Hello,
I would like to create a Threshold rule to detect downloaded files larger than 1 Go.
So in my firewall logs I have the field rcvd, where I can find this value, and to test that, I downloaded a 1.7 Go file and I could see it in the Discover app, as we can see in the picture below:
But when I try to create a threshold rule to detect that and I run preview results, it doesn't detect it.
I have configured it like this:
Index patterns: firewall-*
Custom query: rcvd: *
Field: rcvd
Threshold: it detects something when I use 1000, but with more than 4000 it doesn't detect anything
Could you tell me please why in the Discover section I can see the rcvd value, which is equal to 1844015137, but the threshold job can't see it?
Thanks for your help
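An added illustration that is not part of the question above: a small Python simulation of two different semantics that are easy to confuse when building a detection like this. A threshold rule groups matching events by the chosen field and fires when the number of events in a group reaches the threshold, so the threshold is compared against an event count, not against the value stored in rcvd. Detecting a transfer larger than 1 Go is a filter on the field's value, which in KQL would be expressed as a range comparison in the custom query. The event data below is constructed, the 1 Go limit is taken as decimal bytes, and the range query assumes rcvd is indexed as a numeric field (the thread does not state the mapping; on a keyword or text field a numeric range comparison will not behave as expected).

```python
# Added example, not code from the original post or from Elastic.
# Simulates (1) threshold-rule evaluation: count events per distinct field
# value and alert when the COUNT reaches the threshold, and (2) a value
# filter equivalent to a KQL range clause such as `rcvd >= 1000000000`.
from collections import Counter

# Constructed sample firewall events (not real log data). `rcvd` is the
# bytes-received field named in the question; hosts and sizes are made up.
SAMPLE_EVENTS = (
    [{"src_ip": "10.0.0.5", "rcvd": 1844015137}]    # one 1.7 Go download
    + [{"src_ip": "10.0.0.9", "rcvd": 52}] * 1200     # many tiny replies, same size
    + [{"src_ip": "10.0.0.17", "rcvd": 1200000000}]   # another transfer over 1 Go
)

ONE_GB = 1_000_000_000  # assumption: 1 Go read as decimal gigabytes, in bytes


def threshold_rule_hits(events, field, threshold):
    """Threshold-rule style evaluation.

    Groups events by the distinct values of `field` and returns the groups
    whose EVENT COUNT is >= `threshold`, as {value: count}. A single event
    with a very large `rcvd` value contributes a count of 1 to its group,
    so it can never satisfy a count threshold of 1000 on its own.
    """
    counts = Counter(e[field] for e in events if field in e)
    return {value: n for value, n in counts.items() if n >= threshold}


def large_transfer_hits(events, field, min_bytes):
    """Value filter: returns the events whose `field` VALUE is >= min_bytes.

    This is the semantics needed to catch "a download larger than 1 Go";
    in a rule it belongs in the custom query, not in the threshold count.
    """
    return [e for e in events if e.get(field, 0) >= min_bytes]


def kql_min_bytes_query(field, min_bytes):
    """Builds the KQL range clause for the custom query (numeric field assumed)."""
    return f"{field} >= {min_bytes}"


if __name__ == "__main__":
    print("threshold 1000 per rcvd value:", threshold_rule_hits(SAMPLE_EVENTS, "rcvd", 1000))
    print("threshold 4000 per rcvd value:", threshold_rule_hits(SAMPLE_EVENTS, "rcvd", 4000))
    print("transfers >= 1 Go:", [e["rcvd"] for e in large_transfer_hits(SAMPLE_EVENTS, "rcvd", ONE_GB)])
    print("custom query:", kql_min_bytes_query("rcvd", ONE_GB))
```

With the constructed data, the count-based evaluation fires only for the group of 1200 identical 52-byte events at threshold 1000 and for nothing at threshold 4000, while the 1844015137-byte event is only surfaced by the value filter. That matches the kind of behaviour described in the question and shows which of the two the rule's Threshold setting is actually testing.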