I created a deviation rule on the SIEM for predicting a possible DDoS attack on the organization's internet leased line. I used deviation type = standard deviation, deviation operator = greater than, calculation type = total value, deviation field = source bytes, sample size = 7 hours. I kept the threshold = 1.5 for testing, but the rule did not trigger. When I changed the calculation type from total value to average per event, the rule triggered.
Why did the rule not trigger on total value? I want it to trigger on "total value" rather than "average per event".
Moreover, I want to clear up my doubt: when I drilled down into the triggered correlation rule, I found in the deviation data details that the sample size was "hour" and the sample count was "7". Did the deviation rule build the baseline from a single sample size = 7 hours, or from the last five sample sizes = 35 hours?
I used flow data from the organization's gateway router in the above-mentioned rule for the deviation field = source bytes.
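The rule described in the post combines three settings: a calculation type that collapses each sample's flows into one number, a baseline made of several samples, and a standard-deviation threshold. The Python below is an added illustration and not the SIEM's own code; it models the rule under stated assumptions: each sample is one hour of flow records (the drill-down's "sample size: hour, sample count: 7" is read here as seven one-hour samples), the newest hour is compared against the previous seven, and the rule fires when the current value exceeds the baseline mean by more than `threshold` standard deviations. The function names (`bucket_flows`, `sample_value`, `deviation_check`, `make_flows`), the flow records and the two scenarios are all constructed for the example. It shows how "total value" and "average per event" can disagree on the same traffic: a few large flows leave the hourly total inside the normal range but push the per-event average up, while a flood of tiny flows does the reverse. A flat baseline (zero standard deviation) is handled explicitly rather than dividing by zero.

```python
from collections import defaultdict
from statistics import mean, pstdev

SAMPLE_SECONDS = 3600   # assumption: one sample = one hour of flow data
SAMPLE_COUNT = 7        # assumption: baseline = the seven most recent samples
THRESHOLD = 1.5         # rule threshold: deviation > 1.5 standard deviations


def bucket_flows(flows, sample_seconds=SAMPLE_SECONDS):
    """Group (timestamp, source_bytes) flow records into fixed-width samples.

    Returns the per-sample lists of source_bytes in chronological order.
    """
    buckets = defaultdict(list)
    for ts, src_bytes in flows:
        buckets[ts // sample_seconds].append(src_bytes)
    return [buckets[k] for k in sorted(buckets)]


def sample_value(events, calc_type):
    """Collapse one sample's events into a single number, as the rule's
    'calculation type' would: 'total' sums the field, 'average' divides
    the sum by the number of events in the sample."""
    if calc_type == "total":
        return float(sum(events))
    if calc_type == "average":
        return sum(events) / len(events) if events else 0.0
    raise ValueError(f"unknown calculation type: {calc_type}")


def deviation_check(flows, calc_type, sample_count=SAMPLE_COUNT, threshold=THRESHOLD):
    """Compare the newest sample against a baseline of the previous
    sample_count samples and report how many standard deviations above the
    baseline mean it sits (only the 'greater than' operator is modelled)."""
    values = [sample_value(b, calc_type) for b in bucket_flows(flows)]
    if len(values) < sample_count + 1:
        raise ValueError("not enough samples to build a baseline")
    baseline, current = values[-sample_count - 1:-1], values[-1]
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        # Flat baseline: any increase is infinitely many deviations, no increase is zero.
        deviation = float("inf") if current > mu else 0.0
    else:
        deviation = (current - mu) / sigma
    return {
        "calc_type": calc_type,
        "current": current,
        "baseline_mean": mu,
        "baseline_stdev": sigma,
        "deviation": deviation,
        "triggered": deviation > threshold,
    }


def make_flows(hourly_sizes):
    """Constructed sample input: list of per-hour lists of per-flow source_bytes,
    spread across each hour as (timestamp, source_bytes) records."""
    flows = []
    for hour, sizes in enumerate(hourly_sizes):
        for i, size in enumerate(sizes):
            flows.append((hour * SAMPLE_SECONDS + i * 60, size))
    return flows


# Constructed baseline: seven hours whose totals stay near 1000 bytes but whose
# per-flow sizes vary, so 'total' and 'average' see different normals.
BASELINE_HOURS = [
    [100, 200, 300, 400],      # total 1000, average 250
    [200, 200, 200, 300],      # total  900, average 225
    [500, 600],                # total 1100, average 550
    [250, 250, 250, 250],      # total 1000, average 250
    [300, 700],                # total 1000, average 500
    [150, 250, 500],           # total  900, average 300
    [550, 550],                # total 1100, average 550
]

# Scenario A: one large flow. Total bytes stay close to normal, but the
# per-event average is far above the baseline.
FEW_LARGE_FLOWS = make_flows(BASELINE_HOURS + [[1100]])

# Scenario B: a flood of tiny flows. Total bytes jump, but the per-event
# average collapses, so an 'average per event' rule stays quiet.
MANY_SMALL_FLOWS = make_flows(BASELINE_HOURS + [[30] * 40])


if __name__ == "__main__":
    for name, flows in (("few large flows", FEW_LARGE_FLOWS),
                        ("many small flows", MANY_SMALL_FLOWS)):
        for calc_type in ("total", "average"):
            r = deviation_check(flows, calc_type)
            print(f"{name:17s} {calc_type:8s} current={r['current']:8.1f} "
                  f"mean={r['baseline_mean']:7.1f} stdev={r['baseline_stdev']:6.1f} "
                  f"deviation={r['deviation']:6.2f} triggered={r['triggered']}")
```

Running the script prints the four combinations. In scenario A the hourly total of 1100 bytes sits about 1.3 standard deviations above the baseline mean of 1000 (below the 1.5 threshold), while the per-event average of 1100 sits about 5.2 standard deviations above its mean of 375. In scenario B the total (1200 bytes) is about 2.6 deviations up and fires, but the average (30 bytes) is below its mean. Whether a real SIEM builds the baseline from seven one-hour samples or from one seven-hour sample changes both the mean and the spread, so the `SAMPLE_SECONDS` and `SAMPLE_COUNT` assumptions should be replaced with whatever the product documentation specifies.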