Excessive denied SMB traffic

How should I write Elastic rule that detect if excessive denied SMB traffic from a single host?

Hello there :wave:,

It is dependent on the data source you are using, but I assume you may be referring to firewall logs due to "denying".

The easiest way would be to use a threshold rule similar to the following:

.

There are other options as well that may make sense, depending on the data and expectations. The best way to discuss these are directly within our detection-rules repo. If you open an issue, you can collaborate with the team to come up with a solution (and possibly merge into production).

We also have several existing rules which target SMB traffic in various ways.

Hope this helps!

Justin