Alert for detection of abnormal increase of logs
I would like to detect when an event source is sending much more logs (in general) than usual.
For example, a firewall is sending 200 events per minute and, for reason X or Y, we receive 2000 events per minute during a brief period. This is not normal, so I would like to trigger an alert.
What I want is an alert that is triggered when the average activity increases. So I don't want to monitor a specific message ID but the average amount of logs received instead.
Do you have some tips, existing rules or explanations to help me?
Thank you in advance for your help.
All you need to do is add a threshold to your alert or correlation rule.
Choose the option that reads "Consider if the number of alerts
This tells enVision to generate alarms when the quantity of qualifying messages either exceeds or falls short of the calculated baselines by the appropriate amount.
I hope that helps!
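The threshold-against-a-baseline idea in the answer above, shown as a small standalone detector (an added example, not enVision's rule engine or any code from this thread). It buckets constructed syslog-style lines per source and minute, keeps a trailing baseline of the last few minutes for each source, and raises an alert when a minute exceeds or falls short of that baseline by a chosen factor. The source name `fw01`, the line format and the thresholds are assumptions made for the example.

```python
from collections import Counter, deque
from statistics import mean


def make_sample_lines():
    """Constructed sample: ~200 events/minute from fw01, a spike at 08:05
    and a near-silent minute at 08:07 (both are the cases we want to flag)."""
    per_minute = {"08:00": 200, "08:01": 190, "08:02": 210, "08:03": 205,
                  "08:04": 195, "08:05": 2000, "08:06": 200, "08:07": 20}
    lines = []
    for minute, n in per_minute.items():
        for i in range(n):
            # "<date> <time> <source> <message>" -- a hypothetical format
            lines.append(f"2024-01-15 {minute}:{i % 60:02d} fw01 accept "
                         f"src=10.0.0.{i % 254} dst=192.0.2.10")
    return lines


def count_per_minute(lines):
    """Aggregate raw events into (source, 'YYYY-MM-DD HH:MM') -> count."""
    buckets = Counter()
    for line in lines:
        date, time, source = line.split(" ", 3)[:3]
        buckets[(source, f"{date} {time[:5]}")] += 1
    return buckets


def detect_volume_anomalies(counts, window=5, factor=3.0, min_baseline=10):
    """Compare each minute with the trailing baseline for its source.

    window       - how many previous minutes form the baseline
    factor       - alert when count > factor * baseline (spike)
                   or count < baseline / factor (drop)
    min_baseline - ignore sources too quiet to have a meaningful baseline
    """
    alerts = []
    history = {}  # source -> deque of recent normal per-minute counts
    for (source, minute), n in sorted(counts.items()):
        recent = history.setdefault(source, deque(maxlen=window))
        if len(recent) >= 2:  # need a few points before judging
            baseline = mean(recent)
            if baseline >= min_baseline:
                kind = None
                if n > factor * baseline:
                    kind = "spike"
                elif n < baseline / factor:
                    kind = "drop"
                if kind:
                    alerts.append({"source": source, "minute": minute,
                                   "kind": kind, "count": n,
                                   "baseline": round(baseline, 1)})
                    # Do not feed the anomalous minute back into the baseline,
                    # otherwise a sustained flood quickly becomes "normal".
                    continue
        recent.append(n)
    return alerts


if __name__ == "__main__":
    for alert in detect_volume_anomalies(count_per_minute(make_sample_lines())):
        print(alert)
```

Run as-is it prints one `spike` alert for 08:05 (2000 events against a baseline of 200) and one `drop` alert for 08:07. The two design choices worth copying into a real correlation rule are the `min_baseline` guard, which keeps a source that normally sends two lines a minute from alerting on its third, and the decision not to let flagged minutes update the baseline, so a prolonged flood keeps alerting instead of silently raising the threshold.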