I'm managing the logs of a particular server. I'm defining the activity of a person with some username as suspicious if there is a sudden increase in their activity (i.e., the user logs into the server 100 times whereas on average he logs in fewer than half that, <50).
Help me create a threshold-based rule in the detection engine. If this is not possible with it, suggest another way. My logs look like this:
10.0.0.10 - username [21/Sep/2020:04:27:18 +0000] "GET /svn/repos HTTP/1.1" 200 289
Is this task achievable with ElastAlert, if not here?
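For reference, the threshold logic described above (flag a user whose request count today is at least twice their per-day average) run over constructed log lines in the same combined-log format. This is an added example, not code from the original post or from ElastAlert; the user names, the 7-day lookback, the 2x ratio and the minimum count of 20 are assumptions chosen to match the 100-vs-under-50 case in the question.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Combined log format as quoted in the question: the third field is the
# authenticated username ("-" when the request was unauthenticated).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (user, day, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("user"), ts.date(), int(m.group("status"))


def daily_counts(lines):
    """Map user -> {day: number of successful authenticated requests}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line; a real pipeline should count these too
        user, day, status = parsed
        if user == "-" or status >= 400:
            continue  # no user, or a failed request: not a successful login
        counts[user][day] += 1
    return counts


def find_spikes(counts, current_day, lookback_days=7, ratio=2.0, min_count=20):
    """Return {user: (count_today, baseline_avg)} for users whose count on
    current_day is at least `ratio` times their average over the days in the
    lookback window on which they were active.

    Two guards a plain ratio rule needs: `min_count` stops 3-vs-1 from alerting,
    and users with no history (new accounts) are skipped because there is no
    baseline to compare against; handle those with a separate absolute rule."""
    window_start = current_day - timedelta(days=lookback_days)
    spikes = {}
    for user, per_day in counts.items():
        cur = per_day.get(current_day, 0)
        if cur < min_count:
            continue
        history = [n for d, n in per_day.items() if window_start <= d < current_day]
        if not history:
            continue
        avg = sum(history) / len(history)
        if cur >= ratio * avg:
            spikes[user] = (cur, avg)
    return spikes


def make_lines(user, day, n):
    """Constructed sample traffic in the question's format (assumption, not real data)."""
    stamp = day.strftime("%d/%b/%Y")
    return [
        f'10.0.0.10 - {user} [{stamp}:04:27:{i % 60:02d} +0000] '
        f'"GET /svn/repos HTTP/1.1" 200 289'
        for i in range(n)
    ]


DAY = date(2020, 9, 21)
SAMPLE_LOG = []
for offset, n in ((3, 40), (2, 45), (1, 50), (0, 100)):   # alice: avg 45, then 100
    SAMPLE_LOG += make_lines("alice", DAY - timedelta(days=offset), n)
for offset, n in ((3, 10), (2, 12), (1, 11), (0, 15)):    # bob: mild rise, no alert
    SAMPLE_LOG += make_lines("bob", DAY - timedelta(days=offset), n)
SAMPLE_LOG += make_lines("carol", DAY, 30)                # new user, no baseline
SAMPLE_LOG += make_lines("-", DAY, 200)                   # unauthenticated, ignored
SAMPLE_LOG.append("garbage line that does not parse")


def run_sample():
    """Evaluate the rule for DAY over the constructed log."""
    return find_spikes(daily_counts(SAMPLE_LOG), DAY)


if __name__ == "__main__":
    for user, (cur, avg) in run_sample().items():
        print(f"SUSPICIOUS {user}: {cur} requests today vs {avg:.1f}/day baseline")
```

Only alice is reported: bob's 15 stays under twice his average of 11, and carol has no prior days to form a baseline. The same comparison of a current window against a previous one, keyed per user, is what ElastAlert's `spike` rule type does (`query_key` on the username field, `spike_height` for the ratio, `spike_type: up`, `timeframe` for the window, `threshold_cur` as the minimum count), so the question is answerable there as well once the username is indexed as its own field.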