[AI team Event iQ telemetry]
action.email.sendresults                   = 0
action.outputtelemetry                     = 1
action.outputtelemetry.param.anonymous     = 1
action.outputtelemetry.param.support       = 0
action.outputtelemetry.param.license       = 0
action.outputtelemetry.param.optinrequired = 3
action.outputtelemetry.param.component     = app.SA-ITSI-AlertCorrelation
action.outputtelemetry.param.input         = data
action.outputtelemetry.param.type          = aggregate
alert.track                                = false
counttype                                  = number of events
relation                                   = greater than
quantity                                   = 0
cron_schedule                              = 33 3 * * *
description                                = Sends anonymous telemetry for the AI teams aspect of Event iQ in ITSI
disabled                                   = False
dispatch.earliest_time                     = -1d@d
dispatch.latest_time                       = @d
enableSched                                = 1
is_visible                                 = false
schedule_window                            = auto
search                                     = index="_internal" source=*rules* itsi_ai_telemetry \
| rex field=_raw "itsi_ai_telemetry: (?<message>.*)" \
| stats count by message \
| table message, count \
| tojson output_field=data \
| table data