
Posted by User Bot


05 Feb, 2025

Updated at 15 Feb, 2025

How does the look-back time of detection rules work?

What time period do rules look over when they are run (automatically)? Is that defined by the look-back time we set?

If that's the case, I've come across some odd behavior from a custom threshold rule (grouped by 3 occurrences on the same host.name) where I've set the look-back time to 1 second (for testing purposes). Yet when I run a preview, these events trigger an alert despite spanning a 4-second period:

Feb 5, 2025 @ 10:16:10.306
Feb 5, 2025 @ 10:16:08.209
Feb 5, 2025 @ 10:16:06.091

I must be misunderstanding the time period that rules look over and how it is defined. Could someone clarify this issue?

1 post - 1 participant

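The behaviour described in the post is easier to reason about once the query window is written out. In Elastic Security a scheduled rule execution (and the rule preview) searches from `now - interval - additional look-back time` up to `now`: the look-back is added on top of the rule interval to cover scheduling jitter, it is not the window by itself. A threshold rule then counts all matching events per grouping field inside that whole window, so the three events only need to fall within the window, not within one second of each other. The following is an added Python simulation of that evaluation, not Elastic's own code: the events are constructed from the three timestamps in the post plus two filler events on a second host, the 5-minute interval is an assumption (the default for a new custom rule), and the `host.name` grouping and threshold of 3 are taken from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events: the three timestamps quoted in the post, all on one
# host, plus two unrelated events on a second host so the grouping matters.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-02-05T10:16:10.306Z", "host.name": "web-01"},
    {"@timestamp": "2025-02-05T10:16:08.209Z", "host.name": "web-01"},
    {"@timestamp": "2025-02-05T10:16:06.091Z", "host.name": "web-01"},
    {"@timestamp": "2025-02-05T10:16:09.000Z", "host.name": "web-02"},
    {"@timestamp": "2025-02-05T10:10:00.000Z", "host.name": "web-02"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with millisecond precision."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def query_window(now, interval, lookback):
    """Return (start, end) of the range a rule execution searches.

    The window is the rule interval plus the additional look-back time
    (Elastic's documented behaviour); the look-back alone is not the window.
    """
    return now - interval - lookback, now


def evaluate_threshold_rule(events, now, interval, lookback,
                            group_by="host.name", threshold=3):
    """Simulate one execution of a threshold rule.

    Counts every event whose timestamp falls inside the query window, per
    value of the grouping field, and returns the groups that reached the
    threshold. There is no proximity requirement between the events
    themselves; the window is the only time constraint.
    """
    start, end = query_window(now, interval, lookback)
    counts = defaultdict(int)
    for event in events:
        ts = parse_ts(event["@timestamp"])
        if start <= ts <= end:
            counts[event[group_by]] += 1
    return {group: n for group, n in counts.items() if n >= threshold}


# Assumed execution time: one second after the newest event in the post.
NOW = parse_ts("2025-02-05T10:16:11.000Z")


def post_scenario():
    """Assumed 5-minute interval plus the 1-second look-back from the post.

    The window runs from 10:11:10 to 10:16:11, so all three web-01 events are
    counted and the threshold of 3 is met, which is what the preview showed.
    """
    return evaluate_threshold_rule(SAMPLE_EVENTS, NOW,
                                   interval=timedelta(minutes=5),
                                   lookback=timedelta(seconds=1))


def lookback_only_scenario():
    """Hypothetical case where the look-back alone defined the window.

    With a 1-second window only the 10:16:10.306 event is in range, so no
    group reaches the threshold. This is the behaviour the post expected,
    and it does not happen because the interval is always part of the window.
    """
    return evaluate_threshold_rule(SAMPLE_EVENTS, NOW,
                                   interval=timedelta(0),
                                   lookback=timedelta(seconds=1))


if __name__ == "__main__":
    print("interval + look-back:", post_scenario())
    print("look-back only:", lookback_only_scenario())
```

To make a threshold rule fire only for events clustered within a few seconds, shortening the look-back is not enough; the interval would also have to be that short, and in practice the time constraint is better expressed in the query itself.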