[Bug] Duplicate Alerts in ESQL Detection Rule with 24-Hour Look-Back Period and 5-Minute Interval #4250

@jorgecastro2

Description

Describe the Bug

I created a new ESQL detection rule in Elastic Security to monitor successful logins from multiple countries within the last 24 hours. This rule runs every 5 minutes and requires a 24-hour look-back period due to its logic.

The issue is that the rule continuously generates duplicate alerts for the same documents (events) upon subsequent runs. For example, if documents 1 and 2 trigger an alert on the first run, the rule continues to alert on these same documents every 5 minutes, even though they have already been alerted on. Other detection rule types prevent duplicate alerts by keeping track of previously alerted documents, but this behavior seems inconsistent with ESQL detection rules.

Here is my exact ESQL query:

from logs-okta*  [metadata _id, _version, _index]
| where event.action == "user.session.start"
| where @timestamp > now() - 24 hours
| where enrich.vpn_ip == "false"
| where event.outcome == "success"
| where source.ip is not null
| stats distinct_countries_by_user = count_distinct(source.geo.country_name) by user.name
| where distinct_countries_by_user > 1
| sort distinct_countries_by_user desc
| eval kibana.alert.original_event.dataset = "okta.system"

To Reproduce

  1. Create an ESQL detection rule in Elastic Security that:
    • Monitors successful logins from multiple countries within the last 24 hours.
    • Runs every 5 minutes.
  2. Trigger the rule so that it generates an alert on certain documents (e.g., docs 1 and 2).
  3. Wait for the rule to run again after 5 minutes.
  4. Observe that the rule generates duplicate alerts for docs 1 and 2, even though they were already alerted on in the previous run.

Expected Behavior

The ESQL detection rule should ignore documents (events) that have already triggered an alert, similar to how other detection rule types operate. Only new qualifying documents should trigger additional alerts, preventing duplicate alerts on the same documents within the look-back period.

Desktop - OS

macOS

Desktop - Version

Sonoma 14.6.1

Additional Context

Elastic Version: 8.13.4
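The duplicate behaviour reported above, as an added example that is not part of this issue or of Elastic's code: a Python re-implementation of the query's filter and STATS stages run over constructed Okta-style events at two successive 5-minute ticks, plus one way a consumer of the rule's rows could suppress repeats, since rows produced by STATS carry no _id to key on. The dedup key (user.name plus the distinct-country count) and the `seen` map are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed Okta-style events (sample data made up for this example, not real logs).
T0 = datetime(2024, 9, 1, 12, 0, tzinfo=timezone.utc)

def ev(_id, hours_ago, user, country, outcome="success", vpn="false", ip="203.0.113.7"):
    return {"_id": _id, "@timestamp": T0 - timedelta(hours=hours_ago),
            "event.action": "user.session.start", "event.outcome": outcome,
            "enrich.vpn_ip": vpn, "user.name": user, "source.ip": ip,
            "source.geo.country_name": country}

EVENTS = [ev("1", 3, "alice", "Germany"), ev("2", 1, "alice", "Brazil"),    # two countries -> alert
          ev("3", 2, "bob", "Germany"), ev("4", 0.5, "bob", "Germany"),      # one country -> no alert
          ev("5", 1, "carol", "Japan"),
          ev("6", 0.2, "carol", "France", outcome="failure"),               # failed login is filtered out
          ev("7", 30, "dave", "Spain"), ev("8", 0.1, "dave", "Italy")]        # first login is outside 24h

def run_rule(events, now, lookback=timedelta(hours=24)):
    """Mirror the ES|QL pipeline from the issue: the WHERE filters, then
    STATS COUNT_DISTINCT(country) BY user.name, WHERE > 1, SORT desc."""
    countries = {}
    for e in events:
        if (e["event.action"] != "user.session.start" or e["@timestamp"] <= now - lookback
                or e["enrich.vpn_ip"] != "false" or e["event.outcome"] != "success"
                or e.get("source.ip") is None):
            continue
        countries.setdefault(e["user.name"], set()).add(e["source.geo.country_name"])
    rows = [{"user.name": u, "distinct_countries_by_user": len(c)}
            for u, c in countries.items() if len(c) > 1]
    return sorted(rows, key=lambda r: -r["distinct_countries_by_user"])

def run_rule_dedup(events, now, seen, lookback=timedelta(hours=24)):
    """Same rule, but suppress rows already alerted inside the look-back window.
    Aggregated rows have no _id, so the key is derived from the row itself
    (assumed key: user.name + distinct country count). `seen` maps key -> time
    of the last alert and must be kept by the caller across runs."""
    fresh = []
    for row in run_rule(events, now, lookback):
        key = (row["user.name"], row["distinct_countries_by_user"])
        last = seen.get(key)
        if last is None or now - last >= lookback:
            seen[key] = now
            fresh.append(row)
    return fresh

if __name__ == "__main__":
    state = {}
    for tick in (T0, T0.replace(minute=5), T0.replace(minute=10)):
        print(tick.isoformat(), "raw:", run_rule(EVENTS, tick),
              "deduplicated:", run_rule_dedup(EVENTS, tick, state))
```

Without the suppression step every 5-minute run re-emits the same alice row, which is exactly the duplicate-alert pattern described in the report.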
