This tuning is to change the from field to now-6m for rules that havenow-10m set and the interval left as default the 5m
This results in the potential for a single event to produce double alerts by being triggered within 2 seperate execution windows.
This happened in my stack with the follow event, note event.created is 22:40:30.433
It triggered 2 alerts at 2 separate detection times 22:45:30.463 and 22:50:33.497
The rule execution times that match with these detection times are shown below, the event.created stamp falls just within both of these 10m lookback windows
Issue
Summary
This tuning is to change the
fromfield tonow-6mfor rules that havenow-10mset and the interval left as default the 5m This results in the potential for a single event to produce double alerts by being triggered within 2 seperate execution windows.This happened in my stack with the follow event, note event.created is
22:40:30.433It triggered 2 alerts at 2 separate detection times
22:45:30.463and22:50:33.497The rule execution times that match with these detection times are shown below, the event.created stamp falls just within both of these
10mlookback windows