We ran the following ES|QL query and see no datasets causing the alerts:

```esql
from logs-*
| where host.id is not null and elastic_agent.id is not null
| stats hosts_per_agent = count_distinct(host.id) by elastic_agent.id, data_stream.dataset
| where hosts_per_agent > 1
| sort hosts_per_agent desc
| keep hosts_per_agent, data_stream.dataset
```
Link to Rule
No response
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
Related to #3613
Receiving a very high rate of false positives for this rule.
The `host.id` is null for these alerts.
Rule is up to date with changes from #3790
Example Data
No response
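A note on the triage query, with an added example (editor's code, not part of the issue or of the detection-rules repository): the query's `where host.id is not null` clause drops every document that has no `host.id`, which is exactly the population the report describes, so the query cannot show which dataset those documents come from. The Python below emulates the query's aggregation over constructed sample events and adds the complementary check a tuner would want: a per-dataset count of events whose `host.id` is missing. Event contents, agent ids and dataset names are made up; field names mirror those in the query.

```python
"""Emulation of the issue's ES|QL aggregation plus a null-host.id check.

Added example, not from the issue. SAMPLE_EVENTS is constructed data using
flattened ECS-style field names (host.id, elastic_agent.id, data_stream.dataset).
"""
from collections import defaultdict

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"host.id": "h1", "elastic_agent.id": "agent-a", "data_stream.dataset": "system.syslog"},
    {"host.id": "h1", "elastic_agent.id": "agent-a", "data_stream.dataset": "system.syslog"},
    # One agent id seen with two distinct host.id values: the query reports this.
    {"host.id": "h1", "elastic_agent.id": "agent-b", "data_stream.dataset": "endpoint.events.process"},
    {"host.id": "h2", "elastic_agent.id": "agent-b", "data_stream.dataset": "endpoint.events.process"},
    # host.id absent or explicitly null: the shape the issue describes for its alerts.
    {"host.id": None, "elastic_agent.id": "agent-c", "data_stream.dataset": "aws.cloudtrail"},
    {"elastic_agent.id": "agent-c", "data_stream.dataset": "aws.cloudtrail"},
    {"host.id": None, "elastic_agent.id": "agent-d", "data_stream.dataset": "aws.cloudtrail"},
    # No elastic_agent.id at all: filtered out by the query's second condition.
    {"host.id": "h9", "data_stream.dataset": "system.syslog"},
]


def hosts_per_agent(events):
    """Emulate the issue's query:

        where host.id is not null and elastic_agent.id is not null
        | stats hosts_per_agent = count_distinct(host.id) by elastic_agent.id, data_stream.dataset
        | where hosts_per_agent > 1
        | sort hosts_per_agent desc
        | keep hosts_per_agent, data_stream.dataset

    Returns a list of (hosts_per_agent, dataset) tuples, highest count first.
    Documents with a null host.id never reach the aggregation, which is why
    the query is blind to the population described in the report.
    """
    distinct_hosts = defaultdict(set)
    for ev in events:
        agent = ev.get("elastic_agent.id")
        host = ev.get("host.id")
        if agent is None or host is None:
            continue  # the WHERE clause
        distinct_hosts[(agent, ev.get("data_stream.dataset"))].add(host)
    rows = [(len(hosts), dataset)
            for (_agent, dataset), hosts in distinct_hosts.items()
            if len(hosts) > 1]
    rows.sort(key=lambda row: row[0], reverse=True)
    return rows


def null_host_id_by_dataset(events):
    """Complementary check: how many events per dataset carry no host.id.

    This is the breakdown the triage query above cannot produce, since it
    discards null-host.id documents before aggregating.
    """
    counts = defaultdict(int)
    for ev in events:
        if ev.get("host.id") is None:
            counts[ev.get("data_stream.dataset")] += 1
    return dict(counts)


if __name__ == "__main__":
    print("hosts_per_agent > 1:", hosts_per_agent(SAMPLE_EVENTS))
    print("events with null host.id per dataset:", null_host_id_by_dataset(SAMPLE_EVENTS))
```

Run against the constructed events, the first function returns only the `endpoint.events.process` row, while the second shows the three null-`host.id` events all sitting in `aws.cloudtrail`; an equivalent ES|QL breakdown would be `from logs-* | where host.id is null | stats c = count() by data_stream.dataset`.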