I have created a simple alert in ESA, however it is not triggering at all. The meta keys used in the correlation are device_type and ec_outcome, and it needs to trigger when it reaches a threshold of, say, 50 events. The rule shows as valid.
Can someone help me with some pointers as to why this is not triggering?
Please refer to the attached images showing the correlation rule and a sample log file with the meta key details.
Thanks in advance!!