I want to diagnose brute force attacks by source IP. My query is login failures in the logs.
I see this type of anomaly via machine learning:
I think there is no anomaly for src ip 192.168.1.61, because the actual value is 2.
How can I set a config for the anomaly actual value?
For this example, actual >= 200.
Can I create such machine learning jobs with aggregated machine learning and filter on doc_count?
I think this is a bad solution because records are omitted from the machine learning.
I want the filtered actual value to affect the max severity.
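One way to express this in an Elastic ML anomaly-detection job, as an added example that is not part of the original post: a detector custom rule with the `skip_result` action when `actual` is below 200. Results for low counts are then not created (so they cannot drive the max severity), while the data is still used to update the model, unlike dropping low `doc_count` buckets from an aggregated datafeed. The field names (`source.ip`, `@timestamp`), bucket span and the `high_count` function are assumptions; the datafeed query for login failures is configured separately and is not shown. The `custom_rules` / `applies_to` / `operator` / `skip_result` syntax is the Elasticsearch anomaly-detection job API; the small rule evaluator below only simulates that behaviour over constructed result records.

```python
"""Elastic ML job with a detector custom rule that suppresses anomaly
results whose actual value is below a threshold (added example, not from
the original post). Field names, bucket span and the threshold are
assumptions; custom_rules / applies_to / operator / value / skip_result
are the Elasticsearch anomaly-detection job API."""
import json
import operator

# Comparison operators accepted by a custom rule condition.
_OPERATORS = {
    "gt": operator.gt,
    "gte": operator.ge,
    "lt": operator.lt,
    "lte": operator.le,
}


def build_job_config(min_actual=200):
    """Return a job body (for PUT _ml/anomaly_detectors/<job_id>) whose
    detector counts login failures per source IP and skips any result with
    actual < min_actual. "source.ip" and "@timestamp" are assumed names."""
    return {
        "description": "Login failures per source IP (assumed field names)",
        "analysis_config": {
            "bucket_span": "15m",
            "detectors": [{
                "function": "high_count",
                "by_field_name": "source.ip",
                "detector_description": "high_count by source.ip",
                # skip_result drops the result but still updates the model,
                # unlike filtering low doc_count buckets out of the datafeed.
                "custom_rules": [{
                    "actions": ["skip_result"],
                    "conditions": [{
                        "applies_to": "actual",
                        "operator": "lt",
                        "value": min_actual,
                    }],
                }],
            }],
            "influencers": ["source.ip"],
        },
        "data_description": {"time_field": "@timestamp"},
    }


def rule_matches(rule, record):
    """True if every condition of one custom rule holds for a result record
    (conditions are ANDed). 'actual'/'typical' may be a scalar or, as in the
    results API, a one-element list."""
    for cond in rule["conditions"]:
        value = record[cond["applies_to"]]
        if isinstance(value, list):
            value = value[0]
        if not _OPERATORS[cond["operator"]](value, cond["value"]):
            return False
    return True


def apply_skip_result(job, records):
    """Return the records that survive the job's skip_result rules."""
    kept = []
    for rec in records:
        skipped = False
        for det in job["analysis_config"]["detectors"]:
            for rule in det.get("custom_rules", []):
                if "skip_result" in rule["actions"] and rule_matches(rule, rec):
                    skipped = True
        if not skipped:
            kept.append(rec)
    return kept


# Constructed anomaly records in the (simplified) shape of the results API.
SAMPLE_RECORDS = [
    {"by_field_value": "192.168.1.61", "actual": [2.0], "typical": [0.1], "record_score": 72.3},
    {"by_field_value": "10.0.0.5", "actual": [250.0], "typical": [1.2], "record_score": 98.1},
    {"by_field_value": "172.16.4.9", "actual": [199.0], "typical": [3.0], "record_score": 90.0},
]


def surviving_ips(min_actual=200):
    """Source IPs whose results would still be created under the rule."""
    job = build_job_config(min_actual=min_actual)
    return [r["by_field_value"] for r in apply_skip_result(job, SAMPLE_RECORDS)]


if __name__ == "__main__":
    print(json.dumps(build_job_config(), indent=2))
    print(surviving_ips())
```

With the threshold at 200 only the 250-failure source survives; the 192.168.1.61 record (actual 2) and the 199 record are not created at all, so they no longer contribute to bucket or influencer scores, while every login failure still feeds the model.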