I have an alert scheduled to monitor if 2 different users are accessing the same device for authentication from Okta, and I'm monitoring it for 1 month.
Once the alert is triggered, the same user's details should not trigger it again for the next 1 month. Any suggestions on how I can achieve this? (Can be in the query or alert actions.)
Below is a sample query:
index=okta result=success NOT ( device=null)
| eval _time=strftime(_time, "%Y-%m-%d")
| stats values(user) as user dc(user) as "number of users per device" by device _time
| lookup XXX
| search "number of users per device">1
| regex device=myregx | rex field=user "(myregex)"
| where isnull(match)
| table fields
| stats fields X y Z dc(_time) as detected by device
| where detected>=1
| sort _time
Alerts are automated. That is their nature. Configurations can be manual, but are a one-time action.
Remember that each time an alert runs it is independent of other runs (context-free). If you need context, other than what is provided by the throttling option, then you'll have to implement it yourself.
Triggering users/devices can be saved in a lookup file, the KV Store, or (as @ITWhisperer suggested) a summary index. The alert would need to consult the saved list to see if a new alert should be triggered or not.
Throttling alerts will stop the alert from being triggered; however, it is at the alert level. That is, if the alert should be triggered for a different user, I doubt this would fire if you had a throttle on the alert.
What you could do is collect the results of the alert in a summary index and check against the summary index whether the alert has been triggered for the user(s) within the last month.
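As an added example (not from any of the posters above), here is the lookup-file variant of the "consult a saved list" approach as a savedsearches.conf stanza. The index name okta, the device/user field names and the lookup file okta_shared_device_alerted.csv are assumptions; the suppression window is the 30 days the question asks for.

```ini
# Added example, not from the thread. Assumed: index "okta", fields
# device/user, and a CSV lookup "okta_shared_device_alerted.csv" with
# columns device, user, last_alerted (epoch) for pairs already alerted.
# Bootstrap the lookup once so inputlookup does not fail on first run:
#   | makeresults | eval device="", user="", last_alerted=0
#   | table device user last_alerted
#   | outputlookup okta_shared_device_alerted.csv
[Okta - multiple users on one device]
cron_schedule = 0 6 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
# 1) devices used by more than one user per day in the window
# 2) drop device/user pairs recorded in the lookup within the last 30 days
# 3) record the survivors so they stay suppressed for the next month
search = index=okta result=success NOT device=null \
| bin _time span=1d \
| stats values(user) as user dc(user) as users_per_device by device _time \
| where users_per_device > 1 \
| mvexpand user \
| search NOT [| inputlookup okta_shared_device_alerted.csv \
    | where last_alerted >= relative_time(now(), "-30d") \
    | fields device user] \
| eval last_alerted = now() \
| table device user last_alerted \
| outputlookup append=true okta_shared_device_alerted.csv

# Housekeeping: prune entries older than 30 days so the lookup stays small
# and the exclusion subsearch stays well under the default 10,000-row limit.
[Okta - prune shared device suppression list]
cron_schedule = 30 5 * * *
enableSched = 1
search = | inputlookup okta_shared_device_alerted.csv \
| where last_alerted >= relative_time(now(), "-30d") \
| outputlookup okta_shared_device_alerted.csv
```

Because the check is per device/user pair rather than per alert, a new user appearing on an already-reported device still fires, which is the gap the built-in throttle leaves.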
Throttling of alerts is not done using SPL. To enable throttling, edit the alert and check the "Throttle" box. Enter the time between alerts and click Save.