I am looking for the count of alerts based on the time period in which they occurred.
For example: excessive failed logins have occurred 250 times in the last 24 hrs,
or a watchlisted event has been observed 10 times in the last 24 hrs.
I see that this feature is available in Security Posture, but since it uses 'es_notable_events' it takes events from outside the time boundaries.
I think you're asking how to show alerts that exceed a pre-defined threshold within a fixed time period. If so, can you try this:
index=[index_name] action=failed | bucket _time span=24h | stats count by _time,src_ip,username | where count >= 250
I think it might be better to narrow your time window because if someone were trying to brute-force a login, it would be a high fail count in a short amount of time unless they are really trying to be covert. 250 events in 24 hours is averaging 10/hour. I'd look for something like >10 in 5 minutes. Unless of course your system locks the account after X failed logins within 15 mins or so, hence the slow roll of 250 over the course of 24 hours. Just a thought!
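The same threshold check as an added, stand-alone example in Python rather than SPL (not code from the answer above): fixed epoch-aligned buckets at 24h/250 versus 5 minutes/10 over a few constructed log lines, plus a sliding-window peak count that a bucket boundary cannot split. The field names src_ip, username and action follow the search above; the sample lines and values are made up.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log lines (not from the thread): ISO-8601 UTC timestamp, then
# key=value fields. A 12-failure burst in under three minutes from one source, a slow
# roll of four failures spread over the day from another, and one success.
SAMPLE_LOG = (
    [f"2024-05-01T10:{m:02d}:{s:02d}Z src_ip=10.0.0.5 username=alice action=failed"
     for m, s in ((0, 5), (0, 19), (0, 40), (0, 58), (1, 3), (1, 11),
                  (1, 30), (1, 47), (2, 2), (2, 20), (2, 38), (2, 55))]
    + [f"2024-05-01T{h:02d}:15:00Z src_ip=10.0.0.9 username=bob action=failed"
       for h in (1, 7, 13, 19)]
    + ["2024-05-01T10:03:10Z src_ip=10.0.0.5 username=alice action=success"]
)

def parse_line(line):
    """Return (epoch_seconds, src_ip, username, action) for one key=value log line."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()), kv["src_ip"], kv["username"], kv["action"]

def failed_logins(lines):
    """Parsed events with action=failed, i.e. the `action=failed` filter of the search."""
    return [e for e in map(parse_line, lines) if e[3] == "failed"]

def over_threshold(lines, span_seconds, threshold):
    """(src_ip, username) pairs with at least `threshold` failures inside one fixed,
    epoch-aligned bucket: `bucket _time span=X | stats count by _time,src_ip,username
    | where count >= N`."""
    counts = Counter((ts - ts % span_seconds, src, user)
                     for ts, src, user, _ in failed_logins(lines))
    return sorted({(src, user) for (_, src, user), n in counts.items() if n >= threshold})

def peak_in_sliding_window(lines, span_seconds):
    """Peak failure count per (src_ip, username) over any window of span_seconds.
    Unlike fixed buckets this cannot split one burst across a bucket boundary."""
    per_pair = {}
    for ts, src, user, _ in failed_logins(lines):
        per_pair.setdefault((src, user), []).append(ts)
    peaks = {}
    for pair, stamps in per_pair.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= span_seconds:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        peaks[pair] = best
    return peaks
```

With this data, `over_threshold(SAMPLE_LOG, 24 * 3600, 250)` returns nothing while `over_threshold(SAMPLE_LOG, 300, 10)` flags the burst, which is the point made above about narrowing the window.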