Hi all,
I have a Correlation Search that generates notable events ignoring the throttling configuration.
The search is "Excessive Logins Failed" and is configured with the following parameters:
Cron schedule: */20 * * * *
Time range: from '-65m' to 'now'
Scheduling: continuous
Schedule Window: No Window
Scheduling priority: Default
Trigger condition: number of results > 0
Throttling window: 86400 seconds
Throttling fields to group by: src
The search is the following:
| tstats summariesonly=true allow_old_summaries=true dc(Authentication.user) as "user_count",dc(Authentication.dest) as "dest_count",count from datamodel="Authentication"."Authentication" where Authentication.user!=*$ nodename="Authentication.Failed_Authentication" by "Authentication.app","Authentication.src"
| `drop_dm_object_name(Authentication)`
| replace "::ffff:*" with "*" in src
| where count>=500
Search runtime is very short (a few seconds), so I'm sure there are no overlapping searches running at the same time.
Nevertheless, I often find notable events generated for the same 'src' within the last 24 hours. I also have another Correlation Search (Brute Force Attacks detection) which has a similar configuration/scheduling, but in that case the throttling is working fine.
Can anyone help me with this? Anybody else having the same issue?
Thanks in advance
Now I'm experiencing the same issue with other correlation searches as well.
Is anybody else seeing the same behavior?
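To make the throttling behaviour in the question concrete, here is an added example (not from the post and not Splunk's code) that models per-field throttling in plain Python: fire at most one notable per distinct value of the group-by fields per window, using the post's own settings (window 86400 seconds, group by src, a */20 schedule). The class and function names (Throttle, replay, normalize_src) and the sample result rows are invented for the illustration. It also carries the search's `replace "::ffff:*" with "*" in src` step, and replays the same constructed runs with and without that normalization, because a throttle keyed on src only suppresses repeats when the src value is byte-identical each time the search fires.

```python
from datetime import datetime, timedelta

# Settings copied from the post's correlation search.
THROTTLE_WINDOW = timedelta(seconds=86400)
THROTTLE_FIELDS = ("src",)


def normalize_src(src):
    """Mirror the search's `replace "::ffff:*" with "*" in src`:
    strip the IPv4-mapped IPv6 prefix so one host yields one key."""
    prefix = "::ffff:"
    return src[len(prefix):] if src.startswith(prefix) else src


class Throttle:
    """Per-key suppression (assumed model of ES throttling): one notable
    per distinct tuple of the group-by fields per window."""

    def __init__(self, window=THROTTLE_WINDOW, fields=THROTTLE_FIELDS):
        self.window = window
        self.fields = fields
        self.last_fired = {}  # key tuple -> datetime of the last notable

    def key(self, result):
        # A missing field becomes None, which still forms a (degenerate) key.
        return tuple(result.get(f) for f in self.fields)

    def should_fire(self, result, now):
        k = self.key(result)
        last = self.last_fired.get(k)
        if last is not None and now - last < self.window:
            return False  # suppressed: same key seen inside the window
        self.last_fired[k] = now
        return True


def replay(runs, normalize=True):
    """Replay scheduled runs in order; return [(run_time, src)] for every
    result that produced a notable after throttling."""
    throttle = Throttle()
    fired = []
    for run_time, results in runs:
        for r in results:
            r = dict(r)
            if normalize:
                r["src"] = normalize_src(r["src"])
            if throttle.should_fire(r, run_time):
                fired.append((run_time, r["src"]))
    return fired


def sample_runs():
    """Constructed sample data: three consecutive runs of the */20 schedule,
    then one a day later. Host 10.0.0.5 shows up once as an IPv4-mapped
    IPv6 literal, as it would if the data source logged it that way."""
    t0 = datetime(2024, 1, 1, 0, 0, 0)
    return [
        (t0, [{"src": "10.0.0.5", "app": "ssh", "count": 812}]),
        (t0 + timedelta(minutes=20),
         [{"src": "::ffff:10.0.0.5", "app": "ssh", "count": 640}]),
        (t0 + timedelta(minutes=40),
         [{"src": "10.0.0.5", "app": "ssh", "count": 701},
          {"src": "192.0.2.9", "app": "vpn", "count": 533}]),
        (t0 + timedelta(hours=25),
         [{"src": "10.0.0.5", "app": "ssh", "count": 590}]),
    ]


if __name__ == "__main__":
    for label, norm in (("normalized", True), ("raw", False)):
        for run_time, src in replay(sample_runs(), normalize=norm):
            print(f"{label:10} {run_time:%Y-%m-%d %H:%M} notable for src={src}")
```

With normalization the replay produces three notables (10.0.0.5 at the first run, 192.0.2.9 at the third, and 10.0.0.5 again only once the 24-hour window has elapsed); without it the same host fires twice within 40 minutes because "10.0.0.5" and "::ffff:10.0.0.5" are different throttle keys. The model does not say what is wrong in the poster's environment, but it does suggest the first thing to check when duplicates appear: pull the duplicate notables for one src from Incident Review and compare the src values (and any other group-by fields) character for character.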