Newly created Incident Management (IM) aggregation rules for ESA alerts process old alerts. For instance, if an aggregation rule is created today, the alerts shown in Incident Management > Alerts or in SecOps Incidents can go as far back as a couple of months.
By default, an aggregation rule looks up all the alerts in the alert database, regardless of when the rule was created.
The aggregation rule has an option to select alerts based on "Date Created". Add a condition on "Date Created" that is greater than or equal to the desired date in the aggregation rule itself, so that only alerts created on or after that date are aggregated.
In version 11.x, if Query Mode is set to Advanced for incident rules, use the syntax below to restrict incident creation to alerts created on or after the required date.