madduck
September 7, 2020, 12:29pm
2
Hi Kambing,
What you are trying to do is not possible with the static detection rules. You might want to look into Machine Learning rules.
A similar question was asked two weeks ago, if you want to read a bit here is a link:
Hi
I am playing with the SIEM capability and have been using it since it was released with custom queries. I am now looking at Threshold based detection in v7.9 - something I think will be very useful.
I'm not sure if this is possible at the moment or a future capability but is there a method of the threshold considering aggregations and unique values?
There are a few use cases but as an example, I would like to know if a user connects inbound over the VPN from multiple locations. So if I l…
1 Like