Unable to suppress duplicate alerts

KraLot · February 29, 2024, 9:34pm

I am trying to build a rule to detect login activity from multiple countries (min 2 unique) within last 8 hours for a user and when matched alert should generate in 5mins.

Run every: 5mins
Additional Look-back: 8 hours

However whenever query runs for every 5mins it is generating duplicate alerts since it is looking back for 8 hours. Is there a way to suppress the alerts/ grouping alerts based on user for the exact time of additional lookback. I tried all rule types and unable to achieve this. I am on ver8.11. Any ideas or suggestions?

vitaliidm · March 4, 2024, 11:02am

Hi, @KraLot. Welcome to the community!

Can you please give us more details on rule?

What rule type are you using? What the query is used in the rule?
What the rest of its configuration?
Exported rule Manage detection rules | Elastic Security Solution [8.11] | Elastic can be a good to start to look at its config for us.

Additional lookback time should not cause duplicated alerts, since they deduplicated within rule execution: Create a detection rule | Elastic Security Solution [8.11] | Elastic

We need to look closer into exported rule to understand why duplicate alerts appear. Before attaching any of rule config, please make sure, it does not contain any sensitive information

Suppression as per 8.11 is in Technical preview for Custom query rule type only and available in Platinum license: Suppress detection alerts | Elastic Security Solution [8.11] | Elastic

KraLot · March 5, 2024, 6:54pm

Rule config

{
    "name": "Logins activity from multiple countries",
    "interval": "5m",
    "meta": {
        "from": "8h",
    },
    "investigation_fields": {
        "field_names": [
            "geo.country_iso"
        ]
    },
    "from": "now-29100s",
    "max_signals": 100,
    "to": "now",
    "immutable": false,
    "type": "esql",
    "language": "esql",
    "query": "from logs-* |where event == \"LOGIN\" and user.id is not null| keep client.ip,geo.country_iso, user.id |  stats total = count(*), countries_list = count_distinct(geo.country_iso) by user.id | eval user = user.id| where countries_list >= 2",
}

vitaliidm · March 6, 2024, 12:55pm

Unfortunately, at this moment ES|QL rule does not support alert suppression.

But, I think using threshold rule type can help in your case

Here is a screenshot of configuration:

It will trigger alert for when for the same user.id there would 2 unique iso_country_code values.

Note, field names and index name are not the same as in ES|QL query example from the exported rule, so need to be changed to the actual ones.

More information on threshold rule can be found here: Create a detection rule | Elastic Security Solution [8.11] | Elastic

KraLot · March 7, 2024, 4:59pm

Thank you Vitalii, it worked via threshold.

system · April 4, 2024, 5:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Security Alert ：How to suppress repeat alarms Elastic Security	2	427	March 15, 2023
Alert Suppression on Event Correlation Rule (duplicate alerts) Elastic Security detection-rules	2	462	August 21, 2023
1 alert for all detections & suppress repeat detections Elastic Security	4	633	November 4, 2022
SIEM custom rule to generate an alert if multiple users attempts with same source IP or same mac address Elastic Security elastic-stack-alerting	3	809	December 30, 2021
Group identical alerts in Elastic Security [7.14.2] Elastic Security detection-rules	1	411	December 2, 2021

Unable to suppress duplicate alerts

Related Topics