topic Re: Throttle not working as intended in Alerting

Throttle not working as intended

Hegemon76 — Wed, 30 Sep 2020 01:49:48 GMT

Hello,

I have not utilized throttling before and wanted to try it out on an event I know is happening all the time. The purpose of doing this is I have another alert I want to make for when a host is infected 10 times within a 24 hour period of time and want to make sure I'm doing it correctly because that alert probably (hopefully) will never fire.

product=windows name"An account was successfully logged on" user=Administrator earliest=-1h | transaction Workstation_Name | search eventcount >10 | table Workstation_Name, user

I have this alert scheduled for every hour at 45 on the hour and to fire when the number of results is greater than 0 on every result. I clicked throttle and suppressed the Workstation_Name field for 2 hours but the alert fires every hour still? This seems straight forward but I'm obviously doing something wrong. Mind you this event fires around 4 thousand times an hour.

As I am writing this the only thing I foresee being an issue outside of getting the actual throttle to work is defining the time within a specific days 24 hour period of time. 00:00:00 to 23:59:59. Will I need to do that within the search itself if so how?

Thank you for the help.

Re: Throttle not working as intended

Sukisen1981 — Mon, 19 Aug 2019 19:02:40 GMT

hmm try this and see

scroll down to 'Action Options' sections (which has throttle checkbox), and change the "When triggered, execute actions" from 'For each result' to 'Once'.

Re: Throttle not working as intended

Hegemon76 — Mon, 19 Aug 2019 19:05:51 GMT

I'm wondering though if I set it to once.

Lets says workstations A, B and C all get infections within 24 hours. Does it fire per station or just fire once and then stop because the condition was met?

Re: Throttle not working as intended

Hegemon76 — Mon, 19 Aug 2019 19:27:09 GMT

It still triggered and by switching that box to once you can't throttle on specific fields.