The outer query is the event query, and the inner query is the event query.

The outer query is the event query, and the inner query is the CMDB query.

The outer query is the CMDB query, and the inner query is the event query.

The outer query is the CMDB query, and the inner query is the CMDB query.

Group By automatically applies a COUNT aggregation.

Group By is applied to real-time and historical searches.

Group By cannot be applied to an aggregated function.

Group By is applied to historical searches only.

1800 seconds

Null

1 day

30 minutes

The rule filters events with an event type that equals Domain Account Locked and a reporting IP that equals Domain Controller applications.

The rule filters events with an event type that belong to the Domain Account
Locked CMDB group or a reporting IP that belong to the Domain Controller applications group.

The rule filters events with an event type that belong to the Domain Account Locked CMDB group and a reporting IP that belong to the Domain Controller applications group.

The rule filters events with an event type that belong to the Domain Account Locked CMDB group and a user that belongs to the Domain Controller applications group.

Within five minutes, the packet loss percentage dropped to a level where the host IP of the original rule matches the host IP of the clear condition pattern

Within five minutes the packet loss percentage dropped to a level where the reporting IP is the same as the host IP

The original rule did not trigger within five minutes

Within five minutes, the packet loss percentage dropped to a level where the reporting IP is same as the source IP