0 Replies Latest reply on Oct 6, 2015 2:35 AM by minsktractorworks

    Understanding an Email Volume Correlation Rule

    minsktractorworks

      Hi all,
      The following correlation rule came as part of an email content pack, and I want to change it slightly, but I want to make sure I understand what it is doing, as testing the deviation correlation rules is harder than testing event-based ones.
      The correlation rule in question is "Email - Abnormal Volumes of Outbound Email" and looks as below. The "filter" gate has a threshold number of events of 1000 in one hour.

      [image: 3.PNG]

      [image: 4.PNG]

      What I am wondering is the following:
      1. Is the "Filter" component there to ensure correlation only occurs if there are more than 1000 emails, in addition to the "Event Count" deviating by more than 1.5 standard deviations? Therefore, if an IP sends 900 emails, which deviates by more than 1.5 standard deviations from its baseline, it will not trigger?
      2. Can I simply change the "Group By" field to "Source User" to correlate when a single user sends more than their baseline rather than an IP/Host?
      Cheers for any help on this.
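Added example, not from this thread or the content pack: a small Python model of the rule under the reading in question 1, where the "Filter" gate (1000 events per hour) and the deviation gate (1.5 standard deviations above the group's own baseline) must both pass, with a group_by switch to compare host and user grouping. The hourly counts are constructed, and whether the product actually ANDs the two gates this way is the assumption being illustrated, not confirmed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (not real log data): hourly outbound-email counts as
# (hour, source_ip, source_user, emails). Hours 0-3 are the baseline window,
# hour 4 is the hour being evaluated.
HOURLY_COUNTS = [
    (0, "10.0.0.5", "dave", 480), (1, "10.0.0.5", "dave", 520),
    (2, "10.0.0.5", "dave", 500), (3, "10.0.0.5", "dave", 500),
    (4, "10.0.0.5", "dave", 900),     # deviates, but under the 1000 gate
    (0, "10.0.0.6", "alice", 780), (1, "10.0.0.6", "alice", 820),
    (2, "10.0.0.6", "alice", 800), (3, "10.0.0.6", "alice", 800),
    (4, "10.0.0.6", "alice", 1500),   # deviates AND over the 1000 gate
    (0, "10.0.0.8", "bob", 580), (1, "10.0.0.8", "bob", 620),
    (2, "10.0.0.8", "bob", 600), (3, "10.0.0.8", "bob", 600),
    (4, "10.0.0.8", "bob", 900),      # two users behind one host ...
    (0, "10.0.0.8", "carol", 600), (1, "10.0.0.8", "carol", 600),
    (2, "10.0.0.8", "carol", 580), (3, "10.0.0.8", "carol", 620),
    (4, "10.0.0.8", "carol", 900),    # ... each under 1000, host total 1800
]

THRESHOLD = 1000   # "Filter" gate: events per hour
DEVIATIONS = 1.5   # deviation gate: std-devs above the group's baseline


def gates(current, history, threshold=THRESHOLD, deviations=DEVIATIONS):
    """Evaluate both gates for one group; returns (over_threshold, deviates)."""
    base, sd = mean(history), pstdev(history)
    return current >= threshold, current > base + deviations * sd


def evaluate(rows, group_by, threshold=THRESHOLD, deviations=DEVIATIONS):
    """Groups firing in the latest hour under an AND reading of the two gates.
    group_by is "source_ip" or "source_user"; each group's baseline is its own
    earlier hours, so changing the field changes who gets a baseline."""
    per_group = defaultdict(lambda: defaultdict(int))
    for hour, ip, user, n in rows:
        per_group[ip if group_by == "source_ip" else user][hour] += n
    latest = max(hour for hour, *_ in rows)
    fired = {}
    for key, hours in per_group.items():
        current = hours[latest]
        history = [hours[h] for h in range(latest)]
        over, deviates = gates(current, history, threshold, deviations)
        if over and deviates:
            fired[key] = {"count": current, "baseline": mean(history)}
    return fired
```

Grouping by host fires on 10.0.0.6 and on the shared host 10.0.0.8, while grouping by user fires only on alice; the 900-email source deviates from its baseline but never passes the 1000 gate.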