Unable to suppress duplicate alerts

I am trying to build a rule to detect login activity from multiple countries (minimum 2 unique) within the last 8 hours for a user, and when it matches, an alert should be generated within 5 minutes.

Run every: 5mins
Additional Look-back: 8 hours

However, whenever the query runs every 5 minutes it generates duplicate alerts, since it looks back 8 hours. Is there a way to suppress the alerts / group alerts by user for the exact duration of the additional look-back? I tried all rule types and was unable to achieve this. I am on version 8.11. Any ideas or suggestions?


Hi, @KraLot. Welcome to the community!

Can you please give us more details on the rule?

What rule type are you using? What query is used in the rule?
What is the rest of its configuration?
An exported rule (Manage detection rules | Elastic Security Solution [8.11] | Elastic) can be a good starting point for us to look at its config.

Additional look-back time should not cause duplicate alerts, since they are deduplicated within rule execution: Create a detection rule | Elastic Security Solution [8.11] | Elastic

We need to look closer at the exported rule to understand why duplicate alerts appear. Before attaching any rule config, please make sure it does not contain any sensitive information.

Suppression as of 8.11 is in technical preview for the Custom query rule type only, and is available with a Platinum license: Suppress detection alerts | Elastic Security Solution [8.11] | Elastic

Rule config

{
    "name": "Logins activity from multiple countries",
    "interval": "5m",
    "meta": {
        "from": "8h"
    },
    "investigation_fields": {
        "field_names": [
            "geo.country_iso"
        ]
    },
    "from": "now-29100s",
    "max_signals": 100,
    "to": "now",
    "immutable": false,
    "type": "esql",
    "language": "esql",
    "query": "from logs-* | where event == \"LOGIN\" and user.id is not null | keep client.ip, geo.country_iso, user.id | stats total = count(*), countries_list = count_distinct(geo.country_iso) by user.id | eval user = user.id | where countries_list >= 2"
}

Unfortunately, at this moment the ES|QL rule type does not support alert suppression.

But I think using the threshold rule type can help in your case.

Here is a screenshot of the configuration:

It will trigger an alert when, for the same user.id, there are 2 unique iso_country_code values.

Note: the field names and index name are not the same as in the ES|QL query example from the exported rule, so they need to be changed to the actual ones.

More information on threshold rule can be found here: Create a detection rule | Elastic Security Solution [8.11] | Elastic
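As an added illustration (not the contents of Vitalii's screenshot, and not part of the original thread), the threshold rule he describes can be expressed in the same exported-rule JSON shape as the ES|QL rule above. The KQL query and the `threshold` block are my rendering of those settings; the index pattern and field names are reused from the ES|QL query and, as noted above, must be replaced with the real ones.

```json
{
  "name": "Login activity from multiple countries (threshold)",
  "type": "threshold",
  "language": "kuery",
  "index": ["logs-*"],
  "query": "event : \"LOGIN\" and user.id : *",
  "threshold": {
    "field": ["user.id"],
    "value": 1,
    "cardinality": [
      { "field": "geo.country_iso", "value": 2 }
    ]
  },
  "interval": "5m",
  "from": "now-29100s",
  "to": "now",
  "max_signals": 100
}
```

`threshold.field` groups matching login events per user.id, `threshold.value` of 1 requires at least one event in the group, and the `cardinality` entry requires at least 2 distinct geo.country_iso values within the 8-hour-plus-interval window before the group becomes a single alert.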

Thank you Vitalii, it worked via threshold.

