I have not utilized throttling before and wanted to try it out on an event I know is happening all the time. The purpose of doing this is I have another alert I want to make for when a host is infected 10 times within a 24 hour period of time and want to make sure I'm doing it correctly because that alert probably (hopefully) will never fire.
product=windows name"An account was successfully logged on" user=Administrator earliest=-1h | transaction Workstation_Name | search eventcount >10 | table Workstation_Name, user
I have this alert scheduled for every hour at 45 on the hour and to fire when the number of results is greater than 0 on every result. I clicked throttle and suppressed the Workstation_Name field for 2 hours but the alert fires every hour still? This seems straight forward but I'm obviously doing something wrong. Mind you this event fires around 4 thousand times an hour.
As I am writing this the only thing I foresee being an issue outside of getting the actual throttle to work is defining the time within a specific days 24 hour period of time. 00:00:00 to 23:59:59. Will I need to do that within the search itself if so how?