What is the bug?
When creating an aggregation rule, multiple findings are being generated based on the entire dataset and not respecting the timeframe or even the detector schedule.
How can one reproduce the bug?
On Security Analytics, create the following detection rule (this is just a sample):
```yaml
id: ZAWpiJIB1M3Z07tGJMhd
logsource:
  product: os_windows
title: brute force same ip2
description: brute force same ip
tags:
falsepositives: []
level: high
status: experimental
references: []
author: GV
detection:
  condition: selection1 | count (*) by source.ip > 4
  selection1:
    event.id:
  timeframe: 15m
tags:
```
What is the expected behavior?
Whenever there are failed attempts (event.id 4625) by the same IP more than 4 times within 20 minutes, it should trigger the alert.
What is actually happening?
The rule is being triggered every time the detector runs because it is looking for all the documents in the index, and not only for 20 minutes or 5 minutes (current detector scan interval).
What is your host/environment?
Version [2.17.0], also tested with 2.17.1
Plugins
Do you have any screenshots?
Multiple documents - Some of these documents are from 5 hours ago.
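The gap between the expected and the observed behaviour, as an added Python example that is not part of the report or of the Security Analytics plugin: the same count(*) by source.ip aggregation over event.id 4625 is run once restricted to the rule's 15m timeframe ending at the detector run, and once over the whole index. The timestamps, IPs and counts are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the report): (timestamp, event.id, source.ip).
# The detector runs at NOW; the rule fires when count(*) by source.ip > 4 within 15m.
NOW = datetime.fromisoformat("2024-10-10T12:00:00")
EVENTS = [
    # 10.0.0.5: five failed logons in the last ten minutes -> a genuine finding
    ("2024-10-10T11:50:00", 4625, "10.0.0.5"),
    ("2024-10-10T11:52:00", 4625, "10.0.0.5"),
    ("2024-10-10T11:54:00", 4625, "10.0.0.5"),
    ("2024-10-10T11:56:00", 4625, "10.0.0.5"),
    ("2024-10-10T11:58:00", 4625, "10.0.0.5"),
    ("2024-10-10T11:59:00", 4624, "10.0.0.5"),  # successful logon, not matched by selection1
    # 10.0.0.9: six failed logons five hours ago -> outside the timeframe, must not fire
    *[(f"2024-10-10T07:0{m}:00", 4625, "10.0.0.9") for m in range(6)],
    # 10.0.0.7: three recent failures -> under the threshold
    ("2024-10-10T11:51:00", 4625, "10.0.0.7"),
    ("2024-10-10T11:53:00", 4625, "10.0.0.7"),
    ("2024-10-10T11:55:00", 4625, "10.0.0.7"),
]

def count_failures(events, since=None, until=None):
    """Count event.id 4625 per source.ip, optionally restricted to [since, until]."""
    counts = defaultdict(int)
    for ts, event_id, ip in events:
        t = datetime.fromisoformat(ts)
        if event_id != 4625:
            continue
        if since is not None and t < since:
            continue  # this time filter is what the report says the plugin is not applying
        if until is not None and t > until:
            continue
        counts[ip] += 1
    return counts

def findings_expected(events, now=NOW, timeframe=timedelta(minutes=15), threshold=4):
    """Expected behaviour: only events inside the rule's timeframe are aggregated."""
    counts = count_failures(events, since=now - timeframe, until=now)
    return {ip: n for ip, n in counts.items() if n > threshold}

def findings_observed(events, threshold=4):
    """Observed behaviour from the report: the whole index is aggregated, so stale events fire."""
    counts = count_failures(events)
    return {ip: n for ip, n in counts.items() if n > threshold}

if __name__ == "__main__":
    print("expected:", findings_expected(EVENTS))  # {'10.0.0.5': 5}
    print("observed:", findings_observed(EVENTS))  # {'10.0.0.5': 5, '10.0.0.9': 6}
```

The stale 10.0.0.9 entry only appears in the unbounded aggregation, which matches the "documents from 5 hours ago" seen in the findings.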