I'm managing the logs of a particular server. I'm defining the activity of a person with some username to be suspicious if there is a sudden increase in their activity (i.e., the user logs into the server 100 times whereas on average he logs in less than half that, <50).
Help me create a threshold-based rule in the detection engine. If this is not possible that way, suggest a way to me. My logs look like this:
Yes, this would be best solved with a Machine Learning rule, because Elastic doesn't do baselining and trigger rules based on going above the baseline. So Machine Learning will be your best bet. You should join the Slack for a quicker response: https://ela.st/slack.
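The per-user baseline comparison the question describes (current login count versus the user's own historical average), as an added example that is not part of this thread and not Elastic's rule logic. The log line format (`<timestamp> <action> user=<name>`), the user names and the counts are constructed for illustration.

```python
from collections import defaultdict


def _build_sample_logs():
    """Constructed sample log lines: seven quiet days, then a spike for alice."""
    lines = []
    for day in range(1, 8):
        lines += [f"2024-01-{day:02d}T08:00:00Z login user=alice"] * 40
        lines += [f"2024-01-{day:02d}T08:00:00Z login user=bob"] * 10
    lines += ["2024-01-08T08:00:00Z login user=alice"] * 100  # alice: 100 vs ~40
    lines += ["2024-01-08T08:00:00Z login user=bob"] * 12     # bob: 12 vs ~10
    lines += ["2024-01-08T09:00:00Z logout user=bob"]        # non-login event, ignored
    return lines


SAMPLE_LOGS = _build_sample_logs()


def count_logins_per_day(lines):
    """Return {user: {day: login_count}} from lines shaped '<ts> <action> user=<name>'."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[1] != "login" or not parts[2].startswith("user="):
            continue  # skip malformed lines and non-login actions
        user = parts[2].split("=", 1)[1]
        day = parts[0][:10]  # ISO date prefix of the timestamp
        counts[user][day] += 1
    return counts


def find_suspicious(counts, target_day, ratio=2.0, min_history_days=3):
    """Flag users whose logins on target_day exceed ratio * their historical daily average.

    Users with fewer than min_history_days of prior activity are skipped: a brand-new
    account has no baseline to compare against and would otherwise always alert.
    """
    flagged = {}
    for user, per_day in counts.items():
        history = [c for d, c in per_day.items() if d < target_day]
        if len(history) < min_history_days:
            continue
        baseline = sum(history) / len(history)
        today = per_day.get(target_day, 0)
        if today > ratio * baseline:
            flagged[user] = (today, baseline)
    return flagged


if __name__ == "__main__":
    for user, (today, base) in find_suspicious(count_logins_per_day(SAMPLE_LOGS), "2024-01-08").items():
        print(f"suspicious: {user} logged in {today} times, baseline {base:.1f}/day")
```

Days with zero logins do not appear in the counts, so the baseline is an average over active days only; include explicit zero-count days if an idle user suddenly becoming active should count as a spike.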