
Like the title says, is this possible? I have tried many ways to get it done in the events section, would like something like this:

events:
    $e1
    $e2
    $e1.metadata.event_timestamp.seconds - $e2.metadata.event_timestamp.seconds < 60

Jjan


Without knowing the entire scope of your rule, I can’t give you a total answer, but based on what you are describing, I have a few ideas.


When we join events we need a match section, which will gather all events that match our criteria in the events section and group them by the time window specified in the match section. However, if I have a 15-minute match window, for instance, I could have e1 and e2 happening at minute 2 and minute 13 of that window; if both have one and then the other within that time frame, those will all end up in that same detection, which doesn't seem ideal.


For this specific case, you could set your match window to 1 minute and then do something like this: $fail.metadata.event_timestamp.seconds < $success.metadata.event_timestamp.seconds, or whatever the event variables are, making sure the one that comes first is less than the other, based on what I laid out.


There is also a sliding window option, but that one can be tricky using before/after depending on the number of events and how long the window needs to stay open. There are potentially some other ways to handle this too that I haven't fully formed, but based on the ask, this is what I would do to address it.


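Putting the answer's suggestion into a complete YARA-L 2.0 rule, as an added example that is not from the original thread or from either poster. The thread does not say what $e1 and $e2 are, so the scenario (a failed login followed by a successful login for the same user), the event_type and security_result.action values, the principal.user.userid join field and the rule name are all assumptions chosen for illustration.

```yaral
rule failed_then_successful_login_within_1m {
  meta:
    author = "added example rule"
    description = "Assumed scenario: failed login followed by successful login for the same user within one minute"
    severity = "Low"

  events:
    // First event: a failed login (assumed event_type and action values)
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.action = "BLOCK"
    $fail.principal.user.userid = $user

    // Second event: a successful login by the same user (assumed values)
    $success.metadata.event_type = "USER_LOGIN"
    $success.security_result.action = "ALLOW"
    $success.principal.user.userid = $user

    // Ordering check from the answer above: the failure must come before the success.
    // The 1-minute match window already bounds how far apart the two events can be,
    // so this comparison only rejects pairs where the success happened first.
    $fail.metadata.event_timestamp.seconds < $success.metadata.event_timestamp.seconds

  match:
    // Group by user over a 1-minute window, as the answer suggests
    $user over 1m
    // Sliding-window alternative mentioned in the answer (use only one match line):
    // $user over 1m after $fail

  condition:
    $fail and $success
}
```

The rule replaces the subtraction from the question with two parts: the short match window bounds the gap between the two events, and the timestamp comparison in the events section enforces their order. Tightening the window to 1 minute is what keeps a failure at minute 2 and a success at minute 13 from being merged into one detection, which is the problem the answer describes with a 15-minute window.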