How does the look-back time of detection rules work?

What time period do rules look over when they are run (automatically)? Is that defined by the look-back time we set?

If that's the case, I've come across some odd behavior from a custom threshold rule (grouped by 3 occurrences on the same host.name) where I've set the look-back time to 1 second (for testing purposes). Yet when I run a preview, these events trigger an alert despite spanning a 4-second period:

Feb 5, 2025 @ 10:16:10.306
Feb 5, 2025 @ 10:16:08.209
Feb 5, 2025 @ 10:16:06.091

I must be misunderstanding the time period that rules look over and how it is defined. Could someone clarify this issue?

Hi @pok_lehbim, when a rule runs it queries the time period between now - (interval + look-back) and now.

We can refer to the docs where it's explained in different words:

For example, if you set a rule to run every 5 minutes with an additional look-back time of 1 minute, the rule runs every 5 minutes but analyzes the documents added to indices during the last 6 minutes.

It is recommended to set the Additional look-back time to at least 1 minute. This ensures there are no missing alerts when a rule does not run exactly at its scheduled time.

Hope this helps!

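The window formula from the answer above, worked through on the three timestamps in the question, as an added example (not code from the original thread or from Elastic). It assumes only the relation stated in the reply, query window = [now - (interval + look-back), now], and a threshold rule that counts events per host.name; the rule interval, the "now" of the run, the host name and the late-execution scenario are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events modelled on the three timestamps in the question,
# all attributed to one (hypothetical) host so the grouped threshold applies.
EVENTS = [
    {"@timestamp": "2025-02-05T10:16:10.306Z", "host.name": "host-a"},
    {"@timestamp": "2025-02-05T10:16:08.209Z", "host.name": "host-a"},
    {"@timestamp": "2025-02-05T10:16:06.091Z", "host.name": "host-a"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with millisecond precision."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def query_window(now: datetime, interval: timedelta, look_back: timedelta):
    """Time range one rule execution queries, per the reply:
    [now - (interval + look_back), now]."""
    return now - (interval + look_back), now


def threshold_hits(events, now, interval, look_back, group_by="host.name", threshold=3):
    """Count in-window events per group and return the groups that reach the threshold."""
    start, end = query_window(now, interval, look_back)
    counts = Counter()
    for event in events:
        ts = parse_ts(event["@timestamp"])
        if start <= ts <= end:
            counts[event[group_by]] += 1
    return {group: n for group, n in counts.items() if n >= threshold}


def uncovered_seconds(prev_run: datetime, actual_run: datetime, interval: timedelta, look_back: timedelta) -> float:
    """Seconds between the end of the previous run's window and the start of the
    next run's window. Anything above 0 is a gap in which events are never queried,
    which is why the docs recommend a look-back of at least one minute."""
    start, _ = query_window(actual_run, interval, look_back)
    return max(0.0, (start - prev_run).total_seconds())


if __name__ == "__main__":
    # Constructed "now": one second after the newest event in the question.
    now = datetime(2025, 2, 5, 10, 16, 11, tzinfo=timezone.utc)

    # A 5-minute interval with a 1-second look-back queries 5m1s of data,
    # so the 4-second spread of the three events fits easily and the rule fires.
    print(threshold_hits(EVENTS, now, timedelta(minutes=5), timedelta(seconds=1)))

    # Only with an equally tiny interval does the window shrink to 2 seconds;
    # then a single event is in range and no alert is produced.
    print(threshold_hits(EVENTS, now, timedelta(seconds=1), timedelta(seconds=1)))

    # Late execution: scheduled every 5 minutes, but the run fires 30 s late.
    prev_run = datetime(2025, 2, 5, 10, 0, 0, tzinfo=timezone.utc)
    late_run = datetime(2025, 2, 5, 10, 5, 30, tzinfo=timezone.utc)
    print(uncovered_seconds(prev_run, late_run, timedelta(minutes=5), timedelta(seconds=1)))
    print(uncovered_seconds(prev_run, late_run, timedelta(minutes=5), timedelta(seconds=60)))
```

The first call reproduces the behaviour in the question: the look-back only extends the window that the interval already provides, so a 1-second look-back on a 5-minute schedule still covers 5 minutes and 1 second. The last two calls show the gap that a late run opens when the look-back is shorter than the delay, and that a 60-second look-back closes it.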