Creating a threshold based rule in the detection engine

I'm managing logs of a particular server. I'm defining the activity of a person with some username as suspicious if there is a sudden increase in their activity (i.e., the user logs into the server 100 times whereas on average they log in fewer than 50 times).

Help me create a threshold-based rule in the detection engine. If this is not possible this way, suggest me a way. My logs look like this:

10.0.0.10 - username [21/Sep/2020:04:27:18 +0000] "GET /svn/repos HTTP/1.1" 200 289

Is this task achievable by elastalert, if not here?
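One way to do the comparison the question describes outside the detection engine, as an added example that is not code from the thread or from Elastic: parse lines in the format shown above, count events per user per day, and flag a user whose count for the day under review is at least twice their average over the earlier days. The sample log lines are constructed here; the assumptions are that each log line counts as one login event (as the question treats them), that the day is the baseline window, and that "more than double the average" is the threshold (the question's 100 versus fewer than 50).

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Pattern for the combined-log-style line shown in the question:
# ip - username [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def daily_counts(lines):
    """Return {user: {date: count}}, counting one event per parseable line."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        counts[rec["user"]][rec["ts"].date()] += 1
    return counts


def find_spikes(counts, target_day, min_history=1, ratio=2.0):
    """Flag users whose count on target_day is at least `ratio` times their
    average daily count over earlier days. Users with fewer than
    `min_history` earlier days have no baseline and are not flagged."""
    alerts = []
    for user, per_day in counts.items():
        history = [c for d, c in per_day.items() if d < target_day]
        if len(history) < min_history:
            continue
        baseline = sum(history) / len(history)
        today = per_day.get(target_day, 0)
        if today >= ratio * baseline:
            alerts.append((user, today, baseline))
    return sorted(alerts)


def make_lines(user, day, n, ip="10.0.0.10"):
    """Constructed sample lines (assumption: one line per login event)."""
    return [
        f'{ip} - {user} [{day}:04:{i // 60:02d}:{i % 60:02d} +0000] '
        f'"GET /svn/repos HTTP/1.1" 200 289'
        for i in range(n)
    ]


# Constructed sample data: alice jumps from 40/day to 100 on 21 Sep,
# bob stays close to his average, plus one unparseable line.
SAMPLE_LOGS = (
    make_lines("alice", "19/Sep/2020", 40)
    + make_lines("alice", "20/Sep/2020", 40)
    + make_lines("alice", "21/Sep/2020", 100)
    + make_lines("bob", "19/Sep/2020", 40)
    + make_lines("bob", "20/Sep/2020", 40)
    + make_lines("bob", "21/Sep/2020", 45)
    + ["garbage line that does not parse"]
)

TARGET_DAY = date(2020, 9, 21)


def run_example():
    """Alerts for the constructed sample on the target day."""
    return find_spikes(daily_counts(SAMPLE_LOGS), TARGET_DAY)


if __name__ == "__main__":
    for user, today, baseline in run_example():
        print(f"{user}: {today} events today vs. baseline {baseline:.1f}/day")
```

The `min_history` guard matters in practice: a username seen for the first time has no baseline, so a pure ratio test would either divide by zero or flag every new account; decide separately how first-day users should be handled.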

Machine learning might be able to achieve this.

Yes, this would be best solved with a Machine Learning rule, because Elastic doesn't do baselining and trigger rules based on going above the baseline. So Machine Learning will be your best bet. You should join the Slack for a quicker response: Join Elastic Stack Community on Slack - Community Inviter.
