The issue we are having is that there seems to be no way of telling when a critical asset stops sending logs to the SIEM. We recently had one of the high-level engineers come to our company for a Q&A and he confirmed for us that this is the case.
As a workaround I am trying to create a Correlation rule with the following logic:
1. Sources are Critical Asset group
2. If there are < 5 events in 2 hrs trigger
Seems to me that this should be an effective workaround; however, I cannot seem to remove the default "threshold" count of 1 from the rule. Because of that the rule will never trigger, because it is ALWAYS expecting at least one event.
Does anyone know how I can solve this, or do you have a workaround for this use case?