I want to make a rule based on the following logic: a deviation in the packet size sent out by any one source IP from an average baseline built on its behavior. For that I am to use a deviation component in a correlation rule.
I am saving the packet size in a custom field called Method. (This is just an example, so don't worry about the details; just stick with me for the concept of the problem.)
I have set my deviation component in the following way:
Now, as you can see, I am using the calculation type "Distinct value" so I can deviate on something other than event count or severity. Yet this is the definition of the "Distinct values" option as given in the knowledge base:
Distinct Values— The number of distinct values seen, for example 16 destination IPs
The problem is, I want the value of the packet size to exceed its normal behavior, not the number of times a distinct value has appeared in the "Packet size" field (or Method, in this case).
Is the correlation I am asking for possible? And if so how would I implement it?
The field the packet size is parsed into needs to be an integer, and likely assigned to an index (a custom field and an index assignment may be required).
I want to say that you can use % over baseline on averages with an accumulator index, and it works as you are envisioning, but please take this with a grain of salt as I have not built this specific use case concept myself.
It appears that "Distinct value" is the only option available; it looks at the changes in the distinct values seen in the field and then gives a baseline difference between the typical values and how many new values were seen.
It appears this cannot be done off of event data, unfortunately. With NetFlow data, however, you can.
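As an added worked example (not from the original thread, and not a rule definition for the SIEM's own engine), the following Python script shows the logic the question asks for, run over constructed sample events: a per-source baseline of the packet-size field (mean and standard deviation), a "% over baseline on averages" check as suggested in one of the replies above, and, beside it, the distinct-value count that a "Distinct Values" calculation would produce, so the two measures can be compared on the same data. The IPs, sizes, field name, and 50% threshold are assumptions chosen for illustration.

```python
"""Per-source packet-size baseline with percent-over-baseline deviation,
compared against a distinct-value count. Illustrative only; the SIEM's
deviation component is not reimplemented here."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (source IP, packet size in bytes). Not captured traffic.
# BASELINE_EVENTS is the "normal" history; CURRENT_EVENTS is the window being evaluated.
BASELINE_EVENTS = [
    ("10.0.0.1", 100), ("10.0.0.1", 110), ("10.0.0.1", 120), ("10.0.0.1", 130), ("10.0.0.1", 140),
    ("10.0.0.2", 1400), ("10.0.0.2", 1500), ("10.0.0.2", 1600),
]
CURRENT_EVENTS = [
    ("10.0.0.1", 1200), ("10.0.0.1", 1300), ("10.0.0.1", 1400),  # ~10x the usual size
    ("10.0.0.2", 1450), ("10.0.0.2", 1550),                      # new values, same size
    ("10.0.0.9", 60),                                            # source never seen before
]


def group_by_source(events):
    """Collect packet sizes per source IP; the field must be numeric, not a string."""
    sizes = defaultdict(list)
    for ip, size in events:
        sizes[ip].append(int(size))
    return sizes


def build_baseline(events):
    """Per-source mean, population stdev and number of distinct sizes seen."""
    baseline = {}
    for ip, sizes in group_by_source(events).items():
        baseline[ip] = {
            "mean": mean(sizes),
            "stdev": pstdev(sizes),
            "distinct": len(set(sizes)),  # what a 'Distinct Values' calculation counts
        }
    return baseline


def evaluate_window(baseline, events, pct_threshold=50.0):
    """Flag a source whose average packet size in the window exceeds its
    baseline mean by more than pct_threshold percent. Sources with no baseline
    are reported but never alerted on, since there is nothing to deviate from."""
    results = {}
    for ip, sizes in group_by_source(events).items():
        avg = mean(sizes)
        distinct = len(set(sizes))
        base = baseline.get(ip)
        if base is None:
            results[ip] = {"avg": avg, "distinct": distinct, "pct_over": None,
                           "z": None, "alert": False, "reason": "no baseline"}
            continue
        if base["mean"] == 0:
            pct_over = float("inf") if avg > 0 else 0.0
        else:
            pct_over = (avg - base["mean"]) / base["mean"] * 100.0
        if base["stdev"] > 0:
            z = (avg - base["mean"]) / base["stdev"]
        else:  # constant history: any change is an infinite deviation
            z = 0.0 if avg == base["mean"] else float("inf")
        results[ip] = {"avg": avg, "distinct": distinct, "pct_over": pct_over,
                       "z": z, "alert": pct_over > pct_threshold,
                       "reason": "size over baseline" if pct_over > pct_threshold else "within baseline"}
    return results


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for ip, r in evaluate_window(base, CURRENT_EVENTS).items():
        print(ip, "avg=%s distinct=%s pct_over=%s alert=%s (%s)"
              % (r["avg"], r["distinct"], r["pct_over"], r["alert"], r["reason"]))
```

On this data, 10.0.0.1 sends only three distinct sizes in the window (fewer than its five in the baseline), so a distinct-value count would not rise, yet its average is roughly 983% over baseline and it alerts; 10.0.0.2 sends two sizes never seen before, which a distinct-value count would register as new, but its average matches its baseline exactly and it does not alert. That is the difference between "how many values" and "how large the value is" that the question is about.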