
Deviation of distinct value

I want to make a rule based on the following logic: a deviation in the packet size sent out by any one source IP from an average baseline built on its behavior. For that I am to use a deviation component in a correlation rule.

I am saving the packet size in a custom field called Method. (This is just an example, so don't worry about the details; just stick with me for the concept of the problem.)

I have set my deviation component in the following way:

[Image: Packet.PNG]

Now, as you can see, I am using the calculation type "Distinct value" so I can deviate on something other than event count or severity. Yet this is the definition of the option "Distinct values" as given in the knowledge base:

  • Distinct Values — The number of distinct values seen, for example, 16 destination IPs

The problem is, I want the value of the packet size to exceed its normal behavior, not the number of times a distinct value has appeared in the "Packet size" field (or Method in this case).

Is the correlation I am asking for possible? And if so how would I implement it?


1 Reply

McAfee Employee

Re: Deviation of distinct value

Possibly,

The field the packet size is parsed to needs to be an integer, and likely assigned to an index (a custom field may be required, with an index assigned).

I want to say that you can use % over baseline on averages with an accumulator index, and it works as you are envisioning, but please take this with a grain of salt as I have not built this specific use case concept myself.

 

::EDIT::

It appears that distinct value is the only option available, which will look at the changes in distinct values given in the field, and then give a baseline difference between typical values, and how many new values were seen.

It appears this cannot be done off of event data, unfortunately. With NetFlow data, however, you can.
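The distinction the question draws, as an added example that is not from the original thread and not McAfee ESM code: a per-source count of distinct packet sizes (what the "Distinct Values" calculation measures) beside a per-source baseline on the size value itself with a percent-over-baseline check, run over constructed sample events. The event tuples, the minimum history length and the 100% threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events (source_ip, packet_size); not from the original post.
# 10.0.0.5 sends ~500-byte packets, then one 4096-byte outlier.
EVENTS = [
    ("10.0.0.5", 512), ("10.0.0.5", 530), ("10.0.0.5", 498), ("10.0.0.5", 505),
    ("10.0.0.5", 4096),
    ("10.0.0.9", 200), ("10.0.0.9", 200), ("10.0.0.9", 200), ("10.0.0.9", 200),
]

MIN_HISTORY = 3  # assumed: observations needed before a baseline is trusted


def distinct_value_count(events):
    """'Distinct Values' semantics: how many different sizes each source produced.
    Note that the magnitude of the sizes never enters the result."""
    seen = defaultdict(set)
    for src, size in events:
        seen[src].add(size)
    return {src: len(sizes) for src, sizes in seen.items()}


def baseline_deviation(events, threshold_pct=100.0):
    """Per-source baseline on the value itself: flag an event whose size is more
    than threshold_pct above the running mean of that source's earlier sizes.
    Returns (source_ip, size, baseline_mean, pct_over_baseline) per alert."""
    history = defaultdict(list)
    alerts = []
    for src, size in events:
        prior = history[src]
        if len(prior) >= MIN_HISTORY:
            base = mean(prior)
            pct_over = (size - base) / base * 100.0
            if pct_over > threshold_pct:
                alerts.append((src, size, base, pct_over))
        prior.append(size)  # the event joins the baseline after being checked
    return alerts


if __name__ == "__main__":
    print("distinct sizes per source:", distinct_value_count(EVENTS))
    for src, size, base, pct in baseline_deviation(EVENTS):
        print(f"{src}: size {size} is {pct:.0f}% over baseline {base:.1f}")
```

Replacing the 4096-byte event with a 515-byte one leaves the distinct count for 10.0.0.5 unchanged at 5 but produces no deviation alert, which is exactly the gap the question describes.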
