I have a Correlation Search that generates notable events while ignoring its throttling configuration. The search is "Excessive Logins Failed" and is currently configured with the following parameters:
Cron schedule: */20 * * * *
Time range: from '-65m' to 'now'
Scheduling: continuous
Schedule Window: No Window
Scheduling priority: Default
Trigger condition: number of results > 0
Throttling window: 86400 seconds
Throttling fields to group by: src
The search is the following:
| tstats summariesonly=true allow_old_summaries=true dc(Authentication.user) as "user_count",dc(Authentication.dest) as "dest_count",count from datamodel="Authentication"."Authentication" where Authentication.user!=*$ nodename="Authentication.Failed_Authentication" by "Authentication.app","Authentication.src"
| replace "::ffff:*" with "*" in src
| where count>=500
Search runtime is very short (a few seconds), so I'm sure there are no overlapping searches running at the same time. Nevertheless, I often find notable events generated for the same 'src' within the last 24 hours. I also have another Correlation Search (Brute Force Attacks detection) which has a similar configuration/scheduling, but in this case the throttling is working fine.
Can anyone help me with this? Is anybody else having the same issue?
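One thing worth checking, as an added example rather than part of the original post: throttling in Enterprise Security keys on the values of a field that has to exist in the rows the correlation search returns. After `| tstats ... by "Authentication.app","Authentication.src"` the output field is named `Authentication.src`, not `src`, so both the `replace ... in src` stage and a throttle grouped on `src` act on a field that is not in the results. The version below is the same search with the data-model prefix stripped before the `replace`, so that a field literally named `src` reaches the throttle; the `rename` line is the assumed fix, and the CIM macro `drop_dm_object_name(Authentication)` performs the equivalent rename.

```spl
| tstats summariesonly=true allow_old_summaries=true
    dc(Authentication.user) as user_count,
    dc(Authentication.dest) as dest_count,
    count
  from datamodel="Authentication"."Authentication"
  where Authentication.user!=*$ nodename="Authentication.Failed_Authentication"
  by "Authentication.app","Authentication.src"
| rename "Authentication.*" as "*"
| replace "::ffff:*" with "*" in src
| where count>=500
| table app, src, user_count, dest_count, count
```

Running the search manually and confirming that the `src` column is populated (and that IPv4-mapped IPv6 addresses have actually lost their `::ffff:` prefix) is the quickest way to tell whether the throttle field name matches; if the original search shows only an `Authentication.src` column, the throttle was never grouping on anything.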