1 Reply Latest reply on Jan 4, 2017 1:27 AM by viresh_sec

    Predicticting possible DDOS attack on internet leased line of organization through use of SIEM deviation rule


      I created a a deviation rule on SIEM for predicting possible DDOS attack on internet leaased line of the organization. I used Deviation type= standard deviation, deviation operator = greater than, calculation type = total value, deviation field= source bytes, sample size= 7 Hours. I kept the thershold = 1.5 for testing, but rule did not triggered. When I changed the calculation type from total value to average per event then rule got triggered.



      Why rule did not triggered on total value ? I want it to be triggered on "total value" rather than "average per event".

      Moreover I want to clear my doubt that when I drilled down the triggered correlation rule I found detail of deviation data that " sample size was "hour" and sample count was "7". Did deviation rule make base line of single sample size = 7 hours or last five sample sizes = 35 hours ?