Hi, we have Palo Alto logs in our elasticsearch database. I need to do anomaly detection based on SMB traffic. How can I do that? My first attempt was to set destination.port to 445 or 139, but I couldn't find a way to specify that when doing the machine learning part. There was "event count", but it counts all events from the data. How can I set it to only include the data whose destination port is SMB and do the machine learning based on that?
Try to create a search in Discover filtering those ports, save that search, and then, when creating the ML job, point to this saved search as the data source instead of the index pattern of your data.
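The saved-search approach above, expressed as the equivalent datafeed configuration, as an added example that is not part of the original thread: the ML job keeps a plain event-count detector, and the scoping to SMB happens in the datafeed query (the API counterpart of a saved search). The index pattern `filebeat-*`, the ECS field names `destination.port` and `@timestamp`, and the sample events are assumptions constructed for illustration.

```python
import json

# Assumed names (not from the thread): index pattern and ECS field names.
SMB_PORTS = (445, 139)
INDEX_PATTERN = "filebeat-*"
TIME_FIELD = "@timestamp"
PORT_FIELD = "destination.port"

def smb_filter_query(ports=SMB_PORTS):
    """Query DSL that keeps only documents whose destination port is SMB."""
    return {"bool": {"filter": [{"terms": {PORT_FIELD: list(ports)}}]}}

def anomaly_job_body(bucket_span="15m"):
    """Body for PUT _ml/anomaly_detectors/<job_id>: an unchanged count
    detector; it sees only what the datafeed hands it."""
    return {
        "analysis_config": {
            "bucket_span": bucket_span,
            "detectors": [{"function": "count",
                           "detector_description": "SMB event count"}],
        },
        "data_description": {"time_field": TIME_FIELD},
    }

def datafeed_body(job_id, indices=(INDEX_PATTERN,)):
    """Body for PUT _ml/datafeeds/<datafeed_id>: same index, filtered query."""
    return {"job_id": job_id, "indices": list(indices), "query": smb_filter_query()}

def matches_filter(doc, ports=SMB_PORTS):
    """Local re-implementation of the terms filter, so the scoping can be
    checked offline. Accepts both nested and flat (dotted-key) documents."""
    if PORT_FIELD in doc:
        return doc[PORT_FIELD] in ports
    value = doc
    for part in PORT_FIELD.split("."):
        if not isinstance(value, dict) or part not in value:
            return False          # field absent: never reaches the job
        value = value[part]
    return value in ports

# Constructed sample events, not real Palo Alto logs.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T00:00:00Z", "destination": {"port": 445}},
    {"@timestamp": "2024-01-01T00:00:01Z", "destination": {"port": 443}},
    {"@timestamp": "2024-01-01T00:00:02Z", "destination.port": 139},
    {"@timestamp": "2024-01-01T00:00:03Z", "source": {"port": 445}},
]

def count_feed_events(events):
    """How many of the events the datafeed would actually pass to the job."""
    return sum(1 for e in events if matches_filter(e))

if __name__ == "__main__":
    print(json.dumps(datafeed_body("smb-event-count"), indent=2))
    print("events reaching the job:", count_feed_events(SAMPLE_EVENTS))
```

Without the filter, the count detector would see all four sample events; with it, only the two SMB ones reach the job.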