I’m new to the Security Analytics plugin and coming from a Microsoft Sentinel background. While testing the plugin, I had a question regarding detector/alert configuration:
- Is there a lookback window option for detectors or alerts?
- For example, I want to create a threat detection that should analyze the last 5 hours of logs and trigger an alert if any detection occurs.
- I’ve already configured the alert to run every 10 minutes.

So my questions are:
- Suppose a detection finds multiple events—for example, 100 document-related events. I want all those events to be aggregated into a single alert when notifying via email or other alerting mechanisms. I do not want an alert for each individual event.
- For example, if I configure a detection for failed logons and it generates 1,000 events, I don’t want to receive 1,000 separate alerts.
- Is there a way to configure a lookback window, e.g., last 5 hours, for a detection?
- Is there aggregation support for alerts to combine multiple matched events into one alert?
- If lookback or aggregation is not supported, how does the plugin currently operate?
- Does it search the entire index for matching activity or only newly ingested documents since the last run?