I am sending vulnerability scan results into the SIEM and trying to detect new ports scanned for an asset.
I've tried using Rare, by field: port and partition: asset, but the results are coming back empty. It could be that there's not enough data. Any suggestions on what I could use?
Yes, this is a situation in which there is likely not enough data. Have you fed at least 20 bucket_spans' worth of "normal" data for each partition before expecting to detect that which is "rare"?
No, there is very little data at the moment; I will have to think of another solution. Each scan only runs once per month/quarter, and for each scan an asset might have a small number of events for the given port.
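As an added illustration (not code from the thread or from any Elastic product), the snippet below does two things a practitioner would want here: it counts how many scan runs each asset partition actually has, so you can see which partitions fall short of the 20-bucket guideline from the reply, and it applies a simple deterministic "first-seen port per asset" check that works with sparse monthly or quarterly scans, where a statistical rare detector has too little history. The scan records are constructed sample data, and the field names `scan_date`, `asset` and `port` are assumptions about the shape of the SIEM documents.

```python
from collections import defaultdict

# Constructed sample scan results: one record per (scan_date, asset, port).
# Field names are assumed; adapt them to the real SIEM index mapping.
SCANS = [
    {"scan_date": "2023-01-15", "asset": "web-01", "port": 80},
    {"scan_date": "2023-01-15", "asset": "web-01", "port": 443},
    {"scan_date": "2023-01-15", "asset": "db-01", "port": 5432},
    {"scan_date": "2023-02-15", "asset": "web-01", "port": 80},
    {"scan_date": "2023-02-15", "asset": "web-01", "port": 443},
    {"scan_date": "2023-02-15", "asset": "db-01", "port": 5432},
    {"scan_date": "2023-03-15", "asset": "web-01", "port": 80},
    {"scan_date": "2023-03-15", "asset": "web-01", "port": 443},
    {"scan_date": "2023-03-15", "asset": "web-01", "port": 8080},  # never seen before
    {"scan_date": "2023-03-15", "asset": "db-01", "port": 5432},
    {"scan_date": "2023-03-15", "asset": "db-01", "port": 22},     # never seen before
]


def buckets_per_partition(scans):
    """Count distinct scan runs per asset; one scan run is roughly one bucket."""
    runs = defaultdict(set)
    for rec in scans:
        runs[rec["asset"]].add(rec["scan_date"])
    return {asset: len(dates) for asset, dates in runs.items()}


def partitions_below_threshold(scans, min_buckets=20):
    """Assets with fewer scan runs than the minimum history a rare detector needs."""
    counts = buckets_per_partition(scans)
    return sorted(asset for asset, n in counts.items() if n < min_buckets)


def new_ports_per_scan(scans):
    """Return (scan_date, asset, port) for ports not present on that asset in any earlier scan.

    The first scan in which an asset appears only seeds its baseline; nothing is
    reported for it, so onboarding a new host does not flood the alert queue.
    """
    by_date = defaultdict(list)
    for rec in scans:
        by_date[rec["scan_date"]].append(rec)

    baseline = defaultdict(set)  # asset -> ports seen in earlier scans
    findings = []
    for scan_date in sorted(by_date):  # ISO dates sort chronologically as strings
        for rec in by_date[scan_date]:
            asset, port = rec["asset"], rec["port"]
            if asset in baseline and port not in baseline[asset]:
                findings.append((scan_date, asset, port))
        # Update the baseline only after the whole scan run has been evaluated,
        # so two new ports in the same run are both reported.
        for rec in by_date[scan_date]:
            baseline[rec["asset"]].add(rec["port"])
    return findings


if __name__ == "__main__":
    print("scan runs per asset:", buckets_per_partition(SCANS))
    print("too little history for Rare:", partitions_below_threshold(SCANS))
    for scan_date, asset, port in new_ports_per_scan(SCANS):
        print(f"{scan_date}: new port {port} on {asset}")
```

With three monthly runs per asset, both partitions are far below the 20-bucket guideline, so the empty Rare results are expected; the baseline comparison still flags port 8080 on web-01 and port 22 on db-01 in the March scan. The same logic maps onto a scheduled query or transform in the SIEM that compares the latest scan's (asset, port) pairs against all earlier ones.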