I am trying to build a rule to detect login activity from multiple countries (minimum 2 unique) within the last 8 hours for a user, and when matched an alert should be generated within 5 minutes.
Run every: 5 mins
Additional look-back: 8 hours
However, whenever the query runs every 5 minutes it generates duplicate alerts, since it looks back over 8 hours. Is there a way to suppress the alerts / group alerts based on user for the exact time of the additional look-back? I tried all rule types and was unable to achieve this. I am on version 8.11. Any ideas or suggestions?
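The scheduling behaviour the question describes, as an added simulation that is not part of the original post and not the code of any SIEM product: a rule that runs every 5 minutes over an 8-hour look-back will keep re-matching the same pair of logins on every run until the older login falls out of the window, so the same user produces dozens of alerts. The example replays constructed login events (sample values, not real data) through that schedule with and without a per-user suppression period equal to the look-back, which is the grouping the question asks for. Event fields, the `EVENTS` list and the function names are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events for the simulation (not real data).
# Timestamps are ISO 8601 without a timezone for brevity.
EVENTS = [
    {"ts": "2024-01-01T00:10:00", "user": "alice", "country": "US"},
    {"ts": "2024-01-01T01:00:00", "user": "bob",   "country": "US"},
    {"ts": "2024-01-01T02:00:00", "user": "bob",   "country": "US"},
    {"ts": "2024-01-01T03:00:00", "user": "alice", "country": "DE"},
    {"ts": "2024-01-01T09:00:00", "user": "alice", "country": "GB"},
    {"ts": "2024-01-01T12:00:00", "user": "alice", "country": "FR"},
]

LOOKBACK = timedelta(hours=8)      # "Additional look-back: 8 hours"
INTERVAL = timedelta(minutes=5)    # "Run every: 5 mins"


def _as_dt(value):
    """Accept either an ISO 8601 string or a datetime."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def window_matches(events, window_end, lookback=LOOKBACK, min_countries=2):
    """One rule execution: return {user: sorted distinct countries} for every user
    with at least `min_countries` distinct countries in (window_end - lookback, window_end]."""
    end = _as_dt(window_end)
    start = end - lookback
    seen = defaultdict(set)
    for e in events:
        t = _as_dt(e["ts"])
        if start < t <= end:
            seen[e["user"]].add(e["country"])
    return {u: sorted(c) for u, c in seen.items() if len(c) >= min_countries}


def run_schedule(events, first_run, last_run, interval=INTERVAL,
                 lookback=LOOKBACK, suppress=True):
    """Simulate the scheduled rule from first_run to last_run (inclusive).

    Returns a list of (run_time_iso, user, countries) alerts.
    suppress=False: every run alerts again while the matching logins stay inside
                    the look-back, which is the duplicate-alert behaviour.
    suppress=True:  after alerting on a user, further alerts for that user are
                    dropped until `lookback` has elapsed since the last alert.
    """
    alerts = []
    last_alert = {}               # user -> time of last emitted alert
    run = _as_dt(first_run)
    last = _as_dt(last_run)
    while run <= last:
        for user, countries in window_matches(events, run, lookback).items():
            if suppress and user in last_alert and run - last_alert[user] < lookback:
                continue          # still inside the suppression period for this user
            alerts.append((run.isoformat(), user, countries))
            last_alert[user] = run
        run += interval
    return alerts


if __name__ == "__main__":
    start, end = "2024-01-01T00:00:00", "2024-01-01T14:00:00"
    noisy = run_schedule(EVENTS, start, end, suppress=False)
    quiet = run_schedule(EVENTS, start, end, suppress=True)
    print(f"without suppression: {len(noisy)} alerts")
    print(f"with per-user suppression for the look-back: {len(quiet)} alerts")
    for a in quiet:
        print(a)
```

On the sample data the unsuppressed schedule emits 111 alerts, all for alice, while per-user suppression reduces them to two. The second run also shows the cost of keying suppression on the user alone: alice's GB login at 09:00 forms a new country pair with DE, but it falls inside the suppression period opened at 03:00 and is never alerted; keying the suppression on the user plus the set of countries instead would surface it.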
We need to look closer into the exported rule to understand why duplicate alerts appear. Before attaching any rule config, please make sure it does not contain any sensitive information.