Hi all, I have the following Correlation Search set up to detect accounts that have been excessively locked out during a short period of time. However, we get many repeat alerts even if the last lockout time is long past (probably because of how it is configured). Is there a way to stop the alerting once the lockouts stop? For example, an account has been locked out an excessive number of times (i.e. 10 times); the first time this occurred is on 05/01/2021 at 09:34:03 and the last time is 05/01/2021 at 18:22:08. We would still get alerted days after the fact (i.e. 05/05/2021).

Correlation Search:

Mode: Manual
Search:
index=wineventlog EventCode=4740 | stats count min(_time) as firstTime max(_time) as lastTime values(dest_nt_domain) as machines by user, signature | `ctime(firstTime)` | `ctime(lastTime)` | search count > 5

Time Range:
Earliest Time: -7d
Latest Time: -10m@m

Cron Schedule: */15 * * * *
Scheduling: Continuous
Schedule Window: Auto
Schedule Priority: Default

Trigger Conditions:
Trigger alert when: Number of Results is greater than 0

Throttling:
Window duration: 1 day(s)
Fields to group by: user
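The behaviour described in the post follows from the search window: with Earliest Time -7d, the stats row for a user keeps count > 5 for seven days after a burst of lockouts, so every 15-minute run returns it, and the 1-day throttle only spaces the repeats out. The following Python model is an added example, not code from the original post or from Splunk; it replays the search's stats/threshold logic over constructed EventCode=4740 events so the effect can be seen, and adds an optional recency gate on lastTime (the `max_age_minutes` parameter is an assumption for illustration, equivalent in spirit to an SPL `where` on lastTime, not part of the original search).

```python
"""
Python stand-in for the correlation search in the post:
  index=wineventlog EventCode=4740
  | stats count min(_time) as firstTime max(_time) as lastTime
          values(dest_nt_domain) as machines by user, signature
  | `ctime(firstTime)` | `ctime(lastTime)` | search count > 5
with Earliest Time -7d and Latest Time -10m@m.
All events below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM:SS' timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed lockout events: (_time, user, signature, dest_nt_domain).
# jdoe: 10 lockouts on 2021-05-01 between 09:34:03 and 18:22:08 (the post's example);
# asmith: 2 lockouts on 2021-05-04, below the threshold.
SIGNATURE = "A user account was locked out"
SAMPLE_EVENTS = [
    (ts("2021-05-01 09:34:03"), "jdoe", SIGNATURE, "DC01"),
    (ts("2021-05-01 10:02:11"), "jdoe", SIGNATURE, "DC01"),
    (ts("2021-05-01 10:45:30"), "jdoe", SIGNATURE, "DC02"),
    (ts("2021-05-01 11:20:00"), "jdoe", SIGNATURE, "DC01"),
    (ts("2021-05-01 12:05:45"), "jdoe", SIGNATURE, "DC01"),
    (ts("2021-05-01 13:30:10"), "jdoe", SIGNATURE, "DC02"),
    (ts("2021-05-01 14:55:22"), "jdoe", SIGNATURE, "DC01"),
    (ts("2021-05-01 16:10:05"), "jdoe", SIGNATURE, "DC01"),
    (ts("2021-05-01 17:40:50"), "jdoe", SIGNATURE, "DC02"),
    (ts("2021-05-01 18:22:08"), "jdoe", SIGNATURE, "DC01"),
    (ts("2021-05-04 08:00:00"), "asmith", SIGNATURE, "DC01"),
    (ts("2021-05-04 08:05:00"), "asmith", SIGNATURE, "DC01"),
]


def ctime(dt):
    """Mimic the `ctime` macro: render a timestamp as MM/DD/YYYY HH:MM:SS."""
    return dt.strftime("%m/%d/%Y %H:%M:%S")


def summarize_lockouts(events, now, earliest=timedelta(days=7), latest=timedelta(minutes=10)):
    """Apply the time range, then the equivalent of `stats ... by user, signature`."""
    window_start = now - earliest
    # -10m@m: subtract 10 minutes and snap to the minute boundary
    window_end = now.replace(second=0, microsecond=0) - latest
    groups = defaultdict(list)
    for t, user, signature, domain in events:
        if window_start <= t <= window_end:
            groups[(user, signature)].append((t, domain))
    rows = []
    for (user, signature), hits in groups.items():
        times = [t for t, _ in hits]
        rows.append({
            "user": user,
            "signature": signature,
            "count": len(hits),
            "firstTime": min(times),
            "lastTime": max(times),
            "machines": sorted({d for _, d in hits}),
        })
    return rows


def search_results(events, now, threshold=5, max_age_minutes=None):
    """Rows that would trigger the alert: `search count > 5`, plus an optional
    (assumed, not in the original search) requirement that lastTime is recent."""
    out = []
    for row in summarize_lockouts(events, now):
        if row["count"] <= threshold:
            continue
        if max_age_minutes is not None and now - row["lastTime"] > timedelta(minutes=max_age_minutes):
            continue
        out.append(row)
    return out


if __name__ == "__main__":
    # Four days after the burst the row still fires with the original logic...
    for row in search_results(SAMPLE_EVENTS, ts("2021-05-05 10:00:00")):
        print(row["user"], row["count"], ctime(row["firstTime"]), ctime(row["lastTime"]), row["machines"])
    # ...but not once a 60-minute recency gate on lastTime is added.
    print(search_results(SAMPLE_EVENTS, ts("2021-05-05 10:00:00"), max_age_minutes=60))
```

Running it at a simulated "now" of 05/05/2021 10:00 reproduces the post's complaint: jdoe still comes back with count 10, firstTime 05/01/2021 09:34:03 and lastTime 05/01/2021 18:22:08, because all ten events sit inside the 7-day window. The same run with the recency gate returns nothing, while a run at 05/01/2021 19:00 (38 minutes after the last lockout) still returns the row, which is the difference between "this account was locked out a lot this week" and "this account is being locked out right now".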