1 of 1 people found this helpful
1. Create a watchlist of "normal" ports being used and while creating rule select the watchlist and condition to be "Not In" the normal watchlist, This should work
2. I will get back to you on that
Thank you. My only concern there is I would need to define the ports myself. I suspect the SIEM can leverage a deviation from baseline to alert on a port it has not historically seen. This way the determination can be made if some new software was added or if there is a security concern.
For your second question, use a Watchlist, set as dynamic and use a regex that will pick usernames that are not allowed.
Watchlists are limited to 10k (9.1) or 25k (9.2) items.
You can then use the watchlist in a correlation rules for events where accounts are created.