Question

discrepancy in stats search

  • May 19, 2026
  • 0 replies
  • 7 views

NASEEF

Hello Team,

I am seeing a discrepancy with the stats search.

When I run a normal search for EPP high alerts during the specified time range, I get 31 results. However, when I convert the same logic into a stats search with a match window, the result count increases significantly.

I expected the count to be equal to or lower than 31, since the match window should group matching alerts within the defined time period. Instead, I am seeing more than 400 results, which is around 15 times higher than the original event count.

And when it is run on rules, I am getting 23 detections.

Could you please help confirm why the stats-based query is inflating the results and whether the match/window logic is causing duplicate or expanded matches?
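The product and the exact query are not shown in this post, so the following is an added illustration (not the poster's query and not the vendor's documented semantics) of one common way a windowed "match" can return far more rows than the underlying alert count: if the match is evaluated as a self-join, every ordered pair of alerts that fall within the window becomes its own result row, so 31 alerts can yield several hundred rows, while a count that buckets alerts into fixed windows and counts distinct alert ids can never exceed the base count. The sample alerts, the 5-minute window, and the field names are constructed for the example.

```python
from datetime import datetime, timedelta
from itertools import product

# Constructed sample data: 31 "high" EPP alerts spaced 20 seconds apart (10-minute span).
# None of these values come from the forum post.
BASE = datetime(2026, 5, 19, 10, 0, 0)
ALERTS = [
    {
        "id": f"alert-{i:02d}",
        "severity": "high",
        "host": f"host-{i % 5}",
        "ts": BASE + timedelta(seconds=20 * i),
    }
    for i in range(31)
]

# Assumed match window for the illustration.
WINDOW = timedelta(minutes=5)


def plain_count(alerts):
    """Equivalent of the 'normal search': one row per high-severity alert."""
    return sum(1 for a in alerts if a["severity"] == "high")


def pairwise_window_matches(alerts, window):
    """Self-join style windowed match (assumed mechanism, not a documented one):
    emit one row for every ordered pair of distinct alerts whose timestamps lie
    within `window` of each other. This is the shape that inflates result counts,
    because each alert is matched against every neighbour in its window."""
    rows = []
    for a, b in product(alerts, repeat=2):
        if a["id"] != b["id"] and abs(a["ts"] - b["ts"]) <= window:
            rows.append((a["id"], b["id"]))
    return rows


def distinct_alerts_in_matches(rows):
    """Collapse pair rows back to the set of distinct alert ids they mention."""
    ids = set()
    for left, right in rows:
        ids.add(left)
        ids.add(right)
    return len(ids)


def bucketed_count(alerts, window):
    """Bucket alerts into fixed, non-overlapping windows measured from the earliest
    alert and count distinct alert ids per bucket. The sum over buckets equals the
    base count, so a stats query built this way cannot exceed the plain search."""
    if not alerts:
        return {}
    start = min(a["ts"] for a in alerts)
    buckets = {}
    for a in alerts:
        key = (a["ts"] - start) // window  # timedelta // timedelta -> int bucket index
        buckets.setdefault(key, set()).add(a["id"])
    return {k: len(v) for k, v in buckets.items()}


if __name__ == "__main__":
    pairs = pairwise_window_matches(ALERTS, WINDOW)
    print("plain search rows:      ", plain_count(ALERTS))
    print("pairwise match rows:    ", len(pairs))
    print("distinct alerts in pairs:", distinct_alerts_in_matches(pairs))
    print("bucketed per-window:    ", bucketed_count(ALERTS, WINDOW))
```

When comparing a stats query against a plain search, the check worth running first is whether the number of distinct alert ids in the stats output still equals the plain count; if it does while the row count is many times higher, the extra rows are duplicates produced by the matching step rather than additional alerts.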