Working a bunch with the Trackme app and it's showing a lot of promise. I finally got the right MLTK and Python applications installed, hopefully that will help some of the issues I'm having.
When I modify a data source, choosing "auto lagging" comes back with unexpected results. In particular, I have a data source that only ingests M-F, between 9am and 5pm. The auto percentile lag of this data source for 7-30 days at 1-3 seconds. How would I go about getting a longer average lag time for this source?
In addition, how can I tell trackme to not show an alert state on the same sourcetype on a monday morning, since it hasn't gotten any events since the friday before? I don't want to set the lag time as too high as that will interfere w/ monitoring during weekdays.