Predicticting possible DDOS attack on internet leased line of organization through use of SIEM deviation rule
I created a a deviation rule on SIEM for predicting possible DDOS attack on internet leaased line of the organization. I used Deviation type= standard deviation, deviation operator = greater than, calculation type = total value, deviation field= source bytes, sample size= 7 Hours. I kept the thershold = 1.5 for testing, but rule did not triggered. When I changed the calculation type from total value to average per event then rule got triggered.
Why rule did not triggered on total value ? I want it to be triggered on "total value" rather than "average per event".
Moreover I want to clear my doubt that when I drilled down the triggered correlation rule I found detail of deviation data that " sample size was "hour" and sample count was "7". Did deviation rule make base line of single sample size = 7 hours or last five sample sizes = 35 hours ?
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.