There are a few types of SIEM detection rules, each with its own execution logic, but in the simplest case (Custom Query rule type) a rule works by searching over the source indices, matching every document against the "Custom query", and creating a detection alert document for every matched document from the source indices.
- in this example it searches over auditbeat-* etc. indices
- tries to find documents with
- for every document found during a rule execution it will create its own detection alert document
Every rule runs on a schedule. In general, the number of alert documents indexed per rule execution depends on that schedule, because the schedule defines the length of the document scan interval, and thus the potential number of source documents matching the Custom query.
- the larger the sum of "runs every" and "additional look-back time", the more source documents will be scanned per rule execution, and the more alerts can be generated
- we have de-duplication logic, but it's based on the source documents: the "additional look-back time" can lead to scanning the same source documents multiple times, so we make sure to generate only 1 alert per source document
If you need to keep the same logic described above, but generate only a single alert per rule execution, you could instead create a Threshold rule. This rule type aggregates source documents before generating alerts.
- here it will search for the documents having the same
- group them by the
- and generate an alert if there's more than 1 document in each group (in our case there's only one group because we filtered by the concrete IP)
So the Threshold rule in the example above will generate at most 1 detection alert per execution. There are some caveats:
- alerts generated by several consecutive rule executions won't be deduplicated or "muted"
- if you have a complex query involving multiple fields, you will need to empty the "Group by" input and only set the "Threshold"
Let me know if this helps. And if not, our team would be curious to learn about your use case in more detail: what rule type you're using with what parameters, what's missing, and what features you'd expect to be present in the app.
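To make the execution model from the answer above concrete, here is an added simulation (example code, not Kibana's own implementation or anything from the original post). It models a Custom Query rule whose scan window is "runs every" plus "additional look-back time", de-duplicates alerts by source document id across overlapping windows, and a Threshold rule that groups the matching documents and emits at most one alert per group per execution. The timestamps, document ids, IP values and the `matches`/`scan_window` helpers are all constructed assumptions for the demonstration.

```python
from typing import Dict, List, Optional, Set

# Constructed sample source documents (integer timestamps, not real auditbeat data).
SOURCE_DOCS = [
    {"_id": "d1", "@timestamp": 100, "source.ip": "10.0.0.5"},
    {"_id": "d2", "@timestamp": 160, "source.ip": "10.0.0.5"},
    {"_id": "d3", "@timestamp": 250, "source.ip": "10.0.0.5"},
    {"_id": "d4", "@timestamp": 310, "source.ip": "192.168.1.9"},
    {"_id": "d5", "@timestamp": 330, "source.ip": "10.0.0.5"},
]


def matches(doc: dict, field: str, value: str) -> bool:
    """Stand-in for the 'Custom query': a single field equality filter."""
    return doc.get(field) == value


def scan_window(docs: List[dict], exec_time: int, runs_every: int, lookback: int) -> List[dict]:
    """Documents in [exec_time - (runs_every + lookback), exec_time).
    Assumption: the look-back is added on top of the schedule interval, so
    consecutive executions overlap by `lookback` time units."""
    start = exec_time - runs_every - lookback
    return [d for d in docs if start <= d["@timestamp"] < exec_time]


class CustomQueryRule:
    """One alert per matching source document; duplicates across overlapping
    windows are suppressed by remembering which source ids already alerted."""

    def __init__(self, field: str, value: str, runs_every: int, lookback: int, dedupe: bool = True):
        self.field, self.value = field, value
        self.runs_every, self.lookback = runs_every, lookback
        self.dedupe = dedupe
        self.seen_ids: Set[str] = set()

    def execute(self, docs: List[dict], exec_time: int) -> List[dict]:
        alerts = []
        for d in scan_window(docs, exec_time, self.runs_every, self.lookback):
            if not matches(d, self.field, self.value):
                continue
            if self.dedupe and d["_id"] in self.seen_ids:
                continue  # same source document seen by an earlier execution
            self.seen_ids.add(d["_id"])
            alerts.append({"source_id": d["_id"], "exec_time": exec_time})
        return alerts


class ThresholdRule:
    """Aggregates matching documents per group and alerts once per group that
    reaches `min_count`. No cross-execution de-duplication, matching the caveat
    in the answer: overlapping windows can re-alert on the same documents."""

    def __init__(self, field: str, value: str, group_by: Optional[str], min_count: int,
                 runs_every: int, lookback: int):
        self.field, self.value, self.group_by = field, value, group_by
        self.min_count = min_count
        self.runs_every, self.lookback = runs_every, lookback

    def execute(self, docs: List[dict], exec_time: int) -> List[dict]:
        groups: Dict[str, List[dict]] = {}
        for d in scan_window(docs, exec_time, self.runs_every, self.lookback):
            if matches(d, self.field, self.value):
                # Empty "Group by" puts every matching document in one bucket.
                key = d.get(self.group_by, "") if self.group_by else "__all__"
                groups.setdefault(key, []).append(d)
        return [{"group": k, "count": len(v), "exec_time": exec_time}
                for k, v in groups.items() if len(v) >= self.min_count]


def run_schedule(rule, docs: List[dict], exec_times: List[int]) -> Dict[int, int]:
    """Number of alerts produced by each scheduled execution."""
    return {t: len(rule.execute(docs, t)) for t in exec_times}


if __name__ == "__main__":
    schedule = [200, 300, 400]  # "runs every" 100, look-back 50 -> windows overlap by 50
    print("custom query (dedup):  ", run_schedule(CustomQueryRule("source.ip", "10.0.0.5", 100, 50), SOURCE_DOCS, schedule))
    print("custom query (no dedup):", run_schedule(CustomQueryRule("source.ip", "10.0.0.5", 100, 50, dedupe=False), SOURCE_DOCS, schedule))
    print("threshold >= 2 by ip:  ", run_schedule(ThresholdRule("source.ip", "10.0.0.5", "source.ip", 2, 100, 50), SOURCE_DOCS, schedule))
```

Running it shows the two effects the answer describes: without de-duplication the overlapping windows re-alert on documents d2 and d3, while the threshold rule produces a single alert per execution for the filtered IP but keeps firing on consecutive executions whose windows still contain enough of the same documents.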