Extend queryPeriod & avoid redundancies#11
Open
Robin-Haeussler wants to merge 1 commit into f-bader:master from
Conversation
Increased queryPeriod from 12 minutes to 22 minutes to counter a potential blindspot.
Hi @f-bader, I believe I've found a potential blindspot in the detection, due to too short a queryPeriod based on the time span set in your query. Let me explain this via a fictional example: the enumeration event happens at 11:55 and the GetBlob event at 12:03, so the detection should hit on those events in theory. If the detection runs at 12:00, nothing happens since only one event (enumeration) has occurred thus far. If it then runs at 12:10 again, due to its 10m queryFrequency, it picks up the second event (GetBlob at 12:03); however, it will not hit since the enumeration has slipped out of the lookback (it happened 15m ago, but our queryPeriod is only 12m). So to solve this, what do you think about this proposed change to queryPeriod? The change to the query with new line 36 would eliminate potential redundant alerting as a result of the increased queryPeriod.
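The scheduling behaviour described in the comment, as an added simulation that is not part of the repository or this PR: a rule runs every queryFrequency minutes, each run sees only events in the lookback window (run time minus queryPeriod, run time], and it alerts when an enumeration event and a later GetBlob event are both in view. The dedupe flag models the intent of the extra query line (suppressing a pair that already alerted on an earlier run); that modelling is an assumption, not the rule's actual KQL.

```python
from datetime import datetime, timedelta

# Constructed events and run times all sit on one fixed day.
DAY = datetime(2024, 1, 1)

def t(hhmm):
    """'HH:MM' -> datetime on the fixed day."""
    h, m = map(int, hhmm.split(":"))
    return DAY.replace(hour=h, minute=m)

def ev(op, hhmm):
    """Constructed storage event: op is 'enumeration' or 'GetBlob'."""
    return {"op": op, "ts": t(hhmm)}

def simulate(events, first_run, last_run, query_frequency, query_period, dedupe=False):
    """Return 'HH:MM' run times at which the rule would raise an alert.

    query_frequency / query_period are minutes, as in the analytics rule.
    dedupe=True is an assumed model of the PR's new query line: an
    (enumeration, GetBlob) pair that already alerted is not alerted again.
    """
    freq, period = timedelta(minutes=query_frequency), timedelta(minutes=query_period)
    seen, hits = set(), []
    run_at = first_run
    while run_at <= last_run:
        window = [e for e in events if run_at - period < e["ts"] <= run_at]
        enums = [e["ts"] for e in window if e["op"] == "enumeration"]
        gets = [e["ts"] for e in window if e["op"] == "GetBlob"]
        pairs = {(a, b) for a in enums for b in gets if a < b}
        if dedupe:
            pairs -= seen
        if pairs:
            hits.append(run_at.strftime("%H:%M"))
            seen |= pairs
        run_at += freq
    return hits

if __name__ == "__main__":
    # Scenario from the comment: enumeration 11:55, GetBlob 12:03, runs every 10m.
    blindspot = [ev("enumeration", "11:55"), ev("GetBlob", "12:03")]
    print(simulate(blindspot, t("12:00"), t("12:30"), 10, 12))  # [] -> missed
    print(simulate(blindspot, t("12:00"), t("12:30"), 10, 22))  # ['12:10']
    # Events 4m apart: with a 22m lookback two consecutive runs see the same
    # pair, so without deduplication the rule alerts twice.
    close = [ev("enumeration", "11:59"), ev("GetBlob", "12:03")]
    print(simulate(close, t("12:00"), t("12:30"), 10, 22))               # ['12:10', '12:20']
    print(simulate(close, t("12:00"), t("12:30"), 10, 22, dedupe=True))  # ['12:10']
```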