ML job - detect new port

Hi,

I am sending vulnerability scan results into the SIEM and trying to detect new ports scanned for an assest.

Ive tried using Rare, by field: port and partition: asset but the results are coming back empty. It could be that theres not enough data, any suggestions on what i could use?

Thanks

Yes, this is a situation in which there is likely not enough data. Have you fed at least 20 bucket_span's worth of "normal" data for each partition before expecting to detect that which is "rare"?

Hi,

No there is very little data at the moment, i will have to think of another solution. Each scan only runs once per month/quarter, for each scan an asset might have a small number of events for the given port.