I would love to have a threshold for the first event until a specific daily time.
Let's say, for example, I want the first event X to be notified, then the threshold resets at 17:00 daily; until the reset time I do not receive any more alerts.
Due to recent information security requirements, we need to raise alerts whenever an elevated account is used, although in our company we have a few user accounts which have elevated access and are used normally.
So we have created an event alert on audit event 4624 to send an MS Teams message to a specific group whenever one of those accounts logs in.
This event raises too many alerts, so we have placed a threshold on username/IP/logon type to avoid too many alerts, but it would be quite nice if those alerts reset at specific times.
Ultimately, what we need is to detect any possible "anomalous usage" of privileged accounts in "real time" and also register it for later analysis; this way info-sec will be happy (since there is no way to require two-factor for local AD logins).
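The behaviour asked for above, written out as an added example that is not part of the original post and not EventSentry's own code: a threshold of one alert per (account, IP, logon type) key that resets at 17:00 daily, evaluated over a few constructed 4624-style logon records. The privileged account names, IPs and timestamps are assumptions made up for the example.

```python
from datetime import datetime, time, timedelta

# Hypothetical privileged accounts the alert is scoped to (assumed, not from the thread).
PRIVILEGED = {"CORP\\adm_jane", "CORP\\svc_backup"}
RESET_AT = time(17, 0)  # daily reset time described in the question

def window_id(ts: datetime) -> str:
    """Identify the threshold window a timestamp falls in.
    A window runs from 17:00 one day to 17:00 the next, so an event
    before 17:00 belongs to the window that began the previous day."""
    day = ts.date() if ts.time() >= RESET_AT else ts.date() - timedelta(days=1)
    return day.isoformat()

def evaluate(events):
    """Return the events that should be forwarded (e.g. to a Teams channel).
    Each (account, ip, logon_type) key alerts once per window, i.e. a
    threshold of 1 that resets at RESET_AT every day; later logons for the
    same key are suppressed until the next window. Non-privileged accounts
    are ignored. All events are assumed to be Event ID 4624."""
    seen = {}   # key -> window in which it last alerted
    alerts = []
    for ev in events:
        if ev["account"] not in PRIVILEGED:
            continue
        key = (ev["account"], ev["ip"], ev["logon_type"])
        win = window_id(ev["ts"])
        if seen.get(key) != win:
            seen[key] = win
            alerts.append(ev)
    return alerts

# Constructed sample 4624 logons (not real log data).
SAMPLE = [
    {"ts": datetime(2024, 3, 4, 9, 5),   "account": "CORP\\adm_jane", "ip": "10.0.0.5",  "logon_type": 10},
    {"ts": datetime(2024, 3, 4, 9, 30),  "account": "CORP\\adm_jane", "ip": "10.0.0.5",  "logon_type": 10},
    {"ts": datetime(2024, 3, 4, 11, 0),  "account": "CORP\\adm_jane", "ip": "10.0.0.77", "logon_type": 3},
    {"ts": datetime(2024, 3, 4, 12, 0),  "account": "CORP\\jdoe",     "ip": "10.0.0.5",  "logon_type": 2},
    {"ts": datetime(2024, 3, 4, 17, 15), "account": "CORP\\adm_jane", "ip": "10.0.0.5",  "logon_type": 10},
    {"ts": datetime(2024, 3, 5, 8, 0),   "account": "CORP\\adm_jane", "ip": "10.0.0.5",  "logon_type": 10},
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE):
        print(ev["ts"], ev["account"], ev["ip"], ev["logon_type"])
```

The 09:30 and 08:00 logons are suppressed as repeats within their window, while the 17:15 logon alerts again because the 17:00 reset has passed; every suppressed event would still be written to the log for later analysis.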
You are correct, thresholds start whenever the first event is logged, and there is not currently a way to reset them at a specific time.
May I ask what you are ultimately trying to achieve with this setup? There may be a work-around using filter timers in EventSentry. If you can tell us exactly what you are trying to achieve then we can hopefully come up with a way to do this without adding additional functionality.