How should I write Elastic rule that detect if excessive denied SMB traffic from a single host?
Hello there 
,
It is dependent on the data source you are using, but I assume you may be referring to firewall logs due to "denying".
The easiest way would be to use a threshold rule similar to the following:
.
There are other options as well that may make sense, depending on the data and expectations. The best way to discuss these are directly within our detection-rules repo. If you open an issue, you can collaborate with the team to come up with a solution (and possibly merge into production).
We also have several existing rules which target SMB traffic in various ways.
Hope this helps!
Justin
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.