**Only some alerts are triggered during scheduled execution.**

In Kibana, we trigger alerts for logs imported from external sources using the rule below.
While manual execution detects all matching logs without any issue, scheduled execution fails to detect some of them.

Specifically,

  • During one time period, an alert is raised for every matching log.
  • During another time period, no alert is raised for any of the matching logs.

This situation suggests that some time-related factor may be involved.
If anyone has experienced a similar issue or has any ideas about possible causes and solutions, please share your insights.

[Rule Settings]

Rule Definition

  • Index Pattern: logs-xxx-default
  • EQL Query: any where threat.field1 == "1"
  • Rule Type: Event Correlation
  • Timeline Template: None

Scheduled Execution Interval

  • Execution Interval: 5m
  • Additional Lookback Time: 1m

If additional information is needed, I will provide it.
Thank you very much.
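As an added illustration (not part of the original thread, and not a statement of what is actually happening in Kick's deployment), the following Python simulation shows how a detection rule's scheduled search window, which is the execution interval plus the additional lookback applied to the event timestamp field, interacts with documents that are indexed some time after their `@timestamp`. The events, their times, and the rule that a scheduled run can only evaluate documents already in the index at the moment it executes are constructed for the example. The `ts_field` parameter models Kibana's "Timestamp override" rule setting (typically `event.ingested`); that this would resolve the reported symptom is an assumption of the example, not something the thread establishes.

```python
from datetime import datetime, timedelta, timezone

# Rule settings from the post: "Execution Interval: 5m", "Additional Lookback Time: 1m".
INTERVAL = timedelta(minutes=5)
LOOKBACK = timedelta(minutes=1)

# Constructed reference time for the simulation (not from the original post).
T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)

def _m(minutes, seconds=0):
    return T0 + timedelta(minutes=minutes, seconds=seconds)

# Constructed sample events. "@timestamp" is what the external source stamped
# on the log line; "event.ingested" is when Elasticsearch indexed the document.
# Imported logs frequently carry an @timestamp well before event.ingested.
EVENTS = [
    {"id": "a", "@timestamp": _m(2),       "event.ingested": _m(2, 30),  "threat.field1": "1"},
    {"id": "b", "@timestamp": _m(4, 30),   "event.ingested": _m(5, 20),  "threat.field1": "1"},
    {"id": "c", "@timestamp": _m(3, 30),   "event.ingested": _m(5, 30),  "threat.field1": "1"},
    {"id": "d", "@timestamp": _m(-30),     "event.ingested": _m(6),      "threat.field1": "1"},
    {"id": "e", "@timestamp": _m(11),      "event.ingested": _m(11, 10), "threat.field1": "1"},
    {"id": "f", "@timestamp": _m(12),      "event.ingested": _m(12),     "threat.field1": "0"},
]

def search_window(run_time, interval=INTERVAL, lookback=LOOKBACK):
    """Range a scheduled run searches: (run_time - interval - lookback, run_time]."""
    return run_time - interval - lookback, run_time

def matches(event, start, end, ts_field="@timestamp"):
    """Apply the rule's EQL predicate (any where threat.field1 == "1") within the window."""
    ts = event[ts_field]
    return event["threat.field1"] == "1" and start < ts <= end

def scheduled_alerts(events, first_run=T0, runs=4, ts_field="@timestamp"):
    """Simulate consecutive scheduled executions spaced INTERVAL apart.

    A run can only see documents whose event.ingested is not later than the
    run itself; documents that arrive later are left for subsequent runs,
    which only help if the document's timestamp still falls inside their window.
    """
    alerted = set()
    for i in range(runs):
        run_time = first_run + i * INTERVAL
        start, end = search_window(run_time)
        for ev in events:
            if ev["event.ingested"] > run_time:
                continue  # not yet in the index when this run executed
            if matches(ev, start, end, ts_field):
                alerted.add(ev["id"])
    return alerted

def manual_alerts(events, start, end, ts_field="@timestamp"):
    """A manual run over an explicit, wide range executed after everything is indexed."""
    return {ev["id"] for ev in events if matches(ev, start, end, ts_field)}

def run_demo():
    """Compare the three cases on the constructed events."""
    return {
        "scheduled_on_timestamp": scheduled_alerts(EVENTS),
        "scheduled_on_ingested": scheduled_alerts(EVENTS, ts_field="event.ingested"),
        "manual_wide_range": manual_alerts(EVENTS, _m(-60), _m(20)),
    }

if __name__ == "__main__":
    for name, ids in run_demo().items():
        print(f"{name}: {sorted(ids)}")
```

In the constructed data, events `c` and `d` match the query and are found by the manual run, but no scheduled run ever alerts on them when the window is applied to `@timestamp`: by the time they are indexed, their `@timestamp` is already older than the 6-minute window of the next run. Event `b` is delayed across a run boundary as well, but by less than the 1-minute lookback, so the next run still picks it up. Applying the window to `event.ingested` instead makes every matching event alert exactly once in this simulation.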

Hello @Kick

I am not sure, but could you please review the section "Handling multiple matches of the same document" from the URL below, which even has an example:

I believe you have this option turned on, because of which the alerts are fired at once, and after that the document might be a duplicate, because of which no new alerts are triggered.

If this is not the problem, kindly confirm so that we can think of other issues that could be linked to this problem.

Thanks!!