being said - for the second question, you may want to look into transforms. Transforms will allow you to pre-aggregate data into a new index. You can then just use a traditional KQL query on the new index like event.count < x.

Let me know if you had any other questions on the topic.

James

system · January 4, 2022, 3:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.