
[Bug] Duplicate Alerts in ESQL Detection Rule with 24-Hour Look-Back Period and 5-Minute Interval #4250

Open
jorgecastro2 opened this issue Nov 5, 2024 · 0 comments
Labels
bug Something isn't working community Team: TRADE

Comments

@jorgecastro2

Describe the Bug

I created a new ESQL detection rule in Elastic Security to monitor successful logins from multiple countries within the last 24 hours. This rule runs every 5 minutes and requires a 24-hour look-back period due to its logic.

The issue is that the rule continuously generates duplicate alerts for the same documents (events) upon subsequent runs. For example, if documents 1 and 2 trigger an alert on the first run, the rule continues to alert on these same documents every 5 minutes, even though they have already been alerted on. Other detection rule types prevent duplicate alerts by keeping track of previously alerted documents, but this behavior seems inconsistent with ESQL detection rules.

Here is my exact ESQL query:

// Bracketed METADATA form is the 8.13 syntax; it carries _id/_version/_index
// through the pipeline only as long as no aggregating command follows.
from logs-okta* [metadata _id, _version, _index]
// Successful, non-VPN Okta session starts in the last 24 hours
| where event.action == "user.session.start"
| where @timestamp > now() - 24 hours
| where enrich.vpn_ip == "false"
| where event.outcome == "success"
| where source.ip is not null
// Collapse to one row per user; per-document metadata is dropped here
| stats distinct_countries_by_user = count_distinct(source.geo.country_name) by user.name
| where distinct_countries_by_user > 1
| sort distinct_countries_by_user desc
| eval kibana.alert.original_event.dataset = "okta.system"

To Reproduce

  1. Create an ESQL detection rule in Elastic Security that:
    • Monitors successful logins from multiple countries within the last 24 hours.
    • Runs every 5 minutes.
  2. Trigger the rule so that it generates an alert on certain documents (e.g., docs 1 and 2).
  3. Wait for the rule to run again after 5 minutes.
  4. Observe that the rule generates duplicate alerts for docs 1 and 2, even though they were already alerted on in the previous run.

Expected Behavior

The ESQL detection rule should ignore documents (events) that have already triggered an alert, similar to how other detection rule types operate. Only new qualifying documents should trigger additional alerts, preventing duplicate alerts on the same documents within the look-back period.

Screenshots

(screenshot attached to the original issue, not reproduced here)

Desktop - OS

macOS

Desktop - Version

Sonoma 14.6.1

Additional Context

Elastic Version: 8.13.4

@jorgecastro2 jorgecastro2 added bug Something isn't working Team: TRADE labels Nov 5, 2024
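The behaviour in the report follows from the shape of the query rather than from the look-back window: the `stats ... by user.name` command reduces the result to one row per user, and the `_id`, `_version` and `_index` metadata requested in `from` do not survive that reduction, so the rule engine has no per-document identity on which to suppress a repeat. Elastic's ES|QL rule type deduplicates only non-aggregating queries whose rows carry that metadata. The following Python simulation is an added example, not code from the issue or from Elastic; it runs the query's filters and aggregation over a handful of constructed Okta-style documents (not real data) and models the engine's suppression as "skip a row only if it has an `_id` we already alerted on", which is a deliberate simplification of the real alert-id logic. The names `DOCS`, `RuleRunner` and `simulate` are the example's own.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" for the first rule execution; later runs add 5-minute steps.
T0 = datetime(2024, 11, 5, 12, 0, tzinfo=timezone.utc)


def _doc(doc_id, user, country, minutes_ago, vpn="false",
         outcome="success", action="user.session.start"):
    """Build one constructed logs-okta* document (stand-in, not real data)."""
    return {
        "_id": doc_id,
        "@timestamp": T0 - timedelta(minutes=minutes_ago),
        "event.action": action,
        "event.outcome": outcome,
        "enrich.vpn_ip": vpn,
        "source.ip": "198.51.100.5",
        "source.geo.country_name": country,
        "user.name": user,
    }


DOCS = [
    _doc("1", "alice", "US", 90),
    _doc("2", "alice", "DE", 30),                    # alice: two countries
    _doc("3", "bob", "US", 20),                      # bob: one country
    _doc("4", "carol", "FR", 60, vpn="true"),        # dropped by the VPN filter
    _doc("5", "carol", "GB", 10),                    # carol: one country left
    _doc("6", "dave", "BR", 15, outcome="failure"),  # dropped by the outcome filter
]


def filtered(docs, now, window=timedelta(hours=24)):
    """The rule's WHERE clauses, applied in the same order as the query."""
    return [
        d for d in docs
        if d["event.action"] == "user.session.start"
        and d["@timestamp"] > now - window
        and d["enrich.vpn_ip"] == "false"
        and d["event.outcome"] == "success"
        and d["source.ip"] is not None
    ]


def countries_by_user(docs):
    """user.name -> set of distinct source.geo.country_name values."""
    out = {}
    for d in docs:
        out.setdefault(d["user.name"], set()).add(d["source.geo.country_name"])
    return out


def aggregating_query(docs, now):
    """STATS count_distinct(...) BY user.name | WHERE > 1 | SORT: one row per user.
    No _id is present on the output rows, exactly as after the real STATS."""
    rows = [
        {"user.name": user, "distinct_countries_by_user": len(countries)}
        for user, countries in countries_by_user(filtered(docs, now)).items()
        if len(countries) > 1
    ]
    return sorted(rows, key=lambda r: r["distinct_countries_by_user"], reverse=True)


def non_aggregating_query(docs, now):
    """Same condition, but the output is the matching documents with _id kept."""
    hits = filtered(docs, now)
    multi = {u for u, c in countries_by_user(hits).items() if len(c) > 1}
    return [dict(d) for d in hits if d["user.name"] in multi]


class RuleRunner:
    """Models per-document suppression: a row is skipped only if it carries an
    _id that an earlier execution already turned into an alert."""

    def __init__(self, query):
        self.query = query
        self.alerted = set()

    def run(self, docs, now):
        new_alerts = []
        for row in self.query(docs, now):
            doc_id = row.get("_id")
            if doc_id is None:
                new_alerts.append(row)          # aggregated row: nothing to key on
            elif doc_id not in self.alerted:
                self.alerted.add(doc_id)
                new_alerts.append(row)
        return new_alerts


def simulate(query, runs=3, interval=timedelta(minutes=5)):
    """Number of alerts produced by consecutive executions 5 minutes apart."""
    runner = RuleRunner(query)
    return [len(runner.run(DOCS, T0 + i * interval)) for i in range(runs)]


if __name__ == "__main__":
    print("aggregating   :", simulate(aggregating_query))      # [1, 1, 1]
    print("non-aggregating:", simulate(non_aggregating_query))  # [2, 0, 0]
```

With the aggregating form the single `alice` row is emitted again on every 5-minute run for as long as both logins sit inside the 24-hour window, which is the duplicate stream described above; with the non-aggregating form the two `alice` documents alert once and are then suppressed. The practical consequence is that a multi-country detection written with `stats` needs its own suppression (for example alert suppression keyed on `user.name` in the rule settings) rather than relying on per-document dedup.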