I'm trying to create a rule to detect a network scan.
For example, generate an alert if more than 10 unique destinations have been accessed from the same source IP within 1 minute.
But I don't see how to specify the 1 min window in a threshold rule, for example.
Hey @TheMadmax! Welcome to Elastic community!
You are right, there is no time interval within a threshold rule configuration.
But I believe, playing with rule schedule interval could achieve the result for your use case: Create a detection rule | Elastic Security Solution [8.7] | Elastic
For example, by setting the rule interval to 1m.
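As an added example (not part of the thread above and not Elastic's own code), the script below shows the two halves of the suggestion: a `build_threshold_rule()` helper that emits the body a threshold rule takes in the Kibana detection engine API (`POST /api/detection_engine/rules`, 8.x field names), with the 1-minute window expressed through `interval` and the look-back `from` rather than a non-existent "time window" field, and a `find_scanners()` function that applies the same "more than N unique destinations per source inside a sliding window" logic offline to constructed sample events so you can check what would fire before deploying. The index pattern, `rule_id`, rule name and sample IPs are assumptions for illustration.

```python
"""Threshold-rule body plus an offline check of the same scan heuristic.

Added example; the index pattern, rule_id, name and the sample events are
assumptions, not values from the original thread.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_threshold_rule(unique_destinations: int = 10,
                         interval: str = "1m",
                         lookback: str = "now-2m",
                         index_pattern=("logs-network_traffic.*",)) -> dict:
    """Return a Kibana threshold-rule body (8.x API field names).

    A threshold rule has no explicit time-window setting: the window is the
    query window, i.e. how often the rule runs (`interval`) plus the extra
    look-back folded into `from`. A 1m interval with `from: now-2m` gives a
    2-minute window that overlaps consecutive runs so events are not missed.
    The cardinality condition fires when unique values >= value, so "more
    than 10" becomes value 11.
    """
    return {
        "rule_id": "example-network-scan-threshold",  # assumption: any unique id
        "name": "Possible network scan: many unique destinations per source",
        "description": (
            f"One source.ip reaching more than {unique_destinations} unique "
            "destination.ip values within the rule's query window."
        ),
        "type": "threshold",
        "language": "kuery",
        "query": "event.category:network and source.ip:* and destination.ip:*",
        "index": list(index_pattern),  # assumption: adjust to your data stream
        "interval": interval,
        "from": lookback,
        "risk_score": 47,
        "severity": "medium",
        "enabled": True,
        "threshold": {
            "field": ["source.ip"],  # group events by source
            "value": 1,              # at least one matching event per source
            "cardinality": [         # ...with >= N+1 distinct destinations
                {"field": "destination.ip", "value": unique_destinations + 1}
            ],
        },
    }


def find_scanners(events, max_unique: int = 10,
                  window: timedelta = timedelta(minutes=1)) -> dict:
    """Map source.ip -> peak unique destination count for every source that
    contacts more than `max_unique` distinct destinations inside any window
    of length `window`. Events are dicts with '@timestamp' (aware datetime),
    'source.ip' and 'destination.ip'.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["source.ip"]].append((ev["@timestamp"], ev["destination.ip"]))

    hits = {}
    for src, items in by_src.items():
        items.sort()  # chronological
        best, lo = 0, 0
        for hi in range(len(items)):
            # Slide the left edge until the window spans at most `window`.
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            best = max(best, len({dst for _, dst in items[lo:hi + 1]}))
        if best > max_unique:
            hits[src] = best
    return hits


def sample_events():
    """Constructed sample data (not real traffic):
    - 10.0.0.5 sweeps 12 hosts in ~22 s  -> should be flagged
    - 10.0.0.9 talks to 3 hosts           -> normal
    - 10.0.0.7 reaches 12 hosts 50 s apart -> never >2 in one minute
    """
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    ev = []
    for i in range(12):
        ev.append({"@timestamp": t0 + timedelta(seconds=2 * i),
                   "source.ip": "10.0.0.5", "destination.ip": f"192.168.1.{i + 1}"})
    for i in range(3):
        ev.append({"@timestamp": t0 + timedelta(seconds=i),
                   "source.ip": "10.0.0.9", "destination.ip": f"192.168.1.{i + 1}"})
    for i in range(12):
        ev.append({"@timestamp": t0 + timedelta(seconds=50 * i),
                   "source.ip": "10.0.0.7", "destination.ip": f"192.168.2.{i + 1}"})
    return ev


if __name__ == "__main__":
    import json
    print(json.dumps(build_threshold_rule(), indent=2))
    print(find_scanners(sample_events()))  # {'10.0.0.5': 12}
```

One caveat worth keeping in mind: because the rule's window is `from` to "now" rather than a strict 60 seconds, a source that spreads its connections just past one minute can still be counted in a 2-minute window, so tune `from` to match how strict you want the detection to be.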
Ok, I suspected a little; thanks!