I want to create a custom dashboard to display duplicate alerts within a 5-minute window, based on event type. For example, if the same event triggers an alert multiple times within 5 minutes, it should be visible on the dashboard.
Question
How to Display Duplicate Alerts Within a Short Time Window
+1
+7Can you expand on what problem you are facing or what you plan on doing with the output of the dashboard? There is a built in dedup function in the rules engine to prevent the same detection from triggering multiple times (note: rule version is included in the uniqueness evaluation, so making changes to the rule can result in a detection retriggering). There are also a number of detection use cases where a single event would be expected to trigger a detection multiple times (an event with multiple principal.ip addresses can legitimately trigger a detection that matches on principal.ip multiple times.)
This dashboard query will get you what I think you are asking for, but its usefulness is limited and may not be what you actually need to solve your use case. In this example I am using the rule_id as the uniqueness indicator for a rule, and event.metadata.id as the uniqueness indicator for an event.
detection.detection.rule_id = $ruleid
detection.collection_elements.references.event.metadata.id = $eid
$eid != b""
match: $ruleid,$eid over 5m
outcome:
$duplicate_detections = count_distinct(detection.id)
$rule_name = array_distinct(detection.detection.rule_name)
$detection_ids = array_distinct(detection.id)
condition: $duplicate_detections > 1
Login to the community
Login with SSO
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.