ESA rules - adding events to alert

Question asked by Bohdan Rylko on Aug 2, 2019
I am creating ESA Rules, but I see that an alert generated by these rules usually contains only one event, not all the events that participated in the creation of the alert. I would like to add all related events to the alert for some of the rules.


Example of one of the rules:

<some filters here>
GROUP BY (esa_time).withTime(0, 0, 0, 0), user_src
HAVING COUNT(*) = 10 ;

This rule triggers an alert when we receive 10 events of a specific type in one calendar day. The alert contains only the 10th event.

How can I add all 10 events to the alert?

I know that one of the possibilities is using a batch window or a time batch window to accumulate the events until a specific amount or time is reached and then release them all into the alert. Is there any other way to achieve that?