I want to create an alert as soon as an application gets started (in this case Firefox). But somehow, 4 or more alerts always get triggered. The alerts are exactly the same as each other; there is not a single difference in the whole alert. How can I make it so that I only get one alert for all of these identical alerts, which also occur at the exact same time? (Also, when I just use it as a search, it works perfectly fine.)
My Search:
source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe") | stats first(*) by ParentProcessId
My Alert conditions:
Real-Time
Number of Results: Equals 2 (It only works with 2, don't know why)
In 1 Minute
Triggers Once
Add to Triggered Alerts
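Added example (not from the original post, and not SPL): a small Python model of why one Firefox launch shows up as several Sysmon Event ID 1 records that all match Image=firefox.exe, and two ways to get a single alert out of them. It assumes a process tree in which a first firefox.exe (started from explorer.exe) spawns the main browser process, which in turn spawns helper processes, all with the same Image; that tree, the PIDs, GUIDs and timestamps are constructed sample data, and only the field names (UtcTime, ProcessGuid, ProcessId, Image, ParentProcessId, ParentImage) follow Sysmon's Event ID 1. `root_launches` keeps only the event whose parent is not firefox.exe itself, `group_by_parent` mimics `stats ... by ParentProcessId` to show why that search returns more than one row per launch, and `throttle` suppresses field-for-field identical alerts inside a time window, which is the behaviour wanted when several identical results arrive at the same moment.

```python
"""Collapse duplicate process-start alerts from Sysmon Event ID 1 records.

Constructed example; the events below are made up and only the field names
follow Sysmon Event ID 1.
"""
from datetime import datetime

FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EXPLORER = r"C:\Windows\explorer.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"


def _ev(utc, guid, pid, image, ppid, pimage):
    return {"UtcTime": utc, "ProcessGuid": guid, "ProcessId": pid,
            "Image": image, "ParentProcessId": ppid, "ParentImage": pimage}


# Constructed sample data: one user launch of Firefox at 09:00, a second at 09:05,
# plus an unrelated notepad.exe start that must never alert.
SAMPLE_EVENTS = [
    # first firefox.exe started by the user (assumed launcher process)
    _ev("2024-01-10 09:00:00.100", "{g-1}", 4120, FIREFOX, 3000, EXPLORER),
    # main browser process, spawned by the process above
    _ev("2024-01-10 09:00:00.400", "{g-2}", 4188, FIREFOX, 4120, FIREFOX),
    # helper/content processes, spawned by the main process
    _ev("2024-01-10 09:00:01.000", "{g-3}", 4250, FIREFOX, 4188, FIREFOX),
    _ev("2024-01-10 09:00:01.200", "{g-4}", 4272, FIREFOX, 4188, FIREFOX),
    _ev("2024-01-10 09:00:02.000", "{g-5}", 4300, NOTEPAD, 3000, EXPLORER),
    # a second, separate launch five minutes later
    _ev("2024-01-10 09:05:00.000", "{g-6}", 5120, FIREFOX, 3000, EXPLORER),
]


def parse_utc(s):
    """Sysmon UtcTime is 'YYYY-MM-DD HH:MM:SS.fff'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def root_launches(events, image=FIREFOX):
    """Keep only events that begin a new launch of `image`: the Image matches and
    the parent is a different binary. Children of an already running instance
    (same Image as parent) are dropped, so one launch yields one event."""
    img = image.lower()
    return [e for e in events
            if e["Image"].lower() == img and e["ParentImage"].lower() != img]


def group_by_parent(events, image=FIREFOX):
    """Mimic `search Image=<image> | stats count by ParentProcessId`: every distinct
    parent PID becomes its own row, which is why one launch yields several rows."""
    counts = {}
    for e in events:
        if e["Image"].lower() == image.lower():
            counts[e["ParentProcessId"]] = counts.get(e["ParentProcessId"], 0) + 1
    return counts


def throttle(alerts, key_fields, window_seconds=60):
    """Suppress an alert whose key fields equal one already fired less than
    `window_seconds` earlier. Returns the alerts that would actually fire."""
    last_fired = {}
    fired = []
    for a in sorted(alerts, key=lambda a: parse_utc(a["UtcTime"])):
        key = tuple(a[f] for f in key_fields)
        t = parse_utc(a["UtcTime"])
        prev = last_fired.get(key)
        if prev is None or (t - prev).total_seconds() >= window_seconds:
            last_fired[key] = t
            fired.append(a)
    return fired


def demo(events=SAMPLE_EVENTS):
    """Summarise the three views over the sample data."""
    firefox_events = [e for e in events if e["Image"].lower() == FIREFOX.lower()]
    return {
        "raw_matches": len(firefox_events),
        "rows_by_parent": group_by_parent(events),
        "root_launches": [e["ProcessId"] for e in root_launches(events)],
        "throttled_60s": [e["ProcessId"] for e in throttle(firefox_events, ("Image",))],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Keying the throttle on `Image` alone means any firefox.exe start within the window is treated as the same alert; keying on `ProcessGuid` would defeat the throttle because every process has a unique GUID, so choose key fields that are genuinely identical across the duplicates you want to merge.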