I have a delicate problem in the alert part of elastic security, first I am receiving logs from a security source, and I created a detection rule to alert every time such an event arrives, the rule works perfectly, it is able to detect all events , but in the alert part, it is not alerting all detections, for example I had 31 detections but only 8 were alerted, I am using the webhook to send these alerts. Can anyone help me with this? the action is defined in "each rule execution", and the schedule is every 1 minute with a 5-minute look-back.
Hi @RaonyO, I think what you're experiencing is similar to what I explained in your other post.
The current behavior of rule actions is that a single action (i.e. slack, webhook, etc) will be triggered for all the alerts generated during the "action frequency" timeframe (i.e. on each rule execution, hourly, etc) If, for example, you selected "on each rule execution" for action frequency and the rule executes and generates 10 alerts in that rule execution, then a single rule action will be triggered and will contain 10 alerts in the context.
In future releases, we're looking into adding additional flexibility to rule actions and giving users the option to trigger one action per alert generated. Hope this helps!
I understand, unfortunately this function doesn't exist yet :/, I'm waiting for a trigger that fires with each generated alert, as it will be extremely useful! for now as a remedy I'm using elastalert2
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.