Single behavior generates several alerts

Hello evry body,

I have a lot of alerts generated by a single behavior scan from the address IP x.x.x.x to the ip address Y (each time the rule is executed another alerts is created). Is there a way to have only one alert instead of multiple alerts for single behavior?

Best regards,

The only thing you could do is adjust your threshold, lookback, and interval. If you set your threshold to 5 it will only generate an alert once 5 matching events are generated in the amount of time you're looking back. It's not great, but that's all there is right now. Other SIEM have more advanced options, there was a recent post that discussed it: Reduce duplicate signals/ alerts

Unfortunately that post didn't get any input.

1 Like

Hello @frank_rib :wave:

There are a few types of SIEM detection rules with their own execution logic, but in the most simple case (Custom Query rule type) the way a rule works is it searches over the source indices, matches every document with the "Custom query", and creates a detection alert document for every matched document from the source indices.

  • in this example it searches over apm-*-transaction*, traces-apm*, auditbeat-* etc indices
  • tries to find documents with source.ip =
  • for every document found during a rule execution it will create its own detection alert document

Every rule runs on a schedule. In general, the amount of documents indexed per each rule execution depends on it, because the schedule defines the length of the document scan interval, and thus the potential number of source documents matching the Custom query.

  • the larger the sum of "runs every" and "additional look-back time", the more source documents will be scanned per rule execution, and the more alerts can be generated
  • we have a de-duplication logic, but it's based on the source documents: the "additional look-back time" can lead to scanning the same source documents multiple times, so we make sure to generate only 1 alert per each source document

If you need to keep the same logic described above, but generate only a single alert per rule execution, you could instead create a Threshold rule. This rule type aggregates source documents before generating alerts.

  • here it will search for the documents having the same source.ip =
  • group them by the source.ip field
  • and generate an alert if there's more than 1 document in each group (in our case there's only one group because we filtered by the concrete IP)

So the Threshold rule in the example above will generate at most 1 detection alert per execution. There are some caveats:

  • alerts generated by several consecutive rule executions won't be deduplicated or "muted"
  • if you have a complex query involving multiple fields, you will need to empty the "Group by" input and only set the "Threshold"

Let me know if this helps. And by the way if not, our team would be curious to learn about your use case in more detail: what rule type you're using with what parameters, what's missing and what features you'd expect to be present in the app.

@n2x4 thank you for pointing to this post. While there were discussions in Elastic around the concept of "muting" detection rules, I can't provide any specific info on that. I'll ping our PMs, hopefully they'd be able to provide some feedback.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.