I would like help on grouping/aggregation in ESA. When I create a rule with a threshold, the alert triggers at the defined threshold and does not include events over and above the defined threshold.
For example, let's consider a rule where I am looking for 10 failed login events in 1 minute from the same user. The alert fires when there are 10 such events, and the alert shows these 10 events associated with it. But if there are more than 10 events from the same user, the count does not go up in the Alert view. I would like the exact number of events to show in the Alert view for the defined timeline, and if there are future events from the same user, they should be added to the same alert rather than creating a different alert.
As you can see in the pic above, the alert shows 10 events even though I injected 15 or more events for each unique user.
Is that possible?
Also, in the alert detail view, sometimes the username does not show even though it is present in the raw log and is being parsed. Is there any configuration that needs to be defined for the alert view to be associated with specific meta keys?
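To make the requested behaviour concrete, here is an added example (not ESA/EPL code and not from the original post) that models a per-user sliding-window correlation: an alert opens when 10 failed logins for one user land inside a 1-minute window, later failures that still fall inside that window are folded into the same alert so its count keeps growing (15 events gives one alert with count 15), and a burst that starts after the window has expired opens a new alert. Event tuples, user names and timestamps are constructed for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # the "1 minute" in the rule
THRESHOLD = 10                  # the "10 failed logins" in the rule
BASE = datetime(2024, 1, 1, 12, 0, 0)  # constructed start time


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """events: (timestamp, user) tuples in time order.
    Returns {user: [alert, ...]}; each alert is a dict with the first/last
    timestamp it covers and the running event count."""
    recent = defaultdict(deque)   # user -> timestamps inside the window
    alerts = defaultdict(list)
    for ts, user in events:
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that aged out
            q.popleft()
        if len(q) < threshold:
            continue                      # below threshold, nothing to do
        user_alerts = alerts[user]
        if user_alerts and ts - user_alerts[-1]["first"] <= window:
            # still inside the open alert's window: aggregate, don't re-alert
            user_alerts[-1]["count"] += 1
            user_alerts[-1]["last"] = ts
        else:
            # threshold reached outside any open alert: open a new one
            user_alerts.append({"first": q[0], "last": ts, "count": len(q)})
    return dict(alerts)


def make_events(user, start, n, step_seconds):
    """Constructed sample: n failed logins for user, step_seconds apart."""
    return [(start + timedelta(seconds=i * step_seconds), user) for i in range(n)]


def demo():
    events = sorted(
        make_events("alice", BASE, 15, 2)                           # 15 in 28 s
        + make_events("bob", BASE, 9, 2)                            # never reaches 10
        + make_events("carol", BASE, 10, 2)                         # burst 1
        + make_events("carol", BASE + timedelta(seconds=90), 10, 2)  # burst 2, later
    )
    return correlate(events)


if __name__ == "__main__":
    for user, found in demo().items():
        print(user, [(a["count"], a["first"].time(), a["last"].time()) for a in found])
```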